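#!/bin/sh
# Render the ArgoCD bootstrap credentials from Vault into local files:
#   .creds                                    - shell exports for `source`
#   .secrets/argocd_key.pem, argocd_cert.pem  - TLS key and full chain
#   .secrets/*.yaml                           - Secret / ConfigMap manifests
# Requires an authenticated `vault` CLI and `htpasswd` on PATH.
set -e

# Every file written below holds credentials. Create them owner-only instead
# of inheriting the caller's umask (typically 022 -> world-readable).
umask 077

rm -rf .creds .secrets

#######################################
# Pick the value column of a "key    value" line out of captured
# `vault kv get` output.
# Arguments: $1 - captured output, $2 - grep pattern selecting the key
# Outputs:   second whitespace-separated column of every matching line
# NOTE(review): the patterns used below are substrings ("dn", "password",
# "login"), so they match any key containing them. `vault kv get -field=...`
# would be exact, but the real field names are not known from this script.
#######################################
field_of() {
  printf '%s\n' "$1" | grep -- "$2" | awk '{print $2}'
}

# Fetch each Vault path once and grep the captured text, instead of
# re-reading the same secret for every field.
argocd_kv=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech)
svc_argocd_kv=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd)
telegram_kv=$(vault kv get team-devops/accounts/bots/telegram/alertmanager)

argocd_admin_password=$(field_of "$argocd_kv" service.user.admin.password)
argocd_avp_role_id=$(field_of "$argocd_kv" service.argocd_vault_plugin.vault.env.AVP_ROLE_ID)
argocd_avp_secret_id=$(field_of "$argocd_kv" service.argocd_vault_plugin.vault.env.AVP_SECRET_ID)

argocd_ldap_binddn=$(field_of "$svc_argocd_kv" dn)
argocd_ldap_binddn_password=$(field_of "$svc_argocd_kv" password)
argocd_repo_user=$(field_of "$svc_argocd_kv" login)
# The repo password is read from the same field as the LDAP bind password.
argocd_repo_password=$argocd_ldap_binddn_password

argocd_tg_token=$(field_of "$telegram_kv" bot.avroid_alerts_bot.token)

argocd_cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
argocd_cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech)

# A key that is absent from Vault leaves the grep|awk pipeline with awk's
# exit status 0, so `set -e` does not catch it and empty secrets would be
# rendered silently. Fail loudly instead.
: "${argocd_admin_password:?admin password not found in Vault}"
: "${argocd_avp_role_id:?AVP_ROLE_ID not found in Vault}"
: "${argocd_avp_secret_id:?AVP_SECRET_ID not found in Vault}"
: "${argocd_ldap_binddn:?LDAP bind DN not found in Vault}"
: "${argocd_ldap_binddn_password:?LDAP bind password not found in Vault}"
: "${argocd_repo_user:?repo user not found in Vault}"
: "${argocd_tg_token:?telegram token not found in Vault}"
: "${argocd_cert_key:?certificate key not found in Vault}"
: "${argocd_cert_data:?certificate chain not found in Vault}"

# bcrypt the admin password. The password is fed on stdin (-i) rather than
# as an argument (-b) so it does not show up in `ps` output; this needs an
# htpasswd that supports -i. `$2y` -> `$2a` is presumably for Go's bcrypt
# prefix, which ArgoCD's server uses (confirm).
# shellcheck disable=SC2016
argocd_admin_password_hash=$(printf '%s' "$argocd_admin_password" | htpasswd -niBC 10 "" | tr -d ':\n' | sed 's/$2y/$2a/')

# NOTE(review): values are single-quoted, so a password containing a literal
# single quote would break `source .creds`.
cat > .creds << EOF
export ARGOCD_ADMIN_PASSWORD='${argocd_admin_password}'
export ARGOCD_ADMIN_PASSWORD_HASH='${argocd_admin_password_hash}'
export ARGOCD_GIT_REPO_USER='${argocd_repo_user}'
export ARGOCD_GIT_REPO_USER_PASSWORD='${argocd_repo_password}'
EOF

mkdir .secrets

cat > .secrets/argocd_key.pem << EOF
${argocd_cert_key}
EOF

cat > .secrets/argocd_cert.pem << EOF
${argocd_cert_data}
EOF

# NOTE(review): the stringData values are emitted as unquoted YAML plain
# scalars; a bind password containing ": " or a leading special character
# would not survive YAML parsing.
cat > .secrets/argocd-secret-path.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  admin.password: ${argocd_admin_password_hash}
  dex.ldap.bindDN: ${argocd_ldap_binddn}
  dex.ldap.bindPW: ${argocd_ldap_binddn_password}
  telegram-token: ${argocd_tg_token}
EOF

# NOTE(review): the body of this ConfigMap is truncated in the copy of the
# script that was reviewed -- the avp.yaml "discover" command is cut off
# mid-string below. Restore it from the original before running.
cat > .secrets/argocd-vault-plugin-configmap.yaml << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: cmp-plugin
  namespace: argocd
data:
  avp.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      allowConcurrency: true
      discover:
        find:
          command:
            - sh
            - "-c"
            - "find . -name '*.yaml' | xargs -I {} grep \"
EOF

cat > .secrets/argocd-vault-plugin-secret.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-vault-plugin-credentials
  namespace: argocd
type: Opaque
stringData:
  AVP_AUTH_TYPE: approle
  AVP_TYPE: vault
  VAULT_ADDR: "https://vault.avroid.tech"
  AVP_ROLE_ID: ${argocd_avp_role_id}
  AVP_SECRET_ID: ${argocd_avp_secret_id}
EOF

printf '%s\n' "Run:"
printf '%s\n' ' 1. source .creds'
printf '%s\n' ' 2. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml'
printf '%s\n' ' 3. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml'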