Denis Patrakeev 5654a65bff [DO-1431] deploy ArgoCD (!6)
DO-1431

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/6
2025-02-10 15:05:06 +03:00

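#!/bin/sh
# Pull the ArgoCD bootstrap secrets out of Vault and render them into
# ./.creds (shell exports, to be sourced) and ./.secrets/* (TLS material
# plus the Kubernetes manifests listed at the end).  Needs a logged-in
# `vault` CLI and `htpasswd` on PATH; re-running replaces earlier output.
set -e
# Every file written below holds credentials: create them owner-only
# (0600 / 0700) regardless of the caller's umask.
umask 077
rm -rf .creds .secrets

#######################################
# Extract one value from captured `vault kv get` table output.
# Arguments: $1 - the captured output
#            $2 - fixed string the key column must contain (first match wins)
# Outputs:   the matching row's value, i.e. everything after the key column
# Returns:   1 when no row matches, so `set -e` aborts instead of rendering
#            an empty secret (the former `vault | grep | awk` pipelines
#            returned 0 on an empty match and also matched inside values)
#######################################
kv_field() {
  printf '%s\n' "$1" | awk -v key="$2" '
    index($1, key) { sub(/^[^ \t]+[ \t]+/, ""); print; found = 1; exit }
    END { exit !found }'
}

#######################################
# Single-quote a value for a file that will be `source`d.
# Arguments: $1 - raw value
# Outputs:   '...' with any embedded single quote escaped as '\''
#######################################
sh_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Fetch each Vault secret once; a failing `vault` call aborts right here.
argocd_svc=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech)
ldap_svc=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd)
tg_bots=$(vault kv get team-devops/accounts/bots/telegram/alertmanager)

argocd_admin_password=$(kv_field "$argocd_svc" service.user.admin.password)
# htpasswd emits a $2y$ bcrypt prefix; Argo CD wants $2a$ (same algorithm).
# NOTE: -b puts the password on argv, briefly visible in the process list;
# `htpasswd -i` (Apache 2.4+) reads it from stdin instead -- check the local
# version before switching.
# shellcheck disable=SC2016
argocd_admin_password_hash=$(htpasswd -nbBC 10 "" "${argocd_admin_password}" | tr -d ':\n' | sed 's/$2y/$2a/')
argocd_ldap_binddn=$(kv_field "$ldap_svc" dn)
argocd_ldap_binddn_password=$(kv_field "$ldap_svc" password)
argocd_tg_token=$(kv_field "$tg_bots" bot.avroid_alerts_bot.token)
argocd_repo_user=$(kv_field "$ldap_svc" login)
# The Git repo credential is the same LDAP service-account password.
argocd_repo_password=$argocd_ldap_binddn_password
argocd_cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
argocd_cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
argocd_avp_role_id=$(kv_field "$argocd_svc" service.argocd_vault_plugin.vault.env.AVP_ROLE_ID)
argocd_avp_secret_id=$(kv_field "$argocd_svc" service.argocd_vault_plugin.vault.env.AVP_SECRET_ID)

# Shell exports for the next step; values are quoted so that a password
# containing spaces, $ or ' still sources correctly.
cat > .creds << EOF
export ARGOCD_ADMIN_PASSWORD=$(sh_quote "${argocd_admin_password}")
export ARGOCD_ADMIN_PASSWORD_HASH=$(sh_quote "${argocd_admin_password_hash}")
export ARGOCD_GIT_REPO_USER=$(sh_quote "${argocd_repo_user}")
export ARGOCD_GIT_REPO_USER_PASSWORD=$(sh_quote "${argocd_repo_password}")
EOF

mkdir .secrets
cat > .secrets/argocd_key.pem << EOF
${argocd_cert_key}
EOF
cat > .secrets/argocd_cert.pem << EOF
${argocd_cert_data}
EOF

# Values below are emitted as plain YAML scalars, as before.  A password or
# token containing YAML-significant characters (': ', ' #', a leading
# '*', '&', '!' or '{') would need quoting -- confirm against the actual
# values before relying on this for a new secret.
cat > .secrets/argocd-secret-path.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  admin.password: ${argocd_admin_password_hash}
  dex.ldap.bindDN: ${argocd_ldap_binddn}
  dex.ldap.bindPW: ${argocd_ldap_binddn_password}
  telegram-token: ${argocd_tg_token}
EOF

# argocd-vault-plugin sidecar CMP definition.  The discover command is
# passed through an unquoted heredoc, so the doubled backslashes collapse
# once here and once more in the YAML double-quoted string.
cat > .secrets/argocd-vault-plugin-configmap.yaml << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: cmp-plugin
  namespace: argocd
data:
  avp.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      allowConcurrency: true
      discover:
        find:
          command:
            - sh
            - "-c"
            - "find . -name '*.yaml' | xargs -I {} grep \"<path\\\\|avp\\\\.kubernetes\\\\.io\" {} | grep ."
      generate:
        command:
          - argocd-vault-plugin
          - generate
          - "."
      lockRepo: false
EOF

# AppRole credentials the plugin uses to reach Vault from inside the cluster.
cat > .secrets/argocd-vault-plugin-secret.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-vault-plugin-credentials
  namespace: argocd
type: Opaque
stringData:
  AVP_AUTH_TYPE: approle
  AVP_TYPE: vault
  VAULT_ADDR: "https://vault.avroid.tech"
  AVP_ROLE_ID: ${argocd_avp_role_id}
  AVP_SECRET_ID: ${argocd_avp_secret_id}
EOF

echo "Run:"
echo ' 1. source .creds'
echo ' 2. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml'
echo ' 3. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml'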