Helm Wrap

Helm Wrap is a tool which processes helm values files and helm output.

This tool is intended to be used with ArgoCD's Helm feature. It enables you to pre-process values or post-process helm output without using a custom plugin.

For security, values files that have been processed are passed through named pipes to avoid writing them to disk.

Installation

Prerequisites

Helm is needed for Helm Wrap to work. Follow the instructions here to install it.

Getting Helm Wrap binary

Helm Wrap releases

Helm Wrap released binaries can be downloaded from GitHub.

Building from sources

Helm Wrap can be built using the go build command.

Deploying Helm Wrap

  • Rename helm to _helm.
  • Rename helm2 to _helm2.
  • Add the helm-wrap binary with the names helm and helm2.

You can do this using an init container or by building custom images. Here is an example using the argo-cd helm chart.

repoServer:
  volumes:
  - name: custom-tools
    emptyDir: {}

  volumeMounts:
    - mountPath: /usr/local/bin/_helm2
      name: custom-tools
      subPath: helm-v2
    - mountPath: /usr/local/bin/_helm
      name: custom-tools
      subPath: helm-v3

    # mount helm-wrap as helm and helm2
    - mountPath: /usr/local/bin/helm
      name: custom-tools
      subPath: helm-wrap
    - mountPath: /usr/local/bin/helm2
      name: custom-tools
      subPath: helm-wrap

  initContainers:
    - name: download-tools
      image: alpine:latest
      imagePullPolicy: Always
      env:
        - name: HELM_SOPS_URL
          value: "https://github.com/teejaded/helm-wrap/releases/download/20201103-2/helm-wrap_20201103-2_linux_amd64.tar.gz"
        - name: HELM_3_URL
          value: "https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz"
        - name: HELM_2_URL
          value: "https://storage.googleapis.com/kubernetes-helm/helm-v2.17.0-linux-amd64.tar.gz"
      command: [sh, -c]
      args:
        - >-
          set -x;
          cd /custom-tools &&
          wget -qO- $HELM_SOPS_URL | tar -xvzf - &&
          wget -qO- $HELM_3_URL | tar -xvzf - &&
          mv linux-amd64/helm /custom-tools/helm-v3 &&
          wget -qO- $HELM_2_URL | tar -xvzf - &&
          mv linux-amd64/helm /custom-tools/helm-v2
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
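
The init container above pipes each download straight into tar, so nothing checks what was fetched before it is mounted as helm. A hardened form of that step, as an added example that is not part of the helm-wrap project: the function names are hypothetical and the digest in the usage comment is a placeholder you pin yourself.

```shell
# Added example (not helm-wrap code): verify a pinned SHA-256 before unpacking.
# All function names here are hypothetical helpers for the init container script.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST
# Extracts ARCHIVE into DEST only if its digest matches; returns 1 otherwise.
verify_and_extract() {
  archive=$1 expected=$2 dest=$3
  actual=$(sha256_of "$archive") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $archive: got $actual" >&2
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Downloads to a temp file first (no "wget | tar"), then verifies and extracts.
fetch_verified() {
  url=$1 expected=$2 dest=$3
  tmp=$(mktemp) || return 1
  if wget -qO "$tmp" "$url" && verify_and_extract "$tmp" "$expected" "$dest"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Usage in the init container (the digest is a placeholder, not a real value):
#   fetch_verified "$HELM_3_URL" "<pinned-sha256-of-helm-v3-tarball>" /custom-tools
```

A failed check returns non-zero, so chaining the calls with && (as the original script does) stops the init container before any unverified binary reaches the shared volume.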

Usage

Create a JSON config that processes your YAML and store it in the HELMWRAP_CONFIG environment variable. The config consists of an array of actions that are executed in order.

Below is an example of how to set the variable in the argo-cd helm chart.

repoServer:
  env:
    - name: HELMWRAP_CONFIG
      value: '[{"action":"shell-exec","command":"$HELM"}]'

transform-values action

This action calls your command for each helm values file found in the arguments. Stdout is captured and written to a named pipe.

The values file path is substituted for {}.

There is an optional "filter" parameter which will check if a json path exists before running your command.

shell-exec

This action runs the command using /bin/bash -euo pipefail -c. It adds an environment variable HELM that contains the correct binary and arguments.

There is an optional string-match filter parameter on the helm sub-command (e.g. show, template, etc.). This is useful with argocd-vault-plugin, which does not support the arbitrary yaml generated by "helm show values .". The first matched shell-exec is the only one run.

Example Configs

This configuration replicates the functionality of Camptocamp's helm-sops:

[
  {
    "action": "transform-values",
    "filter": "$.sops.lastmodified",
    "command": "sops -d {}"
  },
  {
    "action": "shell-exec",
    "command": "$HELM"
  }
]

kustomized-helm without a plugin

[
  {
    "action": "shell-exec",
    "filter": "template",
    "command": "$HELM > all.yaml; kustomize build $ARGOCD_APP_SOURCE_TARGET_REVISION"
  },
  {
    "action": "shell-exec",
    "command": "$HELM"
  }
]

argocd-vault-plugin

[
  {
    "action": "shell-exec",
    "filter": "template",
    "command": "$HELM | argocd-vault-plugin generate -"
  },
  {
    "action": "shell-exec",
    "command": "$HELM"
  }
]