Given a simple kustomization like

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../base/namespaces

and ArgoCD Application without lovely plugin, it works as expected, base is included and deployed properly.

However, when lovely plugin is included in the same Application:

apiVersion: argoproj.io/v1alpha1
kind: Application
...
spec:
  source:
    ...
    path: k8s/[omitted]/overlays/_cluster/namespaces
    plugin:
      name: argocd-lovely-plugin
...

an error is thrown:

rpc error: code = Unknown desc = Manifest generation error (cached):
 `argocd-lovely-plugin` failed exit status 1: 2022/10/13 15:19:41 
Error: accumulating resources: accumulation 
err='accumulating resources from '../../../../base/namespaces': 
evalsymlink failure on '/base/namespaces' : 
lstat /base: no such file or directory': 
evalsymlink failure on '/base/namespaces' : 
lstat /base: no such file or directory

Does lovely plugin support inclusion of base?

ArgoCD version: 2.4.12
Lovely version: 0.6.4
Kustomize version: 4.4.1

We use relative paths to dependencies of helm charts. Looks like the plugin doesn't work correctly with them:

$ cat Chart.yaml
apiVersion: v2
name: pomerium
description: A Helm chart for Kubernetes
type: application
version: 33.0.1
appVersion: "24.0.0"

dependencies:
  - name: pomerium
    version: "27.0.2"
    repository: "file://../../generic-charts/chart_deps/pomerium/"
  - name: genapp
    alias: pomerium-common
    version: ">0.1.0, <0.2.0"
    repository: "oci://asia-docker.pkg.dev/xxxx-xxxx/gcp-helm-repository/stable"

$ helm dep update . --skip-refresh
Saving 2 charts
Downloading genapp from repo oci://asia-docker.pkg.dev/xxxx-xxxx/gcp-helm-repository/stable
Pulled: asia-docker.pkg.dev/xxxx-xxxx/gcp-helm-repository/stable/xxxx:0.1.262
Digest: sha256:006b8e3c2b2cbc392faea28b4d92e6f3386a148d7f1a3b418034783afd4ec141
Deleting outdated charts

$ argocd-lovely-plugin 
2023/06/17 10:23:39 exit status 1: Error: directory ../../generic-charts/chart_deps/pomerium not found

$ ls ../../generic-charts/chart_deps/pomerium
Chart.lock	Chart.yaml	OWNERS		README.md	charts		ci		scripts		templates	values.yaml

Version of plugin: argocd-lovely-plugin-0.19.4-darwin-amd64.
Please take a look.

everything seems to be in working order when kustomization.yaml does not reference ../
but as soon as you include a base in the parent directory (at the same level at the directory polled by lovely plugin) everything breaks because lovely plugin does not copy all the resources like argocd kustomization support does. (kustomization including parent directory content for base works in native argocd)

After upgrading to v2.2.0, any application using argocd-lovely-plugin goes into an unknown sync state with no obvious way of recovering.

Raised this ticket to track any troubleshooting, rca and/or fixing.

Default config apiVersion is 'k3d.io/v1alpha4', but you're using 'k3d.io/v1alpha3': consider migrating. is being thrown in the CI

5.0.0 wasn't being updated. I've manually updated for now, but it needs investigation.

Like already brought up for the helm processor in #63, CRDs are also not included when using the helmfile processor. I looked through the configurable parameters but it seems, that it is currently not possible to define extra parameters for helmfile, like for helm template with the LOVELY_HELM_TEMPLATE_PARAMS variable.

Now the CRDs of the loki chart are not included in the lovely plugin output.

I'd suggest either adding the --include-crds parameter by default here (like already done in the helm processor) or by adding a new environment variable like LOVELY_HELMFILE_TEMPLATE_PARAMS where you can define your own parameters needed for your use-case. I'm happy to support with the implementation here.

As a temporary fix I have overwritten the used helmfile executable using the variable LOVELY_HELMFILE_PATH set to /home/argocd/scripts/helmfile.sh. Here is the helmfile.sh content:

#!/usr/bin/env bash
set -eu
helmfile template --include-crds

We don't report some failures well.

helm repo add failing is one I noticed.

Write a test suite for these

Using the latest stable version of argocd-lovely-plugin.

WIth a repo structure like the following:
my-cluster (folder):

• chart (folder containing a Chart.yaml and values.yaml)
• d.yaml
• e.yaml
• kustomization.yaml

This works without issue.

However, if you have a repo like this:

my-cluster (folder):

• chart (folder containing a Chart.yaml and values.yaml)
• b.yaml
• e.yaml
• kustomization.yaml

It will ONLY render the b and e and it won't render the helm chart.

I have a requirement where:

• I have a helm chart in a git repo that isn't published to a registry.
• I have multiple values.yaml files for different needs
• I have multiple applications in a different repo to the helm chart that call each values.yaml file depending on the application purpose.

Argocd solves this by allowing me to set the name of the values.yaml file it references in the application manifest.

Argocd doesn't allow me to set the above AND have a plugin. This makes me sad.

I have the following applicationset for promtail:

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: promtail-set
spec:
  generators:
    - clusters:
        selector:
          matchLabels:
            mycompany.biz/appset-common: "true"
  template:
    metadata:
      name: 'promtail-{{name}}'
    spec:
      destination:
        name: '{{name}}'
        namespace: promtail
      project: applicationsets
      source:
        path: pathy/path
        repoURL: 'gittygittgit.git'
        targetRevision: HEAD
        plugin:
          name: argocd-lovely-plugin
          env:                                                                                                                                                                                         
            - name: ARGOCD_ENV_LOVELY_HELM_PATCH                                                                                                                                                                  
              value: |                                                                                                                                                                                 
                [{ "op": "add", "path": "/promtail/config/snippets/common/7", "value": { "action": "replace", "replacement": "{{name}}", "target_label": "cluster" } }]
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
        - CreateNamespace=true

However, when I exec into a promtail pod and perform cat /etc/promtail/promtail.yaml I don't see the expected:

      - action: replace
        replacement: my-cluster-name
        target_label: cluster

If I change ARGOCD_ENV_LOVELY_HELM_PATCH back to LOVELY_HELM_PATCH, I see my expected addition in the promtail.yaml file.

ArgoCD 2.4.6. Lovely 0.4.1

(Promtail Chart 6.2.1 for what it's worth)

ArgoCD 2.6 will drop support for the currently documented way we run this. We may need to provide various dependencies inside our container.

At the moment, is it possible to install a plugin via ArgoCDExtension? I understand that configManagementPlugins is a deprecated parameter and will soon be removed argoproj/argo-helm#1766

I've configured lovely plugin with vault-replacer, and trying to use helm-argocd-vault-replacer as plugin for lovely. My use case is that we have in-house maintained Helm chart, that in one of it's secret retrieves Vault secret like this:

stringData:
  sftp.json: "<secret:sftp/data/login/{{ .Values.sftp.environment }}/users~{{ .Values.sftp.userName }}>"

As values are used in the secret template, I need to first render the Helm chart before filling in the secret templates.

My Application spec looks like:

    spec:
      source:
        path: 'deploy'
        plugin:
          name: argocd-lovely-plugin
          env:
            - name: LOVELY_PLUGINS
              value: helm-argocd-vault-replacer
            - name: LOVELY_PREPROCESSORS
              value: sed -i 's/<<environment>>/{{environment}}/g' values.yaml || true

Error I get is:

`argocd-lovely-plugin` failed exit status 1: 2022/09/27 05:19:57 exit status 127: bash: line 1: helm-argocd-vault-replacer: command not found`

Looking at source code in lovely plugin, all it tries is to execute plugins as commands. Are plugins in argo-cd configmap relevant at all as plugins for lovely, and can above scenario work at all?

It's a pain for users.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update helm release nginx to v17

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

I would assume that environment variables that can be part of my values configuration should not expanded.
I have a manifest like so:

spec:
    ...
    plugin:
      name: argocd-lovely-plugin
      env:
        - name: LOVELY_HELM_MERGE
          value: |
            serviceAccount:
              annotations:
                test: yes
                simplevar: $da
                quoted_var: "$AVP_TYPE"
                escaped_var: "\\$AVP_TYPE"
    ...

The resulting resource looks like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    escaped_var: \
    quoted_var: ""
    test: "yes"

Escaping a value once, like "\$AVP_TYPE" breaks yaml altogether and i get this:

Unknown desc = error generating manifests: `argocd-lovely-plugin` failed exit status 1: 2023/07/03 15:18:41 yaml: line 2: did not find expected key"

I am not sure this is intended behaviour as there is no declared env var expansion functionality.
This totally breaks all application configurations that have env vars that the apps process by their logic (primarily its the dex configuration for argocd.. it uses clientID: $dex.gitlab.clientID this format for config and its broken when using lovely)

Expected behaviour:

• Ignore all environment variables?

I'm using sed command in ARGOCD_ENV_LOVELY_PREPROCESSORS, as in one of the examples to replace contents of values.yaml.

Seems if sed returns error code due to eg. file not existing, lovely-plugin does not catch it, and happily just continues processing.

Instead, we should return error to argocd.

EDIT: seems my ENV variable name was wrong, LOVELY_PREPROCESSORS does work, however I still can't make it to find proper file. Following Application definition works, and replaces correctly:

  source:
    path: deploy/magento
    plugin:
      env:
      - name: LOVELY_PREPROCESSORS
        value: sed -i 's/<<environment>>/dev-lovely/g' values.yaml
      name: argocd-lovely-plugin

But if I try to target a directory above it, in order to include plain yaml files in another directory, I this fails:

  source:
    path: deploy
    plugin:
      env:
      - name: LOVELY_PREPROCESSORS
        value: sed -i 's/<<environment>>/dev-lovely/g' magento/values.yaml
      name: argocd-lovely-plugin

I want to use argocd-lovely-plugin along with argocd-vault-plugin. I don't want to use versioned plugin, so I used this image ghcr.io/crumbhole/lovely-vault-plugin:0.19.4, however this image has no argocd-vault-plugin installed. The image with versioned plugin ghcr.io/crumbhole/lovely-vault-plugin-ver:0.19.4 this binary have.

From variations/variations.txt I can see that the variations/Dockerfile.nover is used for building the ghcr.io/crumbhole/lovely-vault-plugin:0.19.4 image. And this Dockerfile.nover do not install argocd-vault-plugin.

Isn't this some kind of bug or am I doing something wrong?

 Steps to reproduce

1. Image for versioned plugin which has argocd-vault-plugin inside

   docker run --rm --entrypoint "" --platform linux/amd64 \
     ghcr.io/crumbhole/lovely-vault-plugin-ver:0.19.4 \
     which argocd-vault-plugin

   output

   /usr/local/bin/argocd-vault-plugin

2. Image for unversioned plugin which has no argocd-vault-plugin inside

   docker run --rm --entrypoint "" --platform linux/amd64 \
     ghcr.io/crumbhole/lovely-vault-plugin:0.19.4 \
     which argocd-vault-plugin

   output

how i fix this error ?

rpc error: code = Unknown desc = Manifest generation error (cached): `argocd-lovely-plugin` failed exit status 1: 2022/11/25 12:36:32 exit status 1: Error: no cached repository for helm-manager-daf1ee1308783e5bff6495f156b188a0ededf4f6125cc2a5c95c7274583672ee found. (try 'helm repo update'): open /tmp/.helm/cache/repository/helm-manager-daf1ee1308783e5bff6495f156b188a0ededf4f6125cc2a5c95c7274583672ee-index.yaml: no such file or directory

when using kustomize_patch as per below, anything attached to $ disappears from the render, there doesnt appear to be an escape key either to stop this from happening.

plugin:
  name: argocd-lovely-plugin
  env:
    - name: LOVELY_KUSTOMIZE_PATCH
      value: |-
        - op: replace
          path: /patches/0/patch
          value: |-
            - op: add
              path: /data/agent3.yaml
              value: $value

So in the above example the entire "$value" will disappear and leave it empty.

My use case is patching in configs for an prometheus that includes scraping configs that require variables such as "$1:$2" which are dropped and rendered as ":"

Dear all,
I am working in MonoRepo<=>Multi-k8s-clusters environment. Here is my inventory repository structure my GitlabCI pipeline is browsing to build deployment manifests to be scrapped by Argo App.

I had in mind to move the process of my GitlabCI pipeline into Lovely plugin. Here are the main caveats I do experience

Vault interop

Vault Replacer plugin is configured as a plugin to lovely by the means of env variable ARGOCD_ENV_LOVELY_PLUGINS. As a result, Vault Replacer is gonna run in preprocessing step in order to resolve secret in these cases:

Deploy a helm chart in accordance with its values. One of the values will be taken from Hashicorp Vault.
Deploy a separate kubernetes secret, with the value being taken from Hashicorp Vault.
Deploy a kubernetes configmap using Kustomize. Some of the data within the configmap will be taken from Hashicorp Vault.

Vault Replacer does only support Kubernetes Auth method. This method is not supported by my central Vault server. As a workaround, I successfully interop lovely plugin with ArgoCD Vault plugin with approle authentication.
ArgoCD Vault plugin takes the PATH of the yaml files to resolve and sends the result as the aggregate standard output i.e. we should iterate each yaml file to keep the directory tree like Vault Replacer which performs this process in the box.
Vault plugin cannot do it out of the box along preprocessing step by the means of the basic ArgoCD configManagementPlugins syntax.

As a consequence, I trigger Vault Plugin once Lovely Plugin is processed. Hence, we support only here above use cases #2 and #3.

Overlays support

As detailed in ArgoCD Lovely plugin help page, overlays mechanisms are not supported:

• neither from an Helm value file perspective : --values (or -f) to specify a YAML file with overrides. This can be specified multiple times and the rightmost file will take precedence,
• nor from a Kustomize perspective.

However, application sets should be investigated furthermore to mitigate/tackle this caveat.

Environment variables

ArgoCD Lovely plugin does not support environnement variables. Helm value file or manifest file must be fully resolved prior to be processed. Also ArgoCD Lovely plugin does not enhance Kustomize processing which does build the manifests from files exclusively, and no information would come from runtime. In essence, no information can be loaded from the command-line arguments or environment variables during the manifest build phase.

This caveat could however be solved by the means of a preprocessor plugin which would browse the working application directory and envsubst the yaml files.

Thanks & Best Regards.
Richard

Curious how you'd recommend adding additional args to kustomize such as --load-restrictor LoadRestrictionsNone? Attempting to install a chart from local, and can't get it to work unless the /chart is inside the kustomize directory. I see --helm-enabled is set here, and we're given the option to provide a path to a different kustomize binary. Would it be possible to use another plugin instead of pointing to a binary? Already have a kustomize plugin with the necessary options set. Otherwise maybe some way to use the argo-cm kustomize.buildOptions?

is the argocd-lovely-plugin ready for production ?

The tag for 0.3.0 does not exist in the ghcr.io/crumbhole/argocd-lovely-plugin registry, and stable seems to point at 0.2.3:

$ podman pull ghcr.io/crumbhole/argocd-lovely-plugin:stable
Trying to pull ghcr.io/crumbhole/argocd-lovely-plugin:stable...
Getting image source signatures
Copying blob 59bf1c3509f3 skipped: already exists
Copying blob e4b84b497c85 done
Copying config 87b5fe0811 done
Writing manifest to image destination
Storing signatures
87b5fe0811691a772a988d9844b55e16af738f9c59dc2a367d1d536c03b42b91

$ podman pull ghcr.io/crumbhole/argocd-lovely-plugin:0.2.3
Trying to pull ghcr.io/crumbhole/argocd-lovely-plugin:0.2.3...
Getting image source signatures
Copying blob e4b84b497c85 skipped: already exists
Copying blob 59bf1c3509f3 skipped: already exists
Copying config 87b5fe0811 done
Writing manifest to image destination
Storing signatures
87b5fe0811691a772a988d9844b55e16af738f9c59dc2a367d1d536c03b42b91

$ podman pull ghcr.io/crumbhole/argocd-lovely-plugin:0.3.0
Trying to pull ghcr.io/crumbhole/argocd-lovely-plugin:0.3.0...
Error: initializing source docker://ghcr.io/crumbhole/argocd-lovely-plugin:0.3.0: reading manifest 0.3.0 in ghcr.io/crumbhole/argocd-lovely-plugin: manifest unknown

We use GAR as a storage for some chart dependencies. An attempt to run the plugin on a local laptop throws errors.

Authentication:

$ gcloud auth configure-docker asia-docker.pkg.dev
export HELM_REGISTRY_CONFIG=~/.docker/config.json

Adding credentials for: asia-docker.pkg.dev
gcloud credential helpers already registered correctly.

Attempt to run a plugin in a folder with chart:

$ argocd-lovely-plugin
2023/06/17 11:02:28 exit status 1: Error: could not retrieve list of tags for repository oci://asia-docker.pkg.dev/xxx-xxx/gcp-helm-repository/stable: GET "https://asia-docker.pkg.dev/v2/xxx-xxx/gcp-helm-repository/stable/genapp/tags/list": GET "https://asia-docker.pkg.dev/v2/token?scope=repository%xxx-xxx%2Fgcp-helm-repository%2Fstable%2Fgenapp%3Apull&service=asia-docker.pkg.dev": unexpected status code 401: unauthorized: failed authentication

The same with helm:

$ helm dep update --skip-refresh
Saving 1 charts
Downloading genapp from repo oci://asia-docker.pkg.dev/inspectorio-ant/gcp-helm-repository/stable
Pulled: asia-docker.pkg.dev/inspectorio-ant/gcp-helm-repository/stable/genapp:0.1.262
Digest: sha256:006b8e3c2b2cbc392faea28b4d92e6f3386a148d7f1a3b418034783afd4ec141
Deleting outdated charts

Version: argocd-lovely-plugin-0.19.4-darwin-amd64

$ helm version
version.BuildInfo{Version:"v3.12.0", GitCommit:"c9f554d75773799f72ceef38c51210f1842a1dea", GitTreeState:"clean", GoVersion:"go1.20.4"}

It seems that the ci ghcr creds aren't available to users who offer PRs to this project. They are only available to cool people like myself and @Joibel.

Other github projects don't have this issue, so we've done some incorrect setup that I don't yet understand.

Hello,

looking at the code below, I assume private repositories are not supported

func (h helmProcessor) repoEnsure(path string, name string, url string) error {
	_, err := h.helmDo(path, `repo`, `add`, name, url)
	return err
}

I was wondering if we could provide a limited support by leveraging ArgoCD env variables like: GIT_USERNAME and GIT_PASSWORD, assuming the same credentials for source repo, and all other repo found underneath.
It would work in my case but maybe too limited for community.

++
thanks

Hello.

I have a dependency chart in Chart.yaml

dependencies:
- name: service
  version: 0.1.0
  repository: oci://gitlab.example.com/repo/main/chart

and get the error Error: looks like "oci://gitlab.example.com/repo/main/chart" is not a valid chart repository or cannot be reached: object required

It looks like the argocd-lovely-plugin doesn't support OCI based helm registries https://helm.sh/docs/topics/registries/ because here https://github.com/crumbhole/argocd-lovely-plugin/blob/main/pkg/processor/helmProcessor.go#L42 the plugin uses helm repo add --force-update command which doesn't support OCI registries (helm/helm#10565)

Can you add support of OCI based helm repositories to your plugin?

Hey, first of all I want to say thank you for this cool project.

Our OPA-Gatekeeper does not allow containers running as root user.
The InitContainer argocd-lovely-plugin:0.4.1 is running as root user. I tried to create my own Dockerfile, but always getting the following InitContainer error as soon as I deploy with ArgoCD:

mv: can't remove 'argocd-lovely-plugin': Permission denied

With the Dockerfile, I tried to create my own user and change the owner of the /argocd-lovely-plugin file:

FROM ghcr.io/crumbhole/argocd-lovely-plugin:0.4.1

USER root

# Create a group and user
RUN addgroup -S app -g 1000 && adduser -S app -u 1000 -G app \
 && chown -R 1000:1000 /argocd-lovely-plugin

# Tell docker that all future commands should run as the appuser user
USER 1000

# the following commands are only for traceability
RUN id
RUN ls -l /
RUN ls -ln /argocd-lovely-plugin
RUN rm -rf /argocd-lovely-plugin

If I build the image and try to remove (rm) the "argocd-lovely-plugin" file, then I have the same problem:

Step 1/7 : FROM ghcr.io/crumbhole/argocd-lovely-plugin:0.4.1
 ---> 3256ecbe39ac
Step 2/7 : USER root
 ---> Running in cd434b201efe
Removing intermediate container cd434b201efe
 ---> c196c3018099
Step 3/7 : RUN addgroup -S app -g 1000 && adduser -S app -u 1000 -G app  && chown -R 1000:1000 /argocd-lovely-plugin
 ---> Running in c4d323e9e69c
Removing intermediate container c4d323e9e69c
 ---> 56dd65b7905e
Step 4/7 : USER 1000
 ---> Running in 8e9f994b894c
Removing intermediate container 8e9f994b894c
 ---> 114c8b9d36d9
Step 5/7 : RUN ls -l /
 ---> Running in 2866727819fe
total 14532
-rwxr-xr-x    1 app      app       14822201 Jul  5 10:44 argocd-lovely-plugin
drwxr-xr-x    2 root     root          4096 May 23 16:51 bin
drwxr-xr-x    5 root     root           320 Jul 22 23:20 dev
drwxr-xr-x    1 root     root          4096 Jul 22 23:20 etc
drwxr-xr-x    1 root     root          4096 Jul 22 23:20 home
drwxr-xr-x    7 root     root          4096 May 23 16:51 lib
drwxr-xr-x    5 root     root          4096 May 23 16:51 media
drwxr-xr-x    2 root     root          4096 May 23 16:51 mnt
drwxr-xr-x    2 root     root          4096 May 23 16:51 opt
dr-xr-xr-x  167 root     root             0 Jul 22 23:20 proc
drwx------    2 root     root          4096 May 23 16:51 root
drwxr-xr-x    2 root     root          4096 May 23 16:51 run
drwxr-xr-x    2 root     root          4096 May 23 16:51 sbin
drwxr-xr-x    2 root     root          4096 May 23 16:51 srv
dr-xr-xr-x   13 root     root             0 Jul 22 23:20 sys
drwxrwxrwt    2 root     root          4096 May 23 16:51 tmp
drwxr-xr-x    7 root     root          4096 May 23 16:51 usr
drwxr-xr-x   12 root     root          4096 May 23 16:51 var
Removing intermediate container 2866727819fe
 ---> 6f09a2a7cb8c
Step 6/7 : RUN ls -ln /argocd-lovely-plugin
 ---> Running in e17004972a4b
-rwxr-xr-x    1 1000     1000      14822201 Jul  5 10:44 /argocd-lovely-plugin
Removing intermediate container e17004972a4b
 ---> 25de8bbf2028
Step 7/7 : RUN rm -rf /argocd-lovely-plugin
 ---> Running in 8f9d8cfb7001
rm: can't remove '/argocd-lovely-plugin': Permission denied
The command '/bin/sh -c rm -rf /argocd-lovely-plugin' returned a non-zero code: 1

Adjusting the file permissions (e.g. 777) leads to the same behavior.

Do you have any idea what I'm doing wrong or is there a plan on the roadmap for a container that is "runAsNonRoot" compatible?

Hi
want to use helm with kustomization with a private helm repo which require authentication hence add evn LOVELY_HELM_REPO_ADD_PARAMS to handle this but getting error as below. Example will really help.

image:
docker pull ghcr.io/crumbhole/argocd-lovely-plugin-cmp:ab87458a41ae4583d54f89fe8c08eb214177616d

time="2023-08-11T19:09:30Z" level=error msg="argocd-lovely-plugin failed exit status 1: 2023/08/11 19:09:30 exit status 1: Error: "helm repo add" requires 2 arguments\n\nUsage: helm repo add [NAME] [URL] [flags]" execID=48c03
time="2023-08-11T19:09:30Z" level=error msg="finished streaming call with code Unknown" error="error generating manifests: argocd-lovely-plugin failed exit status 1: 2023/08/11 19:09:30 exit status 1: Error: "helm repo add" requires 2 arguments\n\nUsage: helm repo add [NAME] [URL] [flags]" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2023-08-11T19:09:28Z" grpc.time_ms=1307.654 span.kind=server system=grpc
time="2023-08-11T19:13:59Z" level=info msg="Alloc=7713 TotalAlloc=130720 Sys=46445 NumGC=17 Goroutines=7"

At Argocd-ui application

plugin:
name: argocd-lovely-plugin
env:
- name: LOVELY_HELM_REPO_ADD_PARAMS
value: >-
helm repo add common-helm-virtual-dev
https://artifactory.local.com:443/artifactory/common-helm-virtual-dev
--insecure-skip-tls-verify --username [email protected] --password
AKCp8mZwPxNkmhdSUbKQxx9urBCjR26a2tbtuFT89sKXUtLcSKJ8EqyeFo9YPEQMpWja4x56D

At Repo-server Deployment environment

• name: LOVELY_HELM_REPO_ADD_PARAMS
  value: helm repo add common-helm-virtual-dev https://artifactory.local.com:443/artifactory/common-helm-virtual-dev --insecure-skip-tls-verify --username [email protected] --password AKCp8mZwPxNkmhdSUbKQxx9urBCjR26a2tbtuFT89sKXUtLcSKJ8EqyeFo9YPEQMpWja4x56D

I got this error when I wanted to use custom-values.yaml file from upper directory ../values/.

ComparisonError rpc error: code = Unknown desc = plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: argocd-lovely-plugin failed exit status 1: 2023/05/25 08:44:04 error running helm: exit status 1: Error: open ../values/custom-values.yaml: no such file or directory

I have this repository stucture

.
├── test-argocd-plugin
│   ├── Chart.lock
│   ├── Chart.yaml
│   ├── charts
│   │   └── hello-world-0.1.0.tgz
│   ├── kustomization.yaml
│   ├── liveness-patch.yml
│   ├── templates
│   │   ├── configmap.yaml
│   │   └── secret.yaml
│   └── values.yaml
└── values
    └── custom-values.yaml

ArgoCD Application manifest for this app

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: test-argocd-plugin
  namespace: argocd
spec:
  destination:
    url: https://kubernetes.default.svc
    namespace: default
  project: default
  source:
    plugin:
      name: argocd-lovely-plugin-v1.0
      env:
        - name: LOVELY_HELM_NAME
          value: foo
        - name: LOVELY_HELM_REPO_ADD_PARAMS
          value: --insecure-skip-tls-verify
        - name: LOVELY_HELM_VALUES
          value: "../values/custom-values.yaml"
    path: test-argocd-plugin
    repoURL: '<git repo>'
    targetRevision: master

Without plugin it works, but doesn't work with the argocd-lovely-plugin.

argocd-lovely-plugin: 0.18.0
ArgoCD version: v2.7.1+5e54351.dirty

Issue1: Kustomization doesn't work
My repo structure:

/test/yamls/dev/kustomization.yaml
/test/yamls/base/kustomization.yaml
/test/yamls/base/deployment.yaml

ArgoCD application path set to /test/yamls/dev/, it doesn't work after enable argocd-lovely-plugin, but it's working after i revert

P.s.: argocd config kustomize.buildOptions: --load-restrictor LoadRestrictionsNone --enable-helm

Issue2: if i enabled both helm.valueFiles and plugin, argocd reports multi source error

Because both charts are rendered with the same name (ARGOCD_APP_NAME), there are issues in most cases.

Provide a way to override this on a per chart basis. Can we do something automatically perhaps, like postpend the directory name?

Hello!

I have been struggling with finding the proper way to define a non-lovely (argocd-vault-plugin) plugin as a plugin of lovely-plugin.

I dug into the multiple installation examples, including the deprecated ones, but no matter what I am not able to use the argocd-vault-plugin in combination with lovely.

the error I am seeing:

rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `argocd-lovely-plugin` failed exit status 1: 2023/06/08 20:53:40 exit status 127: bash: line 1: argocd-vault-plugin-kustomize: command not found

I am unsure how lovely is trying to run its plugins nor how the sidecars share anything other than the cmp-plugin volumeMount, which only has the .sock file for each of the sidecars.

Unfortunately I cannot use your vault replacement as it doesn't seem to support 1Password connect so I was hoping to combine the other plugins with lovely.

here is the relevant part of my values file for argocd repo server:

 # -- load env from secret
    envFrom:
      - secretRef:
          name: argocd-vault-plugin-credentials
    # -- init container to download vault plugin
    initContainers:
      - name: download-tools
        image: registry.access.redhat.com/ubi8
        env:
          - name: AVP_VERSION
            # renovate: datasource=github-releases depName=argoproj-labs/argocd-vault-plugin
            value: 1.14.0
        command: [sh, -c]
        args:
          - >-
            curl -L https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
            chmod +x argocd-vault-plugin &&
            mv argocd-vault-plugin /custom-tools/
        volumeMounts:
          - mountPath: /custom-tools
            name: custom-tools
    # -- sidecars to run vault plugin
    extraContainers:
      # -- argocd-vault-plugin with Helm
      - name: avp-helm
        command: [/var/run/argocd/argocd-cmp-server]
        image: quay.io/argoproj/argocd:v2.7.4
        securityContext:
          runAsNonRoot: true
          runAsUser: 999
        envFrom:
          - secretRef:
              name: argocd-vault-plugin-credentials
        volumeMounts:
          - mountPath: /var/run/argocd
            name: var-files
          - mountPath: /home/argocd/cmp-server/plugins
            name: plugins
          - mountPath: /tmp
            name: tmp
          # Register plugins into sidecar
          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
            subPath: avp-helm.yaml
            name: cmp-plugin

          # Important: Mount tools into $PATH
          - name: custom-tools
            subPath: argocd-vault-plugin
            mountPath: /usr/local/bin/argocd-vault-plugin

      # argocd-vault-plugin with Kustomize
      - name: avp-kustomize
        command: [/var/run/argocd/argocd-cmp-server]
        image: quay.io/argoproj/argocd:v2.7.4
        securityContext:
          runAsNonRoot: true
          runAsUser: 999
        envFrom:
          - secretRef:
              name: argocd-vault-plugin-credentials
        volumeMounts:
          - mountPath: /var/run/argocd
            name: var-files
          - mountPath: /home/argocd/cmp-server/plugins
            name: plugins
          - mountPath: /tmp
            name: tmp

          # Register plugins into sidecar
          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
            subPath: avp-kustomize.yaml
            name: cmp-plugin

          # Important: Mount tools into $PATH
          - name: custom-tools
            subPath: argocd-vault-plugin
            mountPath: /usr/local/bin/argocd-vault-plugin

      # argocd-vault-plugin with plain YAML
      - name: avp
        command: [/var/run/argocd/argocd-cmp-server]
        image: quay.io/argoproj/argocd:v2.7.4
        securityContext:
          runAsNonRoot: true
          runAsUser: 999
        envFrom:
          - secretRef:
              name: argocd-vault-plugin-credentials
        volumeMounts:
          - mountPath: /var/run/argocd
            name: var-files
          - mountPath: /home/argocd/cmp-server/plugins
            name: plugins
          - mountPath: /tmp
            name: tmp

          # Register plugins into sidecar
          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
            subPath: avp.yaml
            name: cmp-plugin

          # Important: Mount tools into $PATH
          - name: custom-tools
            subPath: argocd-vault-plugin
            mountPath: /usr/local/bin/argocd-vault-plugin

      # -- sidecar to run lovely plugin
      - name: lovely-plugin
        # This command is actually already set in the image.
        command: [/var/run/argocd/argocd-cmp-server]  # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server
        # Choose your image here - this one has vault replacer in it
        image: ghcr.io/crumbhole/argocd-lovely-plugin-cmp:0.19.1
        env:
          - name: LOVELY_PLUGINS
            value: argocd-vault-plugin-kustomize, argocd-vault-plugin-helm, argocd-vault-plugin
        securityContext:
          runAsNonRoot: true
          runAsUser: 999
        volumeMounts:
          # Import the repo-server's plugin binary
          - mountPath: /var/run/argocd
            name: var-files
          - mountPath: /home/argocd/cmp-server/plugins
            name: plugins
            # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps
            # mitigate path traversal attacks.
          - mountPath: /tmp
            name: lovely-tmp
    volumes:
      # A temporary directory for the lovely plugin to work in.
      - emptyDir: {}
        name: lovely-tmp
      # Volumes for cmp-plugins
      - configMap:
          name: cmp-plugin
        name: cmp-plugin
      - name: custom-tools
        emptyDir: {}
      - name: tmp
        emptyDir: {}

Here is the configmap of the different avp sidecars

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cmp-plugin
data:
  avp-kustomize.yaml: |
    ---
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin-kustomize
    spec:
      allowConcurrency: true

      # Note: this command is run _before_ anything is done, therefore the logic is to check
      # if this looks like a Kustomize bundle
      discover:
        find:
          command:
            - find
            - "."
            - -name
            - kustomization.yaml
      generate:
        command:
          - sh
          - "-c"
          - "kustomize build . | argocd-vault-plugin generate -"
      lockRepo: false
  avp-helm.yaml: |
    ---
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin-helm
    spec:
      allowConcurrency: true

      # Note: this command is run _before_ any Helm templating is done, therefore the logic is to check
      # if this looks like a Helm chart
      discover:
        find:
          command:
            - sh
            - "-c"
            - "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
      generate:
        # **IMPORTANT**: passing `${ARGOCD_ENV_helm_args}` effectively allows users to run arbitrary code in the Argo CD
        # repo-server (or, if using a sidecar, in the plugin sidecar). Only use this when the users are completely trusted. If
        # possible, determine which Helm arguments are needed by your users and explicitly pass only those arguments.
        command:
          - sh
          - "-c"
          - |
            helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |
            argocd-vault-plugin generate --verbose-sensitive-output -
      lockRepo: false
  avp.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      allowConcurrency: true
      discover:
        find:
          command:
            - sh
            - "-c"
            - "find . -name '*.yaml' | xargs -I {} grep \"<path\\|avp\\.kubernetes\\.io\" {} | grep ."
      generate:
        command:
          - argocd-vault-plugin
          - "generate"
          - "."
      lockRepo: false
---

I tested examples/applicationsets/applicationset.yaml
and helm values are completely getting ignored. plugin is downloading latest chart and using defaut values only.

Helm template call should to include flag --include-crds in order for Helm to generate custom resource definitions during templating, otherwise CRD's will be missing from output. This is relevant when using lovely-plugin to install cluster addons such as kube-prometheus-stack.

The recent builds of the argocd-vault-plugin container don't include the binary of argocd-vault-plugin. Thus the plugin fails with the following error message:
level=error msg="`argocd-lovely-plugin` failed exit status 1: 2023/07/30 11:53:45 exit status 127: /usr/local/bin/argocd-vault-plugin: line 1: Not: command not found" execID=36c50

I checked the most recent image and the image with version tag 0.19.7.
I suspect this to be because of the version parameter in the Dockerfile, which is prefixed with a v while the download url excepts a version without prefix.

Hello there!

This plugin is lovely, I was wondering if adding helmfile support would be too big or not?

Helmfile, even if young, is used in some big companies like gitlab, I think it would be really cool to have it available as an option in lovely plugin:

• https://github.com/helmfile/helmfile

It's advantage is that you can use go templating in kustomize files, add subcharts to an existing helm chart, or whatever, it's pretty convenient if you already used to enhance third party helm charts with custom stuff, without using kustomize, or even add default values depending on the environment you're trying to deploy your chart to, etc...

Thanks for reading

Hi there,

I have installed argocd with the plugin using the resources here: https://github.com/crumbhole/argocd-lovely-plugin/tree/main/examples/installation/argocd-sidecar.

I am having an applicationset with

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: applications
  namespace: argocd
spec:
  generators:
    - matrix:
        generators:
          - clusters:
              selector:
                matchLabels:
                  argocd.argoproj.io/secret-type: cluster
          - git:
              repoURL: [email protected]:/organization/repo
              revision: HEAD
              files:
                - path: apps/**/overlays/{{ name }}/kustomization.yaml
template:
    metadata:
      labels:
        app.kubernetes.io/managed-by: argocd
        app.kubernetes.io/name: '{{ path[0] }}'
      name: '{{ name }}-{{ path[1] }}'
      namespace: argocd
    spec:
      destination:
        namespace: '{{ path[1] }}'
        server: '{{ server }}'
      source:
        path: apps/{{ path[1] }}/overlays/{{ name }}
        repoURL: [email protected]:/organization/repo
        targetRevision: HEAD
        plugin:
          name: argocd-lovely-plugin
      project: default
      syncPolicy:
        automated:
          allowEmpty: true
          prune: true
          selfHeal: true
        syncOptions:
        - ServerSideApply=true
        - CreateNamespace=true

in argocd ui, each application is giving the following error

rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. couldn't find cmp-server plugin with name argocd-lovely-plugin supporting the given repository

I would expect the example to work out of the box. What am I missing?

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: JSON.parse error: JSON5: invalid character '}' at 43:2

@tico24 discovered that ArgoCD does this correctly now

From Argo CD 2.4, plugin env vars will be prefixed with ARGOCD_ENV_

https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/upgrading/2.3-2.4.md#update-plugins-to-use-newly-prefixed-environment-variables

Is there any way to use argocd-lovely-plugin with multiple instances of argocd-vault-plugin, meaning that we can use multiple instances of vault and each argocd-vault-plugin will be configured to work with the specific vault? The current setup expected just one instance of the vault.

Thanks

I used to work around the private Helm Repo Problem by downloading the chart and include it into the ArgcoCD Repo. But this won't work anymore after updating from 0.7.

Version Matrix

build binary

make build/argocd-lovely-plugin

create helm chart

cd examples/multiple-helm-charts/charts/chart2/charts
mkdir charts
helm create charts/hello-world

remove repository

sed -i '/repository/d' Chart.yaml

run plugin

ARGOCD_APP_NAME=foo ../../../../build/argocd-lovely-plugin

Result

• 0.7.0

ARGOCD_APP_NAME=foo ../../../../build/argocd-lovely-plugin | head
---
# Source: hello-world/charts/hello-world/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo-hello-world
  labels:
    helm.sh/chart: hello-world-0.1.0
    app.kubernetes.io/name: hello-world
    app.kubernetes.io/instance: foo

• 0.13.0

ARGOCD_APP_NAME=foo ../../../../build/argocd-lovely-plugin
2023/01/18 11:52:37 exit status 1: Error: could not find protocol handler for:

The plugin enables the kustomize processor if there is either a kustomization.yaml or kustomization.yml.
However, the processor expects only a kustomization.yaml afterwards.

I see that the CI builds and pushes images for arm64, but I can't seem to get it to execute successfully. I'm installing multiple other plugins with init container(specifying the arm64 arch version of the tools), and they execute fine. For this plugin, when I install with either latest, 0.13.2, or specify the arm64 sha (0.13.2@sha256:6a78d1edfd0548fc8574588b74addd707a00304ae526c624730a9a7617e7202b), running argocd-lovely-plugin within the repo-server results in:

rpc error: code = Unknown desc = Manifest generation error (cached): fork/exec /usr/local/bin/argocd-lovely-plugin: exec format error

Curious if its been tested working or if there might be some other config I'm missing.

Context

I want to feed Helm with decrypted secrets, ideally without storing them to disk. My secrets are stored encrypted in the Git repository with SOPS. As a plain shell command it would look like this: sops --decrypt secrets.enc.yaml | helm template $name . -f -.

This would automatically pick up the values.yaml file in the directory but it would also pass the decrypted values in secrets.enc.yaml via stdin to helm, effectively merging the values together. Obviously the SOPS binary, configuration and keys would need to be in-place but that is not a concern for the plugin.

The problem

It seems that I cannot specify additional values files on disk for the Helm processor, let alone pass something to Helm via stdin. I need something to happen before the Helm command kicks off that generates values, which are then fed via stdin to Helm.

Options

I've looked at the options at my disposal.

ARGOCD_ENV_LOVELY_PREPROCESSORS

As far as I can see, this can only modify files on disk for further processing. My use-case is to not decrypt the secrets to disk. So the idea of a prepocessor is what I'm looking for, but it needs to be able to 'feed' the Helm command via stdin.

ARGOCD_ENV_LOVELY_HELM_MERGE

I do not know upfront what the contents of my secrets will be. Also, I'd rather not put it in ENV variables for additional security.

Plugins

Plugins seem to run after Helm/Kustomize which makes them useless for my use-case. All the magic is happening within the Helm chart. I don't want to patch/correct it afterwards. I don't want to dig into the Helm chart and see how they use the secret values to implement them on my own later in the 'pipeline'.

Since plugins implement the idea of Linux pipe, this is exactly what I need, only I need it to run before Helm kicks off. Passing the output of the previous plugins to Helm.

Next steps

Maybe I've overlooked/missed options that can work for my use case. Otherwise I'd be happy to collaborate on a design and help implement the code (I'm proficient in Go) if the added value is sufficient. I understand that we should probably design for the generic case, SOPS is just my implementation but others should be free to use whatever they want.