Make the Strongbox logic "on" by default #104

Merged
merged 1 commit into from
Oct 7, 2024
29 changes: 7 additions & 22 deletions README.md
Expand Up @@ -39,28 +39,17 @@ resources:

## Environment Variables

### Strongbox ENVs
### Strongbox envvars

Plugin supports following _plugin envs_ which can be set in ArgoCD Application crd:
Secret name containing Strongbox keyring/identity file MUST be `argocd-voodoobox-strongbox-keyring`.

Set following envvar:

```
- name: STRONGBOX_ENABLED
value: "true"
```

to enable Strongbox decryption for your Namespace.

Secret that contains Strongbox keyring/identity used to encrypt app secrets, must be `argocd-voodoobox-strongbox-keyring`.

`STRONGBOX_SECRET_KEY` the value should be the name of the Secret data key which contains a valid Strongbox keyring file data. The default value is `.strongbox_keyring`
`STRONGBOX_SECRET_KEY` - set a custom "key name" for keyring data. The default value is `.strongbox_keyring`.

For age, the key must be `.strongbox_identity`.
For age, the key name MUST be `.strongbox_identity`.

`STRONGBOX_SECRET_NAMESPACE` If you need to deploy a shared strongbox keyring to use in multiple namespaces, then it can be set by this ENV.
the Secret should have an annotation called "argocd.voodoobox.plugin.io/allowed-namespaces" which contains a comma-separated list of all the namespaces that are allowed to use it.
Since ArgoCD Application can be used to create a namespace, wild card is not supported in the allow list. it is an exact matching.
Since ArgoCD Application can be used to create a namespace, wild card is not supported in the allow list. It is an exact match.
If this env is not specified then it defaults to the same namespace as the app's destination NS.

```yaml
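Review bot: The rewritten "Strongbox envvars" section no longer says how to turn Strongbox off. The "Set following envvar" block for `STRONGBOX_ENABLED` is dropped and nothing replaces it, yet with the default flipped to "true" an Application that never set the variable will now have the plugin look up the `argocd-voodoobox-strongbox-keyring` Secret. Suggest adding a line alongside `STRONGBOX_SECRET_KEY`, for example: `STRONGBOX_ENABLED` - defaults to "true"; set to "false" to disable Strongbox decryption for the app. It would also help to state here what the plugin does when that Secret is absent from the destination namespace, since that is the case existing users hit first after upgrading.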
Expand Down Expand Up @@ -99,15 +88,11 @@ spec:
targetRevision: HEAD
plugin:
env:
- name: STRONGBOX_ENABLED
value: "true"
- name: STRONGBOX_SECRET_NAMESPACE
value: team-a
- name: STRONGBOX_SECRET_KEY
value: .strongbox_keyring
```

### Git SSH Keys Envs
### Git SSH Keys envvars

Set following envvar:

Expand Down Expand Up @@ -272,7 +257,7 @@ subjects:
|-|-|-|
| ARGOCD_APP_NAME | set by argocd | name of application |
| ARGOCD_APP_NAMESPACE | set by argocd | application's destination namespace |
| STRONGBOX_ENABLED | "false" | Enable Strongbox for decryption |
| STRONGBOX_ENABLED | "true" | Enable Strongbox for decryption |
| STRONGBOX_KEYRING_KEY | .strongbox_keyring | the name of the secret data key which contains a valid strongbox keyring file |
| STRONGBOX_SECRET_NAMESPACE | | the name of a namespace where secret resource containing strongbox keyring is located, defaults to current |
| GIT_SSH_CUSTOM_KEY_ENABLED | "false" | Enable Git SSH building using custom (non global) key |
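Review bot: The row directly below the changed one names the variable `STRONGBOX_KEYRING_KEY`, while the "Strongbox envvars" section of this same README documents it as `STRONGBOX_SECRET_KEY`. Since this table is being touched anyway, please align the two names with whatever main.go actually reads, otherwise a user copying from the table sets a variable the plugin may ignore and silently falls back to `.strongbox_keyring`. The `STRONGBOX_ENABLED` description could also gain the opt-out, e.g. 'Enable Strongbox for decryption; set to "false" to disable'.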
3 changes: 2 additions & 1 deletion main.go
Expand Up @@ -88,8 +88,9 @@ to get comma-separated list of all the namespaces that are allowed to use it`,
Name: "app-strongbox-enabled",
EnvVars: []string{argocdAppEnvPrefix + "STRONGBOX_ENABLED"},
Usage: `set 'STRONGBOX_ENABLED' in argocd application as plugin
ENV. If set to "true" will use default values to lookup the
ENV. If set to "true" (default) will use default values to lookup the
Strongbox secret and use it.`,
Value: true,
},
// following envs comes from argocd application resource
// strongbox secrets flags
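Review bot: The Usage text on `app-strongbox-enabled` still describes only the "true" case, and with `Value: true` added the case an operator now needs spelled out is the opt-out. Suggest something like: 'Defaults to "true": the plugin looks up the Strongbox secret using default values. Set to "false" to skip Strongbox decryption.' (also "look up" rather than "lookup" as a verb). Only README.md and main.go appear in this diff, so a test that leaves `STRONGBOX_ENABLED` unset and asserts the flag resolves to true, plus one that sets it to "false", would pin the new default against regressions.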