Helm Wrap is a tool which processes helm values files and helm output.
This tool is intended to be used with ArgoCD's Helm feature. It enables you to pre-process values or post-process helm output without using a custom plugin.
For security, values files that have been processed are passed through named pipes to avoid writing them to disk.
Helm is needed for Helm Wrap to work. Follow the instructions here to install it.
Helm Wrap released binaries can be downloaded from GitHub.
Helm Wrap can be built using the `go build` command.
- Rename `helm` to `_helm`.
- Rename `helm2` to `_helm2`.
- Add the `helm-wrap` binary with the names `helm` and `helm2`.
You can do this using an init container or by building custom images. Here is an example using the argo-cd helm chart.
```yaml
repoServer:
  volumes:
    - name: custom-tools
      emptyDir: {}
  volumeMounts:
    - mountPath: /usr/local/bin/_helm2
      name: custom-tools
      subPath: helm-v2
    - mountPath: /usr/local/bin/_helm
      name: custom-tools
      subPath: helm-v3
    # mount helm-wrap as helm and helm2
    - mountPath: /usr/local/bin/helm
      name: custom-tools
      subPath: helm-wrap
    - mountPath: /usr/local/bin/helm2
      name: custom-tools
      subPath: helm-wrap
  initContainers:
    - name: download-tools
      image: alpine:latest
      imagePullPolicy: Always
      env:
        - name: HELM_SOPS_URL
          value: "https://github.com/teejaded/helm-wrap/releases/download/20201103-2/helm-wrap_20201103-2_linux_amd64.tar.gz"
        - name: HELM_3_URL
          value: "https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz"
        - name: HELM_2_URL
          value: "https://storage.googleapis.com/kubernetes-helm/helm-v2.17.0-linux-amd64.tar.gz"
      command: [sh, -c]
      args:
        - >-
          set -x;
          cd /custom-tools &&
          wget -qO- $HELM_SOPS_URL | tar -xvzf - &&
          wget -qO- $HELM_3_URL | tar -xvzf - &&
          mv linux-amd64/helm /custom-tools/helm-v3 &&
          wget -qO- $HELM_2_URL | tar -xvzf - &&
          mv linux-amd64/helm /custom-tools/helm-v2
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
```
Create a JSON config that processes your yaml and store it in the `HELMWRAP_CONFIG` environment variable. The config consists of an array of actions that are executed in order.
Below is an example of how to set the variable in the argo-cd helm chart.
```yaml
repoServer:
  env:
    - name: HELMWRAP_CONFIG
      value: '[{"action":"shell-exec","command":"$HELM"}]'
```
The transform-values action calls your command for each helm values file found in the arguments. Stdout is captured and written to a named pipe.
The values file path is substituted for `{}`.
There is an optional "filter" parameter which will check if a json path exists before running your command.
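The named-pipe hand-off described above (processed values reach helm without being written to disk), as an added example that is not Helm Wrap's own code. The helper name `passViaFIFO`, the temp directory prefix and the sample values are assumptions; `os.ReadFile` stands in for helm reading the path passed to `-f`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// passViaFIFO (hypothetical helper) hands processed values to a consumer
// through a named pipe; it returns the bytes read and whether path was a FIFO.
func passViaFIFO(values []byte) ([]byte, bool, error) {
	dir, err := os.MkdirTemp("", "values-") // private directory, mode 0700
	if err != nil {
		return nil, false, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "values.yaml")
	if err := syscall.Mkfifo(path, 0o600); err != nil {
		return nil, false, err
	}
	fi, err := os.Stat(path)
	if err != nil {
		return nil, false, err
	}
	isPipe := fi.Mode()&os.ModeNamedPipe != 0
	// Producer: opening for write blocks until a reader opens the pipe.
	werr := make(chan error, 1)
	go func() {
		w, err := os.OpenFile(path, os.O_WRONLY, 0)
		if err != nil {
			werr <- err
			return
		}
		_, err = w.Write(values)
		w.Close() // closing delivers EOF to the reader
		werr <- err
	}()
	// Consumer: the data only ever exists in the kernel pipe buffer.
	got, err := os.ReadFile(path)
	if err != nil {
		return nil, isPipe, err
	}
	return got, isPipe, <-werr
}

func main() {
	got, isPipe, err := passViaFIFO([]byte("password: constructed-sample\n"))
	fmt.Println(len(got), isPipe, err)
}
```

The pipe keeps the plaintext off the filesystem, but any process that can open the path can still read it while the writer is waiting, which is why the sketch uses a private directory and mode 0600.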
The shell-exec action runs the command using `/bin/bash -euo pipefail -c`. It adds an environment variable `HELM` that contains the correct binary and arguments.
There is an optional string-match "filter" parameter on the helm sub-command (e.g. show, template, etc.). This is useful with argocd-vault-plugin, which does not support the arbitrary yaml generated by `helm show values .`. The first matched shell-exec is the only one run.
This configuration replicates the functionality of Camptocamp's helm-sops:
```json
[
  {
    "action": "transform-values",
    "filter": "$.sops.lastmodified",
    "command": "sops -d {}"
  },
  {
    "action": "shell-exec",
    "command": "$HELM"
  }
]
```
kustomized-helm without a plugin
```json
[
  {
    "action": "shell-exec",
    "filter": "template",
    "command": "$HELM > all.yaml; kustomize build $ARGOCD_APP_SOURCE_TARGET_REVISION"
  },
  {
    "action": "shell-exec",
    "command": "$HELM"
  }
]
```
argocd-vault-plugin
```json
[
  {
    "action": "shell-exec",
    "filter": "template",
    "command": "$HELM | argocd-vault-plugin generate -"
  },
  {
    "action": "shell-exec",
    "command": "$HELM"
  }
]
```