@heytrav
Created March 31, 2025 21:31

Set up SOPS in ArgoCD
argo-cd Helm chart values (the file referenced as ./argocd/values.yaml in the Kustomization below):

```yaml
configs:
  cm:
    helm.valuesFileSchemes: >-
      secrets+gpg-import, secrets+gpg-import-kubernetes,
      secrets+age-import, secrets+age-import-kubernetes,
      secrets,secrets+literal,
      https
repoServer:
  metrics:
    enabled: true
    service:
      type: NodePort
  env:
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_CURL_PATH
      value: /custom-tools/curl
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_VALS_PATH
      value: /custom-tools/vals
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
    - name: HELM_SECRETS_BACKEND
      value: sops
    # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
    - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
      value: "false"
    - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
      value: "true"
    - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
      value: "false"
    - name: HELM_SECRETS_WRAPPER_ENABLED
      value: "true"
    - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
      value: "true"
    - name: HELM_SECRETS_HELM_PATH
      value: /usr/local/bin/helm
    - name: SOPS_AGE_KEY_FILE
      value: /helm-secrets-private-keys/key.txt
  initContainers:
    - name: download-tools
      image: alpine:latest
      imagePullPolicy: IfNotPresent
      command: [sh, -ec]
      env:
        - name: HELM_SECRETS_VERSION
          value: "4.6.0"
        - name: KUBECTL_VERSION
          value: "1.26.1"
        - name: VALS_VERSION
          value: "0.24.0"
        - name: SOPS_VERSION
          value: "3.8.1"
      args:
        - |
          mkdir -p /custom-tools/helm-plugins
          wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
          wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64
          wget -qO /custom-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64
          wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
          wget -qO- https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
          cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm
          chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
  # -- Additional volumeMounts to the repo server main container
  volumeMounts:
    - mountPath: /custom-tools
      name: custom-tools
    - mountPath: /usr/local/sbin/helm
      subPath: helm
      name: custom-tools
    - mountPath: /helm-secrets-private-keys/
      name: helm-secrets-private-keys
  # -- Additional volumes to the repo server pod
  volumes:
    - name: custom-tools
      emptyDir: {}
    # kubectl create secret generic helm-secrets-private-keys --from-file=key.asc=assets/gpg/private2.gpg
    # kubectl -n argocd create secret generic helm-secrets-private-keys --from-file=key.txt=assets/age/key.txt
    - name: helm-secrets-private-keys
      secret:
        secretName: helm-secrets-private-keys
```
Kustomization that installs the chart with the values above:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: argocd
resources:
  - ./namespace.yaml
helmCharts:
  - name: argo-cd
    repo: https://argoproj.github.io/argo-helm
    releaseName: argocd
    namespace: argocd
    valuesFile: ./argocd/values.yaml
    version: 7.1.3
```
The namespace resource (./namespace.yaml):

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: argocd
```
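An Argo CD Application that consumes the setup above, added here as an example and not part of the gist. It assumes a hypothetical chart path and repository URL (placeholders) and a SOPS-encrypted secrets.yaml committed next to the chart; the absolute key path works only because HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH is "true" in the values, while symlinks and path traversal stay disabled.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: example-app            # placeholder name
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.example.invalid/org/example-repo.git   # placeholder
    targetRevision: main
    path: charts/example-app   # placeholder path to the chart in the repo
    helm:
      valueFiles:
        - values.yaml
        # Decrypted by the helm-secrets wrapper in the repo server using the
        # age key mounted from the helm-secrets-private-keys Secret.
        - secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml
        # Because SOPS_AGE_KEY_FILE is also set in the repo server env, the
        # shorter form "secrets://secrets.yaml" resolves the same key.
  destination:
    server: https://kubernetes.default.svc
    namespace: example-app
```

The decrypted values exist only in the repo server's temporary directory (HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR) and are never written back to the repository.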