Skip to content

ajaykumar4/gitops-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

108 Commits
.github
.github
 
 
.DS_Store
.DS_Store
 
 
.gitignore
.gitignore
 
 
.renovaterc.json5
.renovaterc.json5
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

GitOps Tools Docker Image

Docker Build GitHub release Docker Pulls GitHub License GitHub Stars

Table of Contents

About

A curated, multi-platform Docker image containing a suite of essential tools for modern GitOps workflows. Built on Alpine Linux for a minimal footprint and supporting linux/amd64 and linux/arm64 architectures — ideal for CI/CD pipelines and local development (including Apple Silicon).

All tool versions are pinned and kept up-to-date automatically via Renovate Bot.

Key Features

  • Multi-Platform Support: Built for linux/amd64 and linux/arm64.
  • Lightweight: Based on the minimal alpine:3.22 image.
  • Comprehensive Toolset: Includes a wide range of popular and necessary tools for Kubernetes and Helm-based GitOps.
  • Version Pinned: All tool versions are explicitly pinned and managed.
  • CI/CD Ready: Perfect for use as a runner image in GitHub Actions, GitLab CI, CircleCI, and more.
  • Pre-configured Helm: Comes with popular Helm plugins like helm-secrets, helm-diff, and helm-git pre-installed.

Included Tools

This image packages the following command-line tools. All binaries are located in the /gitops-tools directory.

Tool Version Description
age v1.2.1 A simple, modern, and secure file encryption tool.
curl v8.11.0 A static build of the command-line tool for transferring data with URL syntax.
helmfile v1.1.2 A declarative spec for deploying Helm charts.
jq v1.7.1 A lightweight and flexible command-line JSON processor.
kubectl v1.33.2 The Kubernetes command-line tool.
kustomize v5.7.0 Customization of Kubernetes YAML configurations.
kustomize-sops (ksops) v4.3.3 A kustomize plugin for decrypting SOPS-encrypted resources.
sops v3.10.2 A tool for managing secrets, which works with AWS KMS, GCP KMS, etc.
vals v0.41.2 A tool for fetching and templating values from various sources (Vault, SSM, etc.).
yq v4.45.4 A command-line YAML, JSON, and XML processor.

All binaries are installed in /gitops-tools.

Helm Plugins

Plugin Version Description
helm-diff v3.12.2 A helm plugin for previewing helm upgrade as a diff.
helm-git v1.4.0 A helm plugin for installing charts from Git repositories.
helm-secrets v4.6.5 A helm plugin for managing secrets with sops or other secret backends.

Helm is wrapped in a script that automatically uses helm-secrets for seamless decryption.

ArgoCD Integration

To use these tools with ArgoCD, you can configure the argocd-repo-server to use this image as an initContainer. The initContainer will copy the tools to a shared emptyDir volume, making them available to the main repo-server container.

This allows ArgoCD to natively handle encrypted Helm charts and other GitOps functionalities provided by the tools.

Configure ArgoCD ConfigMap:

First, update the argocd-cm ConfigMap to register the helm-secrets decryption schemes.

configs:
  cm:
    helm.valuesFileSchemes: >-
      secrets+gpg-import, secrets+gpg-import-kubernetes,
      secrets+age-import, secrets+age-import-kubernetes,
      secrets, secrets+literal,
      https

Create a Secret for Private Keys:

For age encrypted secrets, create a Kubernetes secret containing your private key. The SOPS_AGE_KEY_FILE environment variable points to this key inside the container.

# The secret name 'helm-secrets-private-keys' and the key 'key.txt' should match the values in the repoServer patch below.
kubectl create secret generic helm-secrets-private-keys --from-file=key.txt=/path/to/your/age-key.txt

Patch the argocd-repo-server Deployment:

Apply the following patch to your argocd-repo-server deployment. This sets up the initContainer, volume mounts, and environment variables required for the tools to function correctly.

repoServer:
  initContainers:
    - name: gitops-tools
      image: ajaykumar4/gitops-tools:2025.7.1
      imagePullPolicy: Always
      command: [sh, -ec]
      args:
        - |
          mkdir -p /custom-tools/
          cp -rf /gitops-tools/* /custom-tools
          chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
  env:
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_CURL_PATH
      value: /custom-tools/curl
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_VALS_PATH
      value: /custom-tools/vals
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
    - name: HELM_SECRETS_BACKEND
      value: sops
    # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
    - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
      value: "false"
    - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
      value: "true"
    - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
      value: "false"
    - name: HELM_SECRETS_WRAPPER_ENABLED
      value: "true"
    - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
      value: "true"
    - name: HELM_SECRETS_HELM_PATH
      value: /usr/local/bin/helm
    - name: SOPS_AGE_KEY_FILE # For age
      value: /helm-secrets-private-keys/key.txt
  volumes:
    - name: custom-tools
      emptyDir: {}
    - name: helm-secrets-private-keys
      secret:
        secretName: helm-secrets-private-keys
  volumeMounts:
    - mountPath: /custom-tools
      name: custom-tools
    - mountPath: /usr/local/sbin/helm
      subPath: helm
      name: custom-tools
    - mountPath: /usr/local/bin/kustomize
      name: custom-tools
      subPath: kustomize
    - mountPath: /usr/local/bin/ksops
      name: custom-tools
      subPath: ksops
    - mountPath: /helm-secrets-private-keys/
      name: helm-secrets-private-keys

Usage

ArgoCD with Helm-Secrets

Argo Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cloudflare-dns
  namespace: argo-system
  annotations:
    argocd.argoproj.io/sync-wave: '0'
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: kubernetes
  sources:
    - repoURL: "https://github.com/ajaykumar4/home-lab.git"
      path: kubernetes/apps/network/cloudflare-dns
      targetRevision: main
      ref: repo
    - repoURL: https://kubernetes-sigs.github.io/external-dns
      chart: external-dns
      targetRevision: 1.17.0
      helm:
        releaseName: cloudflare-dns
        valueFiles:
          - $repo/kubernetes/apps/network/cloudflare-dns/values.sops.yaml
  destination:
    name: in-cluster
    namespace: network
  syncPolicy:
    automated:
      allowEmpty: true
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true

ArgoCD with kustomize-sops (ksops)

secret.sops.yaml

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-dns-secret
stringData:
  api-token: sNdfyrfE-sdgdghfdghfgdjhfgzcvhnd

secret-generator.yaml

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: cloudflare-dns-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
files:
  - ./secret.sops.yaml

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
  - ./secret-generator.yaml

Contributing

Contributions and suggestions are welcome! To update tool versions, submit a pull request or wait for Renovate Bot to open one automatically.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 3

2025.7.1 Latest
Jul 1, 2025
+ 2 releases

Packages

 
 
 

Contributors 2

  •  
  •  

Languages