docs: use pipefail option in shell commands to prevent accidental deletions

jacksgt · jacksgt · commit ea14a6663558 · 2024-01-12T14:51:42.000+01:00
Signed-off-by: Jack Henschel &lt;jack.henschel@cern.ch&gt;
diff --git a/docs/usage.md b/docs/usage.md
@@ -34,9 +34,12 @@ spec:
   project: default
 ```
 
-3. Or you can pass the config-management-plugin flag to the Argo CD CLI app create command:  
+3. Or you can pass the config-management-plugin flag to the Argo CD CLI app create command:
 `argocd app create you-app-name --config-management-plugin argocd-vault-plugin`
 
+!!! warning
+    It is extremely important that `command` used in the plugin definition produces a non-zero exit code if *any* errors occurs. Otherwise, Argo CD will treat partial or empty output as valid and start deleting or modifying resources. Thus it is **strongly recommended** to use the `pipefail`, `errexit` and `nounset` shell options, see also [Writing Safe Shell Scripts](https://sipb.mit.edu/doc/safe-shell/).
+
 #### With Helm
 If you want to use Helm along with argocd-vault-plugin, use the instructions matching your [plugin installation method](../installation).
 
@@ -49,7 +52,7 @@ configManagementPlugins: |
       command: [sh, -c]
       args: ["helm dependency build"]
     generate:
-      command: ["sh", "-c"]
+      command: ["sh", "-o", "pipefail", "-c"]
       args: ["helm template $ARGOCD_APP_NAME . --include-crds | argocd-vault-plugin generate -"]
 ```
 For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [add a sidecar to run it](../installation#initcontainer-and-configuration-via-sidecar):
@@ -71,6 +74,8 @@ For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [ad
       generate:
         command:
           - sh
+          - "-o"
+          - "pipefail" # exit with non-zero code if any command in pipeline fails
           - "-c"
           - |
             helm template $ARGOCD_APP_NAME --include-crds . |
@@ -82,8 +87,8 @@ For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [ad
 
 Use this option if you want to use Helm along with argocd-vault-plugin and use additional helm args.
 
-**IMPORTANT**: passing `${ARGOCD_ENV_HELM_ARGS}` effectively allows users to run arbitrary code in the Argo CD 
-repo-server (or, if using a sidecar, in the plugin sidecar). Only use this when the users are completely trusted. If  
+**IMPORTANT**: passing `${ARGOCD_ENV_HELM_ARGS}` effectively allows users to run arbitrary code in the Argo CD
+repo-server (or, if using a sidecar, in the plugin sidecar). Only use this when the users are completely trusted. If
 possible, determine which Helm arguments are needed by your users and explicitly pass only those arguments.
 
 For `argocd-cm` ConfigMap configured plugins, add this to `argod-cm` ConfigMap:
@@ -94,7 +99,7 @@ configManagementPlugins: |
       command: [sh, -c]
       args: ["helm dependency build"]
     generate:
-      command: ["sh", "-c"]
+      command: ["sh", "-o", "pipefail", "-c"]
       args: ["helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . --include-crds | argocd-vault-plugin generate -"]
 ```
 For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [add a sidecar to run it](../installation#initcontainer-and-configuration-via-sidecar):
@@ -115,7 +120,9 @@ For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [ad
             - "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
       generate:
         command:
-          - sh
+          - "sh"
+          - "-o"
+          - "pipefail" # exit with non-zero code if any command in pipeline fails
           - "-c"
           - |
             helm template $ARGOCD_APP_NAME --include-crds -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |
@@ -134,7 +141,7 @@ Helm args must be defined in the application manifest:
           value: -f values-dev.yaml -f values-dev-tag.yaml
 ```
 
-**Note: Bypassing the parameters like this can be dangerous in a multi-tenant environment as it could allow for malicious injection of arbitrary commands. So be cautious when doing something like in a production environment. Ensuring proper permissions and protections is very important when doing something like this.** 
+**Note: Bypassing the parameters like this can be dangerous in a multi-tenant environment as it could allow for malicious injection of arbitrary commands. So be cautious when doing something like in a production environment. Ensuring proper permissions and protections is very important when doing something like this.**
 
 ##### With an inline values file
 Alternatively, if you'd like to use values inline in your application manifest (similar to the ArgoCD CLI's `--values-literal-file` option), you can create a plugin like this (note the use of `bash` instead of `sh` here):
@@ -144,7 +151,7 @@ For `argocd-cm` ConfigMap configured plugins, add this to `argod-cm` ConfigMap:
 configManagementPlugins: |
   - name: argocd-vault-plugin-helm
     generate:
-      command: ["bash", "-c"]
+      command: ["bash", "-o", "pipefail", "-c"]
       args: ['helm template "$ARGOCD_APP_NAME" -f <(echo "$ARGOCD_ENV_HELM_VALUES") . | argocd-vault-plugin generate -']
 ```
 For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [add a sidecar to run it](../installation#initcontainer-and-configuration-via-sidecar):
@@ -165,7 +172,9 @@ For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [ad
             - "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
       generate:
         command:
-          - bash
+          - "sh"
+          - "-o"
+          - "pipefail"
           - "-c"
           - |
             helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE -f <(echo "$ARGOCD_ENV_HELM_VALUES") . |
@@ -205,7 +214,7 @@ For `argocd-cm` ConfigMap configured plugins, add this to `argod-cm` ConfigMap:
 configManagementPlugins: |
   - name: argocd-vault-plugin-kustomize
     generate:
-      command: ["sh", "-c"]
+      command: ["sh" , "-o", "pipefail", "-c"]
       args: ["kustomize build . | argocd-vault-plugin generate -"]
 ```
 For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [add a sidecar to run it](../installation#initcontainer-and-configuration-via-sidecar):
@@ -227,7 +236,9 @@ For sidecar configured plugins, add this to `cmp-plugin` ConfigMap, and then [ad
             - kustomization.yaml
       generate:
         command:
-          - sh
+          - "sh"
+          - "-o"
+          - "pipefail"
           - "-c"
           - "kustomize build . | argocd-vault-plugin generate -"
       lockRepo: false
@@ -276,7 +287,7 @@ The plugin will work with both YAML and JSON output from jsonnet.
 #### Refreshing values from Secrets Managers
 If you want to load in a new value from your Secret Manager without making any new code changes you must use the Hard-Refresh concept in Argo CD. This can be done in two ways. You can either use the UI and select the `Hard Refresh` button which is located within the `Refresh Button`.
 
-<img src="https://github.com/argoproj-labs/argocd-vault-plugin/raw/main/assets/hard-refresh.png" width="300">  
+<img src="https://github.com/argoproj-labs/argocd-vault-plugin/raw/main/assets/hard-refresh.png" width="300">
 
 You can also use the `argocd app diff` command passing the `--hard-refresh` flag. This will run argocd-vault-plugin again and pull in the new values from your Secret Manager and then you can either have Auto Sync setup or Sync manually to apply the new values.
 
