github viaduct-ai/kustomize-sops v4.5.0

latest release: v4.5.1
3 days ago

Upgrade Guide: ArgoCD Init Container

What changed

Starting in v4.4.0, the ksops Docker image uses a distroless base image, which does not include /bin/sh, mv, or other shell utilities. This broke the documented ArgoCD init container pattern that relied on shell commands to copy binaries into a shared volume.

This release adds a built-in ksops install subcommand that copies the ksops and kustomize binaries to a target directory — no shell required.

How to upgrade

Replace the command and args in your init container. The volume mounts stay the same.

Before:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:v4.4.0
  command: ["/bin/sh", "-c"]
  args:
  - echo "Installing KSOPS...";
    mv ksops /custom-tools/;
    mv kustomize /custom-tools/;
    echo "Done.";
  volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

After:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:vX.Y.Z
  command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
  volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

That's it. No other changes to your volumes, volume mounts, or container definitions are needed.
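A pre-upgrade check for the change above, as an added example that is not part of the ksops project: it reads a Deployment in the JSON form returned by kubectl get -o json and flags ksops init containers that still call a shell on a distroless image, or that call ksops install on an image older than this release. The function names, verdict strings and the sample Deployment are constructed for this example; the image name, paths and version boundaries come from the guide.

```python
import re

KSOPS_REPO = "viaductoss/ksops"   # image name used in the upgrade guide
DISTROLESS_SINCE = (4, 4, 0)      # no /bin/sh in the image from this version
INSTALL_SINCE = (4, 5, 0)         # release that adds `ksops install`
SHELLS = {"sh", "bash", "ash", "dash"}

def split_image(image):
    """Return (repo, (major, minor, patch) or None) for an image reference."""
    name = image.split("@", 1)[0]                 # drop any @sha256 digest
    head, _, last = name.rpartition("/")
    base, _, tag = last.partition(":")
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return (f"{head}/{base}" if head else base), (tuple(map(int, m.groups())) if m else None)

def check_init_container(c):
    """Classify one init container (dict in Kubernetes JSON form)."""
    repo, version = split_image(c.get("image", ""))
    if repo != KSOPS_REPO and not repo.endswith("/" + KSOPS_REPO):
        return "skip: not a ksops image"
    cmd = c.get("command") or []
    mounts = {m["mountPath"].rstrip("/") for m in c.get("volumeMounts") or []}
    if cmd and cmd[0].rsplit("/", 1)[-1] in SHELLS:
        if version is None:
            return "review: shell command, image tag is not a version"
        if version >= DISTROLESS_SINCE:
            return "broken: shell command, but the image has no shell"
        return "warn: works now, breaks once the image is v4.4.0 or later"
    if len(cmd) >= 3 and cmd[0].rsplit("/", 1)[-1] == "ksops" and cmd[1] == "install":
        if version is not None and version < INSTALL_SINCE:
            return "broken: image predates the install subcommand"
        if cmd[2].rstrip("/") not in mounts:
            return "warn: install target is not a volume mount"
        return "ok"
    return "review: unrecognized command"

def scan(workload):
    """Map init container name to verdict for a Deployment from `kubectl get -o json`."""
    pod = workload["spec"]["template"]["spec"]
    return {c["name"]: check_init_container(c) for c in pod.get("initContainers", [])}

# Constructed sample: the guide's "Before" and "After" containers side by side.
MOUNT = [{"mountPath": "/custom-tools", "name": "custom-tools"}]
SAMPLE = {"spec": {"template": {"spec": {"initContainers": [
    {"name": "before", "image": "viaductoss/ksops:v4.4.0", "command": ["/bin/sh", "-c"], "volumeMounts": MOUNT},
    {"name": "after", "image": "viaductoss/ksops:v4.5.0",
     "command": ["/usr/local/bin/ksops", "install", "/custom-tools"], "volumeMounts": MOUNT},
]}}}}
print(scan(SAMPLE))
```

Images pinned only by digest or by a non-version tag such as latest come back as "review", because the version cannot be read from the reference.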

Affected configurations

This applies to all three documented ArgoCD integration methods:

  • Strategic merge patch (argo-cd-repo-server-ksops-patch.yaml)
  • ArgoCD CRD (OKD4/OCP4 kind: ArgoCD spec)
  • Argo CD Helm chart (repoServer.initContainers values)

Workarounds no longer needed

If you were using any of these workarounds, you can remove them:

  • Using alpine as the init container image to curl and extract the release tarball
  • Building a custom container image that bundles ksops into the ArgoCD repo server
  • Pinning to a version before v4.4.0

Changelog

  • 92bc163 chore(deps): bump actions/checkout from 5 to 6 (#307)
  • 42d7795 chore(deps): bump actions/setup-go from 5 to 6 (#302)
  • cfb835c chore(deps): bump docker/login-action from 3 to 4 (#315)
  • a25bfcd chore(deps): bump docker/setup-buildx-action from 3 to 4 (#316)
  • 2aee20e chore(deps): bump docker/setup-qemu-action from 3 to 4 (#317)
  • 061495f chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#309)
  • 845389a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#325)
  • d70b62e chore(deps): bump github.com/getsops/sops/v3 from 3.11.0 to 3.12.2 (#319)
  • 98fe884 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.1 to 4.1.4 (#323)
  • 80616de chore(deps): bump github/codeql-action from 3 to 4 (#305)
  • eb80fe6 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.43.0 (#326)
  • dd0987e chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.45.0 (#306)
  • 31dfb4e chore(deps): bump google.golang.org/grpc from 1.75.1 to 1.79.3 (#318)
  • d4c8c13 chore(deps): bump goreleaser/goreleaser-action from 6 to 7 (#312)
  • dfeab3f chore: v4.5.0 (#329)
  • 8f3b8d1 feat: add ksops install subcommand for distroless compatibility (#327)
  • 50ad78f feat: concurrent secret decryption (#328)
  • 4345f5f fix: pin to 1.25.0
  • 8624cb3 update(sops): 3.10.2 -> 3.11.0 (#304)
