argocd-vault-plugin

ArgoCD Application with helm.passCredentials=true does not trigger vault-pattern replacement

Open CUBITECH opened this issue 1 year ago • 4 comments

Describe the bug

I have set up ArgoCD Vault Plugin as Side-Container, configured and validated configuration. When creating an ArgoCD Application where spec.source.helm.passCredentials is true, the vault pattern <..> is not being replaced. When setting the value to false, the replacement works properly.

To Reproduce

Steps to reproduce the behavior:

  1. Set up ArgoCD 2.5.6 with sidecar AVP plugin
  2. Create a Secret with vault pattern

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: vault-secret-injection-helm
type: Opaque
stringData:
  password: <path:kv-v2/data/argocd#password>
```

  3. Create Application

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sandbox
  namespace: argocd
spec:
  destination:
    namespace: sandbox
    server: https://kubernetes.default.svc
  project: xxx
  source:
    path: xxx
    repoURL: xxx
    targetRevision: HEAD
    helm:
      passCredentials: true
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

  4. See error

Expected behavior

PassCredentials Parameter should not break vault chain

Screenshots/Verbose output

No error found in repo-server container logs

If you've tried running argocd-vault-plugin generate with --verbose-sensitive-output to help debug, please include that output here after redacting any secrets.

-> No additional logs with that param

CUBITECH Jan 16 '23 11:01

Hi, I have the same issue when adding the spec.source.helm.parameters in applicationset manifest. When the helm section is added, the pattern replacement stops. Once the helm section is removed it works, but I do not have my helm parameters override. I am using argocd v2.5.4+86b2dde.

TalZiv Jan 30 '23 14:01

For me it only works in the outer app-in-app application, but not in the inner application. I only use Helm charts.

Ex. if I save the secret.yaml parallel to the application.yaml, then the secret is replaced by AVP. But if inside the helm chart a secret with placeholder is generated, AVP doesn't replace the secret.

btw: I use multiple sources for an application (https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/), so I need to use the helm.valueFiles setting.

fabhuebner Mar 18 '23 12:03

@CUBITECH Looking at your Application yaml, you are using Helm instead of a custom plugin. You have to use the plugin tool. https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/#using-a-config-management-plugin-with-an-application

werne2j Mar 28 '23 15:03

> when the helm section is added the pattern replacement stops, Once the helm section is removed it works but I do not have my helm parameters override

You can't use AVP with the built-in Helm or Kustomize. You have to follow https://argocd-vault-plugin.readthedocs.io/en/stable/usage/#with-helm

werne2j Mar 28 '23 15:03
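A check for the silent failure reported in this thread, as an added example that is not part of the issue or of the argocd-vault-plugin project: it flags a Secret whose value is still the literal placeholder, and an Application whose source selects built-in Helm or Kustomize with no plugin. The function names, the regex (inline-path placeholders only, the form shown in this issue) and the sample objects are assumptions constructed for illustration.

```python
import base64
import re

# Assumption: only the inline-path placeholder form used in this issue is matched.
PLACEHOLDER = re.compile(r"<path:[^#>\s]+#[^>]+>")

def unreplaced_placeholders(secret):
    """Map each Secret key whose value still holds a literal placeholder to that placeholder."""
    # stringData is what a manifest carries; data is what the API server returns (base64).
    texts = dict(secret.get("stringData") or {})
    for key, value in (secret.get("data") or {}).items():
        try:
            texts[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed value, cannot hold a text placeholder
    hits = {}
    for key, text in texts.items():
        match = PLACEHOLDER.search(text)
        if match:
            hits[key] = match.group(0)
    return hits

def bypasses_plugin(app):
    """True when the source selects built-in Helm or Kustomize and names no plugin."""
    source = app.get("spec", {}).get("source", {})
    return "plugin" not in source and any(k in source for k in ("helm", "kustomize"))

# Constructed samples modelled on the manifests in this issue.
LIVE_SECRET = {  # shape of `kubectl get secret -o json`: values are base64
    "kind": "Secret",
    "data": {"password": base64.b64encode(b"<path:kv-v2/data/argocd#password>").decode()},
}
HELM_APP = {"kind": "Application",
            "spec": {"source": {"path": "xxx", "helm": {"passCredentials": True}}}}
PLUGIN_APP = {"kind": "Application",
              "spec": {"source": {"path": "xxx", "plugin": {}}}}

if __name__ == "__main__":
    print(unreplaced_placeholders(LIVE_SECRET))
    print(bypasses_plugin(HELM_APP), bypasses_plugin(PLUGIN_APP))
```

Because the repo-server logs show no error in this situation, running such a check against synced Secrets is one way to notice that a placeholder string, not the Vault value, was deployed.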