argocd-vault-plugin
ArgoCD Application with helm.passCredentials=true does not trigger vault-pattern replacement
Describe the bug

I have set up ArgoCD Vault Plugin as a side-container, and configured and validated the configuration. When creating an ArgoCD Application where spec.source.helm.passCredentials is true, the vault pattern <..> is not being replaced. When the value is set to false, the replacement works properly.
To Reproduce

Steps to reproduce the behavior:
- Setup ArgoCD 2.5.6 with sidecared avp plugin
- Create a Secret with vault pattern

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: vault-secret-injection-helm
type: Opaque
stringData:
  password: <path:kv-v2/data/argocd#password>
```

- Create Application

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sandbox
  namespace: argocd
spec:
  destination:
    namespace: sandbox
    server: https://kubernetes.default.svc
  project: xxx
  source:
    path: xxx
    repoURL: xxx
    targetRevision: HEAD
    helm:
      passCredentials: true
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

- See error
Expected behavior

PassCredentials Parameter should not break vault chain

Screenshots/Verbose output

No error found in repo-server container logs

If you've tried running argocd-vault-plugin generate with --verbose-sensitive-output to help debug, please include that output here after redacting any secrets.

-> No additional logs with that param
Hi, I have the same issue when adding the spec.source.helm.parameters in an applicationset manifest. When the helm section is added, the pattern replacement stops. Once the helm section is removed it works, but I do not have my helm parameters override. I am using argocd v2.5.4+86b2dde.
For me it only works in the outer app-in-app application, but not in the inner application. I only use helm charts.

Ex. if I save the secret.yaml parallel to the application.yaml, then the secret is replaced by AVP. But if a secret with a placeholder is generated inside the helm chart, AVP doesn't replace the secret.

btw: I use multiple sources for an application (https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/), so I need to use the helm.valueFiles setting.
@CUBITECH Looking at your Application yaml, you are using Helm instead of a custom plugin. You have to use the plugin tool. https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/#using-a-config-management-plugin-with-an-application
> when the helm section is added the pattern replacement stops, Once the helm section is removed it works but I do not have my helm parameters override
You can't use AVP with the built-in Helm or Kustomize. You have to follow https://argocd-vault-plugin.readthedocs.io/en/stable/usage/#with-helm
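
The setup the last reply points to, as an added example that is not part of the thread or of the project's own files: a sidecar plugin renders the chart with `helm template` and pipes it into `argocd-vault-plugin generate`, and the Application uses `source.plugin` instead of `source.helm`. The plugin name, the `HELM_ARGS` variable and `values-sandbox.yaml` are assumptions; the `xxx` values are kept from the issue.

```yaml
# Sidecar plugin definition (assumed name; lives in the AVP sidecar's plugin.yaml).
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
  name: argocd-vault-plugin-helm
spec:
  discover:
    find:
      command: [sh, "-c", "find . -name 'Chart.yaml'"]
  generate:
    command:
      - sh
      - "-c"
      # Render the chart first, then let AVP replace <path:...#key> placeholders
      # in the rendered manifests (including Secrets produced by the chart).
      - |
        helm template "$ARGOCD_APP_NAME" -n "$ARGOCD_APP_NAMESPACE" ${ARGOCD_ENV_HELM_ARGS} . |
        argocd-vault-plugin generate -
---
# Application from the issue, with source.helm replaced by source.plugin.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sandbox
  namespace: argocd
spec:
  destination:
    namespace: sandbox
    server: https://kubernetes.default.svc
  project: xxx
  source:
    path: xxx
    repoURL: xxx
    targetRevision: HEAD
    plugin:
      # No name set: the sidecar is selected by its discover rule (assumption
      # about this setup).
      env:
        # Reaches the plugin as ARGOCD_ENV_HELM_ARGS. It is expanded unquoted
        # by the sidecar's shell, so limit who may edit this field.
        - name: HELM_ARGS
          value: "-f values-sandbox.yaml"   # hypothetical values file
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```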