argocd-vault-plugin
How to use Argo Vault Plugin as Sidecar with ArgoCD Helm Chart - Documentation Request
Hey everyone,
first of all: Thanks a lot for this awesome plugin. It helps a lot!
Because argocd-cm plugins are deprecated, and support will be removed in v2.7, I looked into the sidecar installation of argo-vault-plugin. After some hours where I tried to wrap my head around the documentation I am a bit lost. I am looking for the best way to integrate it into the repoServer configuration of the official ArgoCD Helm Chart. The official Argo CMP documentation is also not super clear to me on how everything works together.
However, the documentation just tells you that I should replace the repo server deployment with the one in the documentation. I don't think that this is the best way to do this when one is deploying ArgoCD with Helm, right? Is anyone around who already has a working configuration and can just share the repoServer: part of your values.yaml definition?
I will be the first to contribute a working Helm config to the vault plugin docu, once I get it working. :)
Best regards Lars
Maybe the latest Chart release (5.26.0) will answer your question? They just added CMP with sidecar to the helm chart.
Simple example is definitely needed.
So I had some time to look into that. To me it seems that the AVP docs are only describing the soon to be deprecated ConfigMap plugin way to install a plugin and not the sidecar plugin. This issue is related to: #464
In another issue someone already switched to the sidecar plugin but has some different problems: #460 However, I will see how far I can reuse his setup.
The usage page describes the old configMap and the sidecar implementation. Be careful with the variable names: on that page there is a mix of upper and lower case var names used (ARGOCD_ENV_HELM_ARGS in plugin configuration vs helm_args in Argo App definition). Use either upper or lower but do not mix them. Also, do not add name: argocd-vault-plugin-helm to your app; this will print a deprecated warning in the WebUI.
Yes, you can find some sidecar docs here https://argocd-vault-plugin.readthedocs.io/en/stable/installation/#initcontainer-and-configuration-via-sidecar but since AVP is just the binary, following the official guide is recommended: https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/#sidecar-plugin. And you can then swap out the init, generate and discover to follow our docs: https://argocd-vault-plugin.readthedocs.io/en/stable/usage/#with-helm
I'm also confused about the documentation. In my case, I want to export secrets from GCP using AVP, and my Argo service is deployed in a K8s cluster using the official Helm chart. However, I have doubts about how Argo will access the secrets inside my GCP organization, and how to install the plugin with Helm.
@perebaj the docs for GCP are here https://argocd-vault-plugin.readthedocs.io/en/stable/backends/#gcp-secret-manager and here are the values for cmp in the helm chart https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml#L349 hope that helps
I wrote a tutorial for Helm AVP installations covering both the sidecar and non-sidecar installation. Please correct me if I got something wrong in the explanation, thank you very much.
https://www.cloudadmins.org/argo-vault-plugin-avp/
However, what finally worked 100% well, without any issue and in an easy way for me, was the installation via argocd-cm ConfigMap using Helm.
Hope that I could give a small contribution to the community.
@alexvaque I think your tutorial is great. There is no place to comment on the tutorial itself - so I'll abuse this thread to add my comment :) While I agree that using "argocd-cm" is the "easiest installation method out of the two", it is important to mention that this option is planned to be removed - "drop support for argocd-cm Config Management Plugins in favor of sidecars" https://github.com/argoproj/argo-cd/issues/8117 (so even though you put hard work into this option, it may be worth to simplify your tutorial and focus only on the sidecar option...) According to the official "Installing a config management plugin" docs - "ConfigMap plugin (this method is deprecated and will be removed in a future version)"
Yes, thanks for your comment, it is very useful and I agree with it. Because of timing and some blockers that I found installing the sidecar, we are using argocd-cm, but we plan to replace it with the sidecar option in a while. I was thinking of moving my tutorial to another place for the comments. EDITED: done -> https://medium.com/@alexvaque/argo-vault-plugin-avp-installation-via-helm-7de7fe5e95a4
I am facing a problem while installing with the sidecar: when I choose the avp plugin in argocd and create the external-dns application, it throws this error:
"error": "application spec for external-dns is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: sh -c \"helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |\\nargocd-vault-plugin generate -\\n\"
failed exit status 127: /usr/local/bin/argocd-vault-plugin: 1: Not: not found"
I saw this error when I tried to run argocd-vault-plugin generate manually in the avp-helm container... I think I fixed it by editing the cmp-plugin configMap, where the data."avp-helm.yaml" key was a one-liner string with newline characters in it. If it's also your case, then delete all the comments from the configMap definition and fix it.
Anyways, I agree it's not very well documented. In my case it looks like the plugin (I use sidecar variant) is never called by argocd-repo-server. Don't know why yet.
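A values.yaml fragment for the sidecar setup this thread asks about, as an added example that is not taken from any participant's post or from the AVP or chart documentation. It assumes chart 5.26.0 or later with the `configs.cmp`, `repoServer.volumes`, `repoServer.initContainers` and `repoServer.extraContainers` keys, a chart-rendered ConfigMap named `argocd-cmp-cm`, and chart-provided `var-files` and `plugins` volumes; every `<...>` value is a placeholder.

```yaml
# Added example, not from the thread or the project docs. <...> values are placeholders.
configs:
  cmp:
    create: true                 # assumption: chart renders ConfigMap argocd-cmp-cm
    plugins:
      avp-helm:                  # rendered as key avp-helm.yaml in that ConfigMap
        discover:
          find:
            command: [sh, -c, "find . -name Chart.yaml"]
        generate:
          command:
            - sh
            - -c
            - |
              helm template "$ARGOCD_APP_NAME" -n "$ARGOCD_APP_NAMESPACE" ${ARGOCD_ENV_HELM_ARGS} . |
              argocd-vault-plugin generate -
repoServer:
  volumes:
    - {name: cmp-plugin, configMap: {name: argocd-cmp-cm}}
    - {name: custom-tools, emptyDir: {}}
    - {name: cmp-tmp, emptyDir: {}}   # sidecar gets its own /tmp, not the repo-server's
  initContainers:
    - name: download-avp
      image: registry.access.redhat.com/ubi8
      env:
        - {name: AVP_VERSION, value: "<AVP_VERSION>"}
        - {name: AVP_SHA256, value: "<sha256 published with that release>"}
      command: [sh, -ec]
      args:
        - |
          # -f: fail on an HTTP error instead of saving the error page as the binary
          curl -fsSL -o /custom-tools/argocd-vault-plugin \
            "https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v${AVP_VERSION}/argocd-vault-plugin_${AVP_VERSION}_linux_amd64"
          # refuse to install anything that does not match the pinned digest
          echo "${AVP_SHA256}  /custom-tools/argocd-vault-plugin" | sha256sum -c -
          chmod +x /custom-tools/argocd-vault-plugin
      volumeMounts:
        - {mountPath: /custom-tools, name: custom-tools}
  extraContainers:
    - name: avp-helm
      command: [/var/run/argocd/argocd-cmp-server]
      image: quay.io/argoproj/argocd:<ARGOCD_VERSION>
      securityContext: {runAsNonRoot: true, runAsUser: 999}
      volumeMounts:
        - {mountPath: /var/run/argocd, name: var-files}      # var-files, plugins: chart-provided
        - {mountPath: /home/argocd/cmp-server/plugins, name: plugins}
        - {mountPath: /tmp, name: cmp-tmp}
        - {mountPath: /home/argocd/cmp-server/config/plugin.yaml, subPath: avp-helm.yaml, name: cmp-plugin}
        - {mountPath: /usr/local/bin/argocd-vault-plugin, subPath: argocd-vault-plugin, name: custom-tools}
```

With `curl -f` and the checksum check, the init container fails if the download is not the expected binary, instead of leaving a text file at /usr/local/bin/argocd-vault-plugin for the shell to try to run. The sidecar still needs the backend settings (for example `AVP_TYPE`) supplied as environment variables, ideally from a Secret.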