argocd-vault-plugin
Bash evaluation
Describe the bug
Hi! I'm trying to use the vault plugin to fetch secrets from AWS secretstore. The plugin is installed as a sidecar. Right now my generate config section looks like this:
generate:
  command:
    - bash
    - "-c"
    - helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE -f <(echo '$ARGOCD_ENV_helm_values') . | argocd-vault-plugin generate -
and the application source section like this:
source:
  plugin:
    env:
      - name: helm_values
        value: |
          namespace: {{ $top.Values.appNamespace }}
          MORE_VALUES_HERE
And for simple cases it works like a charm, but when I try to add some ingress annotations to the values which contain a $ symbol, e.g.
nginx.ingress.kubernetes.io/rewrite-target: '/$1'
evaluation happens, and the plugin tries to parse $1 as a bash variable, so in the end I get an empty result instead of this value
nginx.ingress.kubernetes.io/rewrite-target: '/'
I tried to use escapes (\), but then helm can't generate values
I tried single and double quotes everywhere I can (generate command / values), no luck
Also, I couldn't find anything about that in the documentation
I understand this is because we are evaluating the whole values in bash, but maybe there is some way to avoid that behaviour? I bet I'm not the only one who is trying to add ingress redirect annotations to values :)
To Reproduce
Steps to reproduce the behavior:
- Add some values with a $ symbol
- Try to use the plugin to generate a release with such values
- Check generated resources
Expected behavior
$ symbol is not considered as start of bash variable
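An added example, not part of the original report or of the plugin's code: three ways a shell command can reference a values string that contains '/$1', and what each one emits. HELM_VALUES is a hypothetical stand-in for ARGOCD_ENV_helm_values; the sketch uses plain sh only and does not reproduce how Argo CD or helm handle the value.

```shell
#!/bin/sh
# Constructed sample: the annotation from the report, held in an exported
# variable. HELM_VALUES is a hypothetical stand-in for ARGOCD_ENV_helm_values.
HELM_VALUES="nginx.ingress.kubernetes.io/rewrite-target: '/\$1'"
export HELM_VALUES

# Single-quoted reference: the child shell performs no expansion at all,
# so it prints the variable's name rather than its contents.
single_quoted() {
  sh -c "printf '%s\n' '\$HELM_VALUES'"
}

# Double-quoted reference: the child shell expands the variable once and
# does not re-scan the result, so the $1 inside the value survives.
double_quoted() {
  sh -c 'printf "%s\n" "$HELM_VALUES"'
}

# Value spliced into the script text before the child shell parses it:
# the $1 is now part of the command itself and expands to the (empty)
# first positional parameter.
spliced() {
  sh -c "printf '%s\n' \"$HELM_VALUES\""
}

for f in single_quoted double_quoted spliced; do
  printf '%-14s %s\n' "$f:" "$($f)"
done
```

Only the spliced form yields the '/' result quoted in the report; this thread does not establish whether that is what happens inside the plugin sidecar.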
Does helm template output the proper values?
If you were to try to run AVP on plain yamls with the $ do you see the same?
Helm template has proper values in its output
Local generation on macOS works well, but with Debian there is no output
root@22ea72d18b3e:/app# set -e
+ set -e
root@22ea72d18b3e:/app# set -x
+ set -x
root@22ea72d18b3e:/app# helm template test -n test -f values.yaml . | argocd-vault-plugin generate -
+ argocd-vault-plugin generate -
+ helm template test -n test -f values.yaml .
root@22ea72d18b3e:/app# echo $?
+ echo 0
0
Hi @Wilderone, sorry, my comment is not an answer to your issue, but I need your help with something.
Can you paste your full AVP plugin configmap? I have the same structure as your application source, but I can't get the helm_values to work correctly at all, even for simple values.
@samar-elsayed Hi, sure, but almost the full configmap is above. I'm using the latest helm chart to install argocd, and there is a section for cmp. Overall, in the end I've got the following configmap:
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
  name: vault-plugin-helm-inline
spec:
  allowConcurrency: true
  discover:
    find:
      command:
        - sh
        - -c
        - find . -name 'Chart.yaml' && find . -name '*values.yaml'
  generate:
    command:
      - sh
      - -c
      - helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE -f <(echo '$ARGOCD_ENV_helm_values') . | argocd-vault-plugin generate -
  lockRepo: false
Don't forget to add plugin.env in your kind: Application, and ensure there is access from argo to your secret backend (I'm using AWS SecretManager with IRSA)