
Add plaintext-mode where file doesn't have to be kubernetes manifest

Open jpruciak opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.

I'm looking for some way to template files with placeholders which would be replaced with secret values from HashiCorp Vault. This tool seems to be the closest to my needs, but it crashes when loading a plaintext file that is not a Kubernetes manifest.

```
bash-4.4$ cat test.yaml
test: yaml
testplaceholder: <path:secret/data/test#TEST>
bash-4.4$ argocd-vault-plugin generate test.yaml
Error: could not read YAML/JSON files:
could not read file: test.yaml from disk: error unmarshaling JSON: while decoding JSON: Object 'Kind' is missing in '{"test":"yaml","testplaceholder":"\u003cpath:secret/data/test#TEST\u003e"}'
Usage:
```

Describe the solution you'd like

E.g. get an additional argument to the generate subcommand which makes it just replace placeholders without parsing the file as a k8s manifest.

This would allow a lot of other usages of this tool, like creating a Helm downloader plugin for preprocessing values.yaml files.

Describe alternatives you've considered

Other tools, but those lack avp features.

jpruciak avatar May 10 '23 10:05 jpruciak
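A sketch of the behaviour requested above, added here as an example; it is not argocd-vault-plugin code. It replaces `<path:...#KEY>` placeholders in arbitrary text without parsing a manifest and fails closed on unresolved references. `render_plaintext`, `fake_lookup` and `FAKE_VAULT` are hypothetical names, and the secret store is a constructed dict standing in for a Vault read.

```python
import re
from typing import Callable

# Placeholder form taken from the issue: <path:secret/data/test#TEST>
PLACEHOLDER = re.compile(r"<path:(?P<path>[^#<>\s]+)#(?P<key>[^#<>\s|]+)>")


class UnresolvedPlaceholder(Exception):
    """Raised instead of emitting a file that still contains a placeholder."""


def render_plaintext(text: str, lookup: Callable[[str, str], str]) -> str:
    """Replace every <path:PATH#KEY> in arbitrary text; no manifest parsing."""
    missing = []

    def substitute(match: re.Match) -> str:
        path, key = match["path"], match["key"]
        try:
            return lookup(path, key)
        except KeyError:
            # Remember the reference and keep going so all gaps are reported.
            missing.append(f"{path}#{key}")
            return match.group(0)

    rendered = PLACEHOLDER.sub(substitute, text)
    if missing:
        # Fail closed, and name only the references, never secret values.
        raise UnresolvedPlaceholder(", ".join(missing))
    return rendered


# Constructed stand-in for a Vault KV read (assumption: a real lookup
# would query Vault and raise KeyError for a missing path or key).
FAKE_VAULT = {"secret/data/test": {"TEST": "s3cr3t-value"}}


def fake_lookup(path: str, key: str) -> str:
    return FAKE_VAULT[path][key]


# Constructed input: the issue's test.yaml, which has no 'kind' field.
SAMPLE = "test: yaml\ntestplaceholder: <path:secret/data/test#TEST>\n"

if __name__ == "__main__":
    print(render_plaintext(SAMPLE, fake_lookup), end="")
```

Because the substitution is purely textual, a secret value containing a newline or YAML metacharacters changes the structure of the rendered file, so quoting remains the template author's job.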

@jpruciak we will take this into consideration. We may not be able to get to it as soon as possible, but we would be open to a PR if you want to give it a shot.

werne2j avatar May 14 '23 16:05 werne2j

Hello, I'm also running into this "limitation". For now my workaround is adding kind: dummy to the YAML document, feeding it through argocd-vault-plugin and then removing the kind: dummy again.

```
cat document.yaml | yq '. += {"kind":"dummy"}' | argocd-vault-plugin generate - | yq 'del(.kind)' --yaml-output
```

Though I'd love to see something more "official".

jacksgt avatar Jun 05 '23 16:06 jacksgt

This is a VERY NICE workaround! Thank you for the idea.

jpruciak avatar Jun 05 '23 20:06 jpruciak

Thank you for the workaround. However, this should urgently be implemented as a feature so that secret resolution can be done before Helm templating. The current necessity of this and its consistent recommendation throughout the documentation is very problematic, as it leads to issues when using Helm functions for string manipulation or cryptographic operations. One example is #571. Another example, where it leads to issues with restrictive Helm schemas, can be found here: #332. Another one is this issue, although its description leaves some room for improvement: #600.

Yocker95k avatar May 06 '24 14:05 Yocker95k