argo-cd-helmfile
Not able to use secretref+k8s to fetch secrets from Kubernetes Secret object
Environment:
- ArgoCD: 2.10.2
- argo-cd-helmfile: v0.3.10
Private Repository in Helmfile.yaml
```yaml
repositories:
  - name: C3SP-Helm-Charts
    url: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_URL" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-url") }}
    username: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_USER" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-user") }}
    password: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_PWD" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-pwd") }}
```
ArgoCD Setup
```yaml
# Source: argo-cd/templates/argocd-repo-server/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-cd-argocd-repo-server
  namespace: "argo"
  labels:
    helm.sh/chart: argo-cd-6.7.1
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v2.10.2"
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Source: argo-cd/templates/argocd-repo-server/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-cd-argocd-repo-server
  namespace: "argo"
  labels:
    helm.sh/chart: argo-cd-6.7.1
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v2.10.2"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-cd-argocd-repo-server
subjects:
  - kind: ServiceAccount
    name: argo-cd-argocd-repo-server
    namespace: argo
```
Confirmed that `argo-cd-argocd-repo-server` is able to access `argo-server-sso` from Kubernetes Secret
```
argocd@argo-cd-argocd-repo-server-6644b58d8f-rqf69:~$ kubectl get Secret argo-server-sso
NAME              TYPE     DATA   AGE
argo-server-sso   Opaque   5      103d
```
Issue
When I try to create an ArgoCD app with the provided helmfile repository, it throws the following error.
```
Unable to create application: application spec for delete is invalid: InvalidSpecError:
Unable to generate manifests in sample-app: rpc error: code = Unknown desc = plugin sidecar failed.
error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `argo-cd-helmfile.sh init` failed exit status 1: helm version v3.14.2+gc309b6f helmfile version 0.162.0
starting init vals-k8s: Unable to get a valid kubeConfig path: No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist.
vals-k8s: Unable to get a valid kubeConfig path: No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist. in ./helmfile.yaml:
error during helmfile.yaml.part.0 parsing: template: stringTemplate:3:10: executing "stringTemplate" at <fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_URL" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-url")>: error calling fetchSecretValue: expand k8s://v1/Secret/argo/argo-server-sso/helm-repo-url:
No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist.
```
Reference: Vals Kubernetes
That’s a good use case. I am not sure why it wouldn’t try and build a kubeconfig from the service account files but it likely would be pretty easy to get around that.
If you exec directly to the container and issue a kubectl command to fetch the secret does that work?
I was able to exec into the container `argo-cd-argocd-repo-server` and was able to issue a kubectl command to fetch the secret with all respective values.
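The workaround hinted at in the reply above (building a kubeconfig from the service account files), as an added example that is not part of the thread or of argo-cd-helmfile. The function name, the `SA_DIR` override, and the idea of exporting `KUBECONFIG` before helmfile runs are assumptions, as is vals loading the file through the standard kubeconfig loader that honours `tokenFile` and `certificate-authority`.

```shell
#!/bin/sh
# Added example: build a kubeconfig from the pod's mounted service account.
# SA_DIR defaults to the standard mount path; the override is for testing.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# write_incluster_kubeconfig <output-path>
# References the token and CA by path, so the credential is never copied
# into the generated file and token rotation keeps working.
write_incluster_kubeconfig() {
    out="${1:-}"
    [ -n "$out" ] || { echo "usage: write_incluster_kubeconfig <path>" >&2; return 2; }
    for f in token ca.crt namespace; do
        [ -r "$SA_DIR/$f" ] || { echo "missing $SA_DIR/$f" >&2; return 1; }
    done
    [ -n "${KUBERNETES_SERVICE_HOST:-}" ] && [ -n "${KUBERNETES_SERVICE_PORT:-}" ] || {
        echo "KUBERNETES_SERVICE_HOST/PORT not set (not running in a pod?)" >&2
        return 1
    }
    host="$KUBERNETES_SERVICE_HOST"
    case "$host" in *:*) host="[$host]" ;; esac   # bracket IPv6 literals
    ns="$(cat "$SA_DIR/namespace")"
    mkdir -p "$(dirname "$out")" || return 1
    # umask in a subshell: new file is private, caller's umask is untouched.
    (
        umask 077
        cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    server: https://${host}:${KUBERNETES_SERVICE_PORT}
    certificate-authority: ${SA_DIR}/ca.crt
users:
- name: sa
  user:
    tokenFile: ${SA_DIR}/token
contexts:
- name: in-cluster
  context:
    cluster: in-cluster
    user: sa
    namespace: ${ns}
current-context: in-cluster
EOF
    ) && chmod 600 "$out"   # also tightens a pre-existing file
}
```

Exporting `KUBECONFIG` to the generated path, or writing the file to the default path named in the error, gives vals a config to load. What the plugin can then read is still bounded by the repo-server Role shown above, which grants get/list/watch on every Secret in the `argo` namespace.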