argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0

Interpolate a dockerconfigjson Secret #152

Closed llavaud closed 3 years ago

llavaud commented 3 years ago

Is your feature request related to a problem? Please describe.
I'm trying to create a dockerconfigjson Secret using Helm (https://helm.sh/docs/howto/charts_tips_and_tricks/#creating-image-pull-secrets). If I want to retrieve the password from Vault using the AVP plugin, it just interpolates the first "level" in the base64 string and not the "auth" part, which is double base64 encoded.

Describe the solution you'd like
Interpolate the placeholder in the double base64 encoded part.

Describe alternatives you've considered
I have tried using stringData to keep only one level of base64 encoded string, but without success, it messes up the JSON string...

llavaud commented 3 years ago

I have taken a look at the Banzai Cloud webhook and they have specific code to handle a dockerconfigjson Secret: https://github.com/banzaicloud/bank-vaults/blob/481f685ccd6e5c279ef36235a9687b1bb22b37e6/pkg/webhook/secret.go#L114

It may be possible to draw inspiration from this.

werne2j commented 3 years ago

@llavaud This is something that we do as well: we base64 the pull secret before putting it in vault and then use data. This has worked for us and is a way that you can accomplish what you are looking for.

llavaud commented 3 years ago

Hello ! I didn't even think about doing it like this, your solution suits me, thanks !

MoskitoHero commented 3 years ago

Hello, I have been trying to do just this (base64 encode my dockerconfigjson, save it in Google Secrets Manager, and use it in data). But argoCD complains with `illegal base64 data at input byte 0, error found in #10 byte of ...`

Could it be related to Google's Secret Manager ?

werne2j commented 3 years ago

Hi @MoskitoHero could you create a new issue with the problem you are having and we will take a look. Thanks!

teejaded commented 11 months ago

Can we revisit this?

I agree storing pre-computed base64 encoded user:pass strings in vault is a workaround for this, but it still seems sub-optimal. Any helm chart template that generates the dockerconfigjson using a username/password is not usable.

For example: https://github.com/instana/synthetic-pop-charts/blob/main/templates/_helpers.tpl#L95-L103

Granted, there is often an escape hatch in many helm charts to use your own pullSecret, but not always.

I haven't written tests yet, but it was not too difficult to also support this use case.

https://github.com/teejaded/argocd-vault-plugin/commit/532b4b3fa5140bf18960401b972c44134719545b

```shell
❯ kubectl create secret docker-registry test \
        --docker-server=https://my-server.local \
        --docker-username='<path:secret/devops/test#credentials | jsonPath {.user}>' \
        --docker-password='<path:secret/devops/test#credentials | jsonPath {.pass}>' \
        -o yaml --dry-run=client | \
./argocd-vault-plugin generate - | \
yq '.data.".dockerconfigjson" | @base64d'

{"auths":{"https://my-server.local":{"auth":"bXl1c2VyOm15cGFzcw==","password":"mypass","username":"myuser"}}}
```

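
The two-level substitution that the output above relies on, as an added Go example (not the plugin's own code or teejaded's commit): it decodes the outer base64 of `.dockerconfigjson`, substitutes placeholders in every field of each registry entry, and for `auth` first peels the inner base64 layer so the placeholder hidden there is replaced too, then re-encodes. The placeholder syntax, the in-memory `lookup` map standing in for Vault, and the names `InterpolateDockerConfig` and `resolveField` are assumptions made here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// resolveField substitutes placeholders in one field; for "auth" it also peels the inner base64 layer.
func resolveField(field, val string, lookup map[string]string) (string, error) {
	if field == "auth" {
		inner, err := base64.StdEncoding.DecodeString(val)
		if err != nil {
			return "", err
		}
		val = string(inner)
	}
	for tok, v := range lookup { // lookup: constructed map keyed by the full <path:...> token
		val = strings.ReplaceAll(val, tok, v)
	}
	if strings.Contains(val, "<path:") { // fail closed rather than emit a literal placeholder
		return "", fmt.Errorf("unresolved placeholder in %q", field)
	}
	if field == "auth" {
		val = base64.StdEncoding.EncodeToString([]byte(val))
	}
	return val, nil
}

// InterpolateDockerConfig takes the base64 value of data[".dockerconfigjson"],
// interpolates every entry under "auths" and returns it base64-encoded again.
func InterpolateDockerConfig(outerB64 string, lookup map[string]string) (string, error) {
	var cfg map[string]map[string]map[string]string // {"auths": {registry: {field: value}}}
	dec := json.NewDecoder(base64.NewDecoder(base64.StdEncoding, strings.NewReader(outerB64)))
	if err := dec.Decode(&cfg); err != nil {
		return "", err
	}
	for _, entry := range cfg["auths"] {
		for field, val := range entry {
			v, err := resolveField(field, val, lookup)
			if err != nil {
				return "", err
			}
			entry[field] = v
		}
	}
	out, _ := json.Marshal(cfg) // nested string maps cannot fail to marshal
	return base64.StdEncoding.EncodeToString(out), nil
}
```

A missing lookup value returns an error instead of writing the literal placeholder into the Secret, which is the behaviour a defender wants from an interpolation step.
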
werne2j commented 11 months ago

@teejaded PRs are always welcome if you’d like to put something up for review