argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0

Unable to pull certificates/keys type secrets from AWS Secrets Manager #382

Open jeunii opened 2 years ago

jeunii commented 2 years ago

Describe the bug I am trying to create a kubernetes.io/tls type secret in my k8s cluster. My secret manifest looks like:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-tls-new
  annotations:
    avp.kubernetes.io/path: "dev/argocd"
data:
  tls.key: <ARGOCD_TLS_KEY>
  tls.crt: <ARGOCD_TLS_CERT>
type: kubernetes.io/tls

In AWS secret manager, under dev/argocd I have,

[screenshot of the dev/argocd secret in AWS Secrets Manager, taken 2022-07-27]

But in ArgoCD when I try to sync the secret, I get the error message

Secret in version "v1" cannot be handled as a Secret: v1.Secret.Data: decode base64: illegal base64 data at input byte 0, error found in #10 byte of ...|CATE-----","tls.key"|..., bigger context ...|EBpsr6GtPAQw4dy753ec5\\n-----END CERTIFICATE-----","tls.key":"-----BEGIN PRIVATE KEY-----\\nMIIEvwIB|...

All other types of secret fetching work, but not when I'm trying to import certs/keys.

Is this a limitation of this plugin?

werne2j commented 2 years ago

@jeunii it's because you are putting in plain text and using the data field. A couple of different options: base64 the cert in AWS, use the base64modifier, or switch the data field to stringData in the yaml file.

jeunii commented 2 years ago

@werne2j thanks for the reply. you mentioned

use the base64modifier

Could you please elaborate on this?

werne2j commented 2 years ago

Sorry, meant to say base64encode modifier but the docs are here https://argocd-vault-plugin.readthedocs.io/en/stable/howitworks/#base64encode

werne2j commented 1 year ago

@jeunii is this still an issue?

devendrasinghrawat commented 1 year ago

I had a similar issue and, as indicated by @werne2j, did a base64 encoding of my key in AWS Secrets Manager along with changing the yaml file to data instead of stringData, and it all worked.

The only issue I found with base64 encoding was that it still had newline characters, which had to be removed before updating AWS SM. Maybe I need to apply some more flags during base64 encoding.
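An added example (not from the plugin or from anyone in this thread) for the two failure modes above: a raw PEM placed under `data:`, which produces the "illegal base64 data at input byte 0" error, and base64 output that still carries the line wrapping `base64` adds every 76 characters. It assumes GNU coreutils `base64`, and the PEM body is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Constructed placeholder PEM, not a real certificate.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBsampleBodyNotARealCertificate0123456789abcdefghijklmnopqrstuv
wxyzSecondLineOfPlaceholderBody0123456789abcdefghijklmnopqrstuvwx
-----END CERTIFICATE-----'

NL='
'

# Encode a PEM blob as ONE base64 line, which is what a Secret's `data:`
# field expects. `tr` strips the wrapping newlines that plain `base64`
# inserts, so the value can be stored in Secrets Manager as-is.
pem_to_b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Classify a value before storing it for use under `data:`.
# Prints one of: plaintext | wrapped | ok | invalid
#   plaintext: raw PEM; use `<key | base64encode>` or switch to stringData
#   wrapped:   base64 that still contains newlines (the issue noted above)
#   ok:        single-line base64 that decodes cleanly
classify_value() {
  v=$1
  case "$v" in
    *"-----BEGIN "*) echo plaintext; return 0 ;;
    *"$NL"*)         echo wrapped;   return 0 ;;
  esac
  if printf '%s' "$v" | base64 -d >/dev/null 2>&1; then
    echo ok
  else
    echo invalid
  fi
}

# Round-trip check: decoding the stored value must give back the PEM.
b64_roundtrips_to() {
  [ "$(printf '%s' "$1" | base64 -d)" = "$2" ]
}
```

Running `classify_value` on the value you are about to store tells you which of the two fixes from the thread applies before Argo CD ever tries to sync the Secret.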