argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0

How to provide AVP configuration in Sidecar Container #412

Open NitishGupta9282 opened 2 years ago

NitishGupta9282 commented 2 years ago

Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior A clear and concise description of what you expected to happen.

Screenshots/Verbose output If applicable, add screenshots to help explain your problem.

If you've tried running argocd-vault-plugin generate with --verbose-sensitive-output to help debug, please include that output here after redacting any secrets.

Additional context Add any other context about the problem here.

NitishGupta9282 commented 2 years ago
  1. In the method via argocd-cm ConfigMap, I am supplying my Vault configuration as environment variables in the Argo CD repo server, as shown in the code below:

```yaml
envFrom:
  - secretRef:
      name: argocd-vault-plugin-credentials
```

But how can we apply this Vault configuration via sidecar?

  2. Will this method work without providing plugin '{}' in the application manifest?

ptimofee commented 1 year ago

Yes, this part is missing in the documentation and should be added

werne2j commented 1 year ago

@NitishGupta9282 You can see the Argo CD docs here https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/#using-environment-variables-in-your-plugin

The system environment variables (of the repo-server container for argocd-cm plugins or of the sidecar for sidecar plugins). If using sidecar, you attach the env vars to the sidecar container.
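
The answer above, written out as a Helm values fragment. This is an added example, not configuration from the project or from any commenter; it reuses the Secret name, placeholder image, mounts and AVP/AWS values that appear elsewhere in this thread, and assumes the Secret exists in the same namespace as the repo-server pod.

```yaml
# Added example: attach the AVP configuration to the sidecar container itself.
# In Kubernetes, env and envFrom are per-container fields, so variables set on
# the main repo-server container are not visible to a sidecar in the same pod.
repoServer:
  volumes:
    - name: argocd-cmp-cm
      configMap:
        name: argocd-cmp-cm
  extraContainers:
    - name: avp                      # hypothetical container name
      command: [/var/run/argocd/argocd-cmp-server]
      image: <vault-plugin_image>    # placeholder, as used in this thread
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      # Non-sensitive settings can be given inline on the sidecar.
      env:
        - name: AVP_TYPE
          value: awssecretsmanager
        - name: AWS_REGION
          value: us-west-2
      # Credentials come from a Secret, so they stay out of the values file
      # and are exposed only to the container that runs the plugin.
      envFrom:
        - secretRef:
            name: argocd-vault-plugin-credentials
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        # Register the plugin into the sidecar
        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
          subPath: argocd-vault-plugin.yaml
          name: argocd-cmp-cm
```

To confirm the result, inspect the environment of the sidecar container rather than the default container, using `kubectl exec` with `-c <sidecar-name>`.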

harshchauhan1988 commented 1 year ago

I am having a similar issue while I am trying to set up ArgoCD with AWS secret manager, and the vault plug-in has been set up as a sidecar container, where I am getting the error below:

time="2023-06-27T10:02:45Z" level=error msg="argocd-vault-plugin generate .failed exit status 1: Error: Must provide a supported Vault Type\nUsage:\n argocd-vault-plugin generate <path> [flags]\n\nFlags:\n -c, --config-path string path to a file containing Vault configuration (YAML, JSON, envfile) to use\n -h, --help help for generate\n -s, --secret-name string name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format <namespace>:<name>" execID=df3e0

This is the configuration with the ENV variables, as shown on the argoCD-repo server:

kubectl exec argo-cd-argocd-repo-server-7c4599c44d-qbqsk -it /bin/sh -n argo-cd
$ env | grep AVP
AVP_TYPE=awssecretsmanager
$ env | grep AWS
AWS_REGION=us-west-2

harshchauhan1988 commented 1 year ago

Here is how I have built the sidecar container with the ArgoCD Helm chart values file:

configs:
  cmp:
    create: true
    plugins:
      argocd-vault-plugin:
        allowConcurrency: true
        discover:
          find:
            command:
              - sh
              - "-c"
              - "find . -name '*.yaml' | xargs -I {} grep \"<path\\|avp\\.kubernetes\\.io\" {} | grep ."
        generate:
          command:
            - argocd-vault-plugin
            - generate
            - "."
        lockRepo: false
      argocd-vault-plugin-helm:
         generate:
          command: ["sh", "-c"]
          args: ["helm template . | argocd-vault-plugin generate -"]
      argocd-vault-plugin-helm-with-args:
         generate:
          command: ["sh", "-c"]
          args: ["helm template ${helm_args} . | argocd-vault-plugin generate -"]
repoServer:
  volumes:
  - name: argocd-cmp-cm
    configMap:
      name: argocd-cmp-cm
  extraContainers:
    - name: avp1
      command: [/var/run/argocd/argocd-cmp-server]
      image: <vault-plugin_image>
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        # Register plugins into sidecar
        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
          subPath: argocd-vault-plugin.yaml
          name: argocd-cmp-cm
    - name: avp2
      command: [/var/run/argocd/argocd-cmp-server]
      image: <vault-plugin_image>
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        # Register plugins into sidecar
        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
          subPath: argocd-vault-plugin-helm-with-args.yaml
          name: argocd-cmp-cm
    - name: avp3
      command: [/var/run/argocd/argocd-cmp-server]
      image: <vault_plugin_image>
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        # Register plugins into sidecar
        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
          subPath: argocd-vault-plugin-helm.yaml
          name: argocd-cmp-cm
  env:
    - name: AWS_REGION
      value: us-west-2
    - name: AVP_TYPE
      value: awssecretsmanager
  serviceAccount:
    automountServiceAccountToken: true

harshchauhan1988 commented 1 year ago

@jkayani would you be kind enough to provide your feedback on this?

Thank you.

raweber42 commented 6 months ago

@harshchauhan1988 did you resolve this?