argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0

plugin not replacing placeholder #479

Open gehal6 opened 1 year ago

gehal6 commented 1 year ago

Describe the bug

Hi all, I have Helm, Argo CD and HashiCorp Vault. I am implementing "Argo CD Vault Plugin" so it can read the placeholders and replace them with the values from HashiCorp Vault. I tried the plugin from the command line on a Mac to test it, and it works perfectly for the same Helm chart; the connection to Vault is opened from my local machine. The command:

```
helm template keycloak-config ./chart-name -f chart-name/dev-values.yaml | argocd-vault-plugin generate -c /tmp/vaultconfig.yaml
```

But on Argo CD the plugin is installed and I can deploy using it, although the placeholders don't change; for example, they go into the EKS secrets without being replaced by the values in Vault. I appreciate your support very much; I have been looking into this one for a week.

To Reproduce

Steps to reproduce the behavior: install plugin with init containers and ConfigMap

Expected behavior

if the yaml has stringData: password:

in the k8s secrets the password value goes like without getting changed

werne2j commented 1 year ago

Can you please provide your application manifest, the full yaml with the placeholders and how you’re setting up AVP?

gehal6 commented 1 year ago

Hi Jacob,

Kindly I attached the following

  1. the complete manifest "argocd.yaml" of argocd objects.
  2. the yaml with the placeholders "secrets.yaml"

I am setting the AVP using the options "InitContainer and configuration via argocd-cm ConfigMap" in the documentation https://argocd-vault-plugin.readthedocs.io/en/stable/installation/

I have read in some blog that this installation is not supported since version 2.4.0, although the official Argo documentation does not state that. Please confirm so I can act upon your reply.

Thanks, George Halim

werne2j commented 1 year ago

@gehal6 Looks like the yamls never got uploaded to github. Can you add them in the comments?

kaiquerass commented 1 year ago

Same issue here, the secret value is created exactly as the placeholder: <path:secrets/data/helm#CUSTOM_ENV>. I ran ssh to the repo-server pod and the command argocd-vault-plugin generate worked perfectly; the placeholder is changed to the secret value. But when I sync the application, it does not work.
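A check for the symptom reported in this thread, added here as an example and not part of any participant's comment or of the plugin's code: it scans `kubectl get secrets -o json` output for Secret values that still decode to a literal inline-path placeholder. The function name, the regex and the sample objects are constructed for illustration; only Secret keys are reported, never the decoded values.

```python
import base64
import json
import re

# Inline-path placeholder form quoted in this thread, e.g.
# <path:secrets/data/helm#CUSTOM_ENV>; text after the key (modifiers) is tolerated.
PLACEHOLDER = re.compile(r"<path:[^<>#]+#[^<>]+>")

# Constructed sample in the shape of `kubectl get secrets -o json` output.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Secret",
         "metadata": {"namespace": "dev", "name": "keycloak-config"},
         "data": {"password": base64.b64encode(
             b"<path:secrets/data/helm#CUSTOM_ENV>").decode()}},
        {"kind": "Secret",
         "metadata": {"namespace": "dev", "name": "db-creds"},
         "data": {"password": base64.b64encode(b"s3cr3t-value").decode(),
                  "blob": base64.b64encode(b"\xff\xfe\x00").decode()}},
        {"kind": "ConfigMap",
         "metadata": {"namespace": "dev", "name": "notes"},
         "data": {"doc": "use <path:secrets/data/helm#CUSTOM_ENV>"}},
    ],
})


def unreplaced_placeholders(kubectl_json):
    """Return sorted (namespace, name, key) for Secret values still holding a placeholder."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "Secret":
            continue  # only Secrets are inspected
        meta = obj.get("metadata", {})
        for key, b64 in (obj.get("data") or {}).items():
            try:
                text = base64.b64decode(b64, validate=True).decode("utf-8")
            except ValueError:
                continue  # binary or malformed value cannot be a text placeholder
            if PLACEHOLDER.search(text):
                findings.append((meta.get("namespace", ""), meta.get("name", ""), key))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, key in unreplaced_placeholders(SAMPLE):
        print(f"{ns}/{name}: key {key!r} still contains a placeholder")
```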

werne2j commented 1 year ago

@kaiquerass This tells me that something in the setup is not correct. Missing env vars or something like that. As you say, the binary is working just fine.

kaiquerass commented 1 year ago

But if it was an env vars problem, the container would not be able to run the command and make a connection to Vault, right? Sorry, but I didn't get the point. I mean, the container actually runs the command fine when I run it manually, but Argo executing the plugin does not.

kaiquerass commented 1 year ago

I was able to fix it.

I removed the plugin configuration from the application manifest and it worked!

GeorgeWasla commented 1 year ago

@kaiquerass can I know which approach you followed in the vault plugin installation?

kaiquerass commented 1 year ago

For people having this problem: Argo will automatically discover which plugin to use based on the discover section of the plugin, so write a discover command that will fit your application. Then remove the plugin config in the application manifest:

```yaml
source:
  repoURL: ''
  path: charts
  targetRevision: HEAD
  plugin: {}
```

kaiquerass commented 1 year ago

I'm using it as a sidecar @GeorgeWasla

epetrovski-endava commented 1 year ago

@kaiquerass Could you please elaborate a bit more on the discover command that you wrote? My AVP works with regular manifests in .yaml format, but I'm passing a custom values.yaml file for my chart, and for some reason the placeholder isn't being replaced in the values.yaml file, while regular manifests in .yaml do get the placeholder replaced.

gehal6 commented 1 year ago

@epetrovski-endava I fixed the issue. The problem happens when installing Argo CD using the manifest in the documentation; to fix that you need to use the Helm chart instead.

epetrovski-endava commented 1 year ago

@gehal6 Could you please elaborate a bit further? I'm not sure I understand what exactly is needed to fix this. I added the three plugins (avp, avp-kustomize, avp-helm) in my ArgoCD values.yaml, under config.cmp, chart version 5.26.0, and the plugin still does not replace the placeholder when I am adding it in my values.yaml of the application that I use.

Do I need to modify my application.yaml? Thank you

yossigilad commented 1 year ago

@epetrovski-endava I'm having the same issue in my environment. Did you succeed in solving your issue?

Zoli8501 commented 3 months ago

Same issue for me as well: replaceString: missing Vault value for placeholder password in string password: I tried to let Argo automatically discover the plugin (plugin: {}), but got the same error.