Open jonathon2nd opened 10 months ago
I am wondering if SOPS is not fully supported yet, as it is not listed here: https://argocd-vault-plugin.readthedocs.io/en/stable/config/#full-list-of-supported-parameters
This works fine for me when using SOPS and age
https://github.com/getsops/sops?tab=readme-ov-file#22encrypting-using-age
If you check this comment - https://github.com/argoproj-labs/argocd-vault-plugin/pull/265#issuecomment-1015577571 - it has all the details you need to get it working, I think.
You probably should not call your encoded secret file "secret-test.enc.yaml", as argocd will apply this file; rather, just use "secret-test.enc".
My configmap:
sops-age-plugin.yaml: |
  apiVersion: argoproj.io/v1alpha1
  kind: ConfigManagementPlugin
  metadata:
    name: argocd-sops-age-plugin
  spec:
    generate:
      command: ["sh", "-c"]
      args: ['AVP_TYPE=sops argocd-vault-plugin generate ./']
And the ArgoCD CR snippet (you need a sidecar image with age and sops binaries in it):
- command:
    - /var/run/argocd/argocd-cmp-server
  env:
    - name: SOPS_AGE_KEY_FILE
      value: /var/run/secrets/age-key.txt
  image: 'quay.io/eformat/argocd-vault-sidecar:2.11.6'
  name: sops-age-plugin
  resources: {}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  volumeMounts:
    - mountPath: /var/run/argocd
      name: var-files
    - mountPath: /home/argocd/cmp-server/config
      name: sops-age-plugin
    - mountPath: /home/argocd/cmp-server/plugins
      name: plugins
    - mountPath: /tmp
      name: cmp-tmp-sops-age
    - mountPath: /var/run/secrets
      name: sops-age-key
      readOnly: true
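
The reply above advises against giving the encrypted file a ".yaml" name. A repository check for that, as an added example that is not part of the thread or of either project: it assumes SOPS's YAML output layout (a top-level `sops:` key and `ENC[AES256_GCM,...]` values), and the function names, the `check.sh` script name and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list SOPS-encrypted files that still carry a manifest
# extension (.yaml/.yml), such as templates/secret-test.enc.yaml.

# Exit 0 if FILE looks like SOPS YAML output: a top-level "sops:" metadata
# key plus at least one ENC[AES256_GCM,...] value.
is_sops_encrypted() {
  grep -q '^sops:' "$1" && grep -q 'ENC\[AES256_GCM,' "$1"
}

# Print, sorted, every encrypted file under DIR that ends in .yaml or .yml.
find_misnamed_sops() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
      if is_sops_encrypted "$f"; then printf '%s\n' "$f"; fi
    done
}

# CI gate: return 1 and name the offenders on stderr, else return 0.
check_manifest_dir() {
  hits=$(find_misnamed_sops "$1")
  if [ -z "$hits" ]; then return 0; fi
  printf '%s\n' "$hits" | sed 's/^/encrypted file with manifest extension: /' >&2
  return 1
}

# Constructed sample tree; the ciphertext and recipient are placeholders.
make_sample_tree() {
  mkdir -p "$1/templates"
  cat > "$1/templates/secret-test.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
stringData:
    password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDER
EOF
  # Same content without the manifest extension: not reported.
  cp "$1/templates/secret-test.enc.yaml" "$1/templates/secret-test.enc"
  # Plaintext manifest with an indented "sops" key: not reported.
  printf 'kind: ConfigMap\ndata:\n  sops: notes\n' > "$1/templates/cm.yaml"
}

# Usage (hypothetical script name): ./check.sh <chart-dir>
if [ $# -gt 0 ]; then check_manifest_dir "$1"; fi
```
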
Describe the bug
I am struggling to get argocd-vault-plugin working with sops for my install of argocd. I am sure it is an error on my part, but have not been able to figure it out and am hoping someone can point me in the right direction.
To Reproduce
Install configmap:
Install sops secret (this was done during my debugging)
Patch argo-cd
test secret
sops --encrypt templates/secret-test.yaml > templates/secret-test.enc.yaml
Then add the following to the chart for test install along with the output of the sops command.
Expected behavior
I expect to see the decrypted value in the secret in k8s.
Screenshots/Verbose output
No errors in AVP-helm
Additional context