argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0

vault plugin is not connecting to vault #636

Closed Zoli8501 closed 4 months ago

Zoli8501 commented 4 months ago

I am trying to activate the plugin for argocd in the helm chart; the configmaps are argocd-cmp-cm and argocd-cm.

Configuration of argocd-cm:

    configManagementPlugins: |

The cmp-plugin in argocd-cmp-cm:

    plugins:
      # --- First plugin
      cmp-plugin:
        version: v1.0
        init:
          command: [sh]
          args: [-c, 'echo "Initializing..."']
        generate:
          command: [sh, -c]
          args:
            - |
              echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$ARGOCD_ENV_FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"
        discover:
          fileName: "./subdir/s*.yaml"
          find:
            glob: "**/Chart.yaml"
            command: [sh, -c, find . -name env.yaml]

And the plugin configuration part:

    extraContainers:

    # -- envFrom to pass to repo server
    # @default -- [] (See [values.yaml])
    envFrom:

The backend secret is the root token of vault:

    data:
      AVP_AUTH_TYPE: vault
      VAULT_ADDR: ...
      AVP_AUTH_TYPE: token
      AVP_TYPE: vault
      VAULT_TOKEN: ...
    kind: Secret

Argocd app manifest:

    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: opensearch
      namespace: argocd
    spec:
      project: hccs
      destination:
        server: {{ .Values.spec.destination.server }}
        namespace: opensearch
      sources:

And the secret:

    kind: Secret
    apiVersion: v1
    metadata:
      name: opensearch
      annotations:
        avp.kubernetes.io/path: "secret/data/opensearch"
    type: Opaque
    stringData:
      password:

In argocd the secret will be synchronized, but password substitution is not happening...

I also tried to manually add the cmp-plugin configmap:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cmp-plugin
    data:
      avp.yaml: |
        apiVersion: argoproj.io/v1alpha1
        kind: ConfigManagementPlugin
        metadata:
          name: argocd-vault-plugin
        spec:
          allowConcurrency: true
          discover:
            find:
              command:

But that is also not working...

Thank you for your support.

Zoli8501 commented 4 months ago

Made some progress: the plugin is now visible in argocd and can be selected, but when creating a new app the following error appears:

    Unable to create application: application spec for root-app is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: argocd-vault-plugin generate -s vault-kubernetes failed exit status 1: Error: argument required to generate manifests
    Usage:
      argocd-vault-plugin generate [flags]

    Flags:
      -c, --config-path string         path to a file containing Vault configuration (YAML, JSON, envfile) to use
      -h, --help                       help for generate
      -s, --secret-name string         name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format :
          --verbose-sensitive-output   enable verbose mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr

cmp-plugin:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cmp-plugin
      namespace: argocd
    data:
      avp.yaml: |
        apiVersion: argoproj.io/v1alpha1
        kind: ConfigManagementPlugin
        metadata:
          name: argocd-vault-plugin
        spec:
          allowConcurrency: true
          discover:
            find:
              command:

Somehow it is not mounted:

    $ printenv | grep "AVP"
    $
    $

But the mountPath and volumeMounts are there in the configuration:

        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
          name: cmp-plugin
          subPath: avp.yaml

..

volumes:
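
The error quoted in the last comment, "argument required to generate manifests", is what the CLI prints when `generate` is run without its positional path argument. As an added example (not from the thread and not the project's own file), here is a sidecar plugin definition whose `generate` command passes the path explicitly; the discover rule is an assumption, and the `-s` value `vault-kubernetes` is taken from the error message.

```yaml
# Added example, not from the thread. Assumes this file is what gets mounted
# at /home/argocd/cmp-server/config/plugin.yaml via the avp.yaml subPath
# shown in the volumeMounts above.
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
  name: argocd-vault-plugin
spec:
  allowConcurrency: true
  discover:
    find:
      # Assumed discovery rule: the plugin claims any application directory
      # that contains at least one YAML file (non-empty output means a match).
      command: [sh, -c, "find . -name '*.yaml'"]
  generate:
    command:
      - argocd-vault-plugin
      - generate
      # Positional path argument. Without it the CLI exits with status 1 and
      # "Error: argument required to generate manifests", as in the log above.
      - "."
      # Name of the Kubernetes Secret in the argocd namespace that holds the
      # AVP_* and VAULT_* settings (value taken from the error message).
      - "-s"
      - vault-kubernetes
  lockRepo: false
```

With `-s`, the plugin reads its Vault settings from the named Secret rather than from the container environment, so an empty `printenv | grep "AVP"` in the sidecar does not by itself show that the plugin file is missing.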