argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.31k stars 5.25k forks

Global secrets for 3rd party apps #7700

Open HemanthMarella opened 2 years ago

HemanthMarella commented 2 years ago

Summary

When deploying 3rd party applications like Splunk, Datadog, logDNA, etc., or any other apps which have a specific token to pass:

  1. Current approach: when deploying those with helm charts, placing sensitive info as variables and passing them as flags while running the helm commands.
  2. Or creating a secret, and passing that secret in the helm template to pick it up (or something similar).

Let's say, I want to deploy splunk using argoCD.

apiVersion: argoproj.io/v1alpha1
kind: Application
...
...
source:
    helm:
      values: |
          global:
            secret:
              create: false
              name: splunk-hec-token
            splunk:
              hec:
               token: ${{secrets.GLOBAL_SPLUNK_HEC_TOKEN}}
               host: splunkforwarder.common.com
...
...

My overthinking made me create a secret in GitHub and pass it here, but the value of the token is taken as it is (a string) and, as expected, invalid token.

Below link has reference yaml. https://cloud-native.slack.com/archives/C01TSERG0KZ/p1636749820322900

Proposal

Got a thought, and would love to see this feature in ArgoCD if this is reasonable/possible. So, all I want here is: while writing the application YAML, I need one more parameter (can be optional).

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  partyapps:
    - datadog
    - splunk
  name: common-splunk

Log in to the argoCD console --> settings --> secrets --> [drop-down option to select from a list of the most used 3rd party apps] ~> select splunk ~> provide [unique-key,value] --> save (similarly for other apps: Datadog, logDNA, JFrog, Grafana, ELK, etc., any apps you know better than me that require tokens/sensitive info), and go to my app YAML and place it.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  partyapps:
    - splunk
...
source:
    helm:
      values: |
          global:
            secret:
              create: false
              name: splunk-hec-token
            splunk:
              hec:
               token: ${{argo.global.secret.unique-key}}
               host: splunkforwarder.common.com
...
...

ArgoCD will do the rest.

Just thinking off the top of my head, I am not sure if this is a genuine question or a bad idea. But in case it is possible, can you please put this in your enhancement list?
Currently, I am using argoCD v2.1.6

Thank you in Advance.

dublx commented 2 years ago

@HemanthMarella did you find a workaround for this?
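
A pre-commit style check for the failure described in the issue, as an added example that is not part of the thread or of Argo CD: it flags `${{ ... }}` expressions left in an Application manifest (they reach Helm as literal strings, which is the "invalid token" seen above) and credential-looking keys that carry an inline value. The function name, the key-name list and the sample manifest are assumptions constructed for illustration.

```python
import re

# GitHub Actions-style expression; nothing in the manifest path expands it.
PLACEHOLDER = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# Key names that usually hold a credential (assumed list, extend as needed).
SENSITIVE_KEY = re.compile(r"(token|password|passwd|api[_-]?key)$", re.I)
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$")
BLOCK_MARKERS = {"|", ">", "|-", ">-"}

def scan_manifest(text):
    """Return (line_no, key, kind) findings for one manifest's text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(" #", 1)[0]          # drop a trailing YAML comment
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if PLACEHOLDER.search(value):
            findings.append((no, key, "unresolved-placeholder"))
        elif SENSITIVE_KEY.search(key) and value and value not in BLOCK_MARKERS:
            findings.append((no, key, "inline-secret"))
    return findings

# Constructed sample: the Helm values from the issue plus one made-up inline key.
SAMPLE = """\
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  source:
    helm:
      values: |
        global:
          secret:
            create: false
            name: splunk-hec-token
          splunk:
            hec:
              token: ${{secrets.GLOBAL_SPLUNK_HEC_TOKEN}}
              host: splunkforwarder.common.com
        datadog:
          apiKey: CONSTRUCTED-NOT-A-REAL-KEY
"""

if __name__ == "__main__":
    for line_no, key, kind in scan_manifest(SAMPLE):
        print(f"line {line_no}: {key}: {kind}")
```

A reference to a pre-created Secret by name (`name: splunk-hec-token` with `create: false`) passes the check, since only the name, not the token, is stored in Git.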