search

argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.91k stars 5.46k forks source link

$oidc disappears in argocd-cm ConfigMap #8635

Open eli-halych opened 2 years ago

eli-halych commented 2 years ago

When I deploy Argo CD, I want this key-value pair in argocd-cm ConfigMap: oidc.config.clientSecret: $oidc.keycloak.clientSecret (according to THIS guide).

However, after I deploy Argo CD through the GitLab Pipeline, I get this instead: oidc.config.clientSecret: .keycloak.clientSecret.

$oidc disappears. How can I make sure that $oidc.keycloak.clientSecret is deployed as it is? This makes it impossible for me to use clienSecret.

crenshaw-dev commented 2 years ago

I'm not super familiar with GitLab pipelines. How are you deploying Argo CD in pipelines? Are you using kustomize/kubectl in some container step?

Kinda feels like something is interpreting $oidc as an empty variable. But without knowing all the tools in the chain, I'm not sure which tool might be doing that.

eli-halych commented 2 years ago

@crenshaw-dev I am deploying it using Helmsman and a Helm chart. The pipeline runs helm and helmsman commands in a GitLab runner with a Docker executor.

Helmsman version: v3.6.4 Helm version: v3.3.4

crenshaw-dev commented 2 years ago

Can you run helm template on the sources manually, just to make sure it's preserving the $oidc?

What tool are you using to confirm that $oidc is gone? Maybe there's a bug in some presentation software. I'd personally trust output from kubectl.

eli-halych commented 2 years ago

  1. helm template . output:

    clientSecret: $oidc.keycloak.clientSecret

    $oidc is not gone.

  2. I used kubectl edit argocd-secret -n argocd and this is where I saw that the $oidc was gone.

crenshaw-dev commented 2 years ago

Gotcha. This leads me to believe that Helmsman is to blame for removing $oidc. I'm not super familiar with Helmsman. Is there any way for you to do manually what's currently being done in the GitLab pipeline?

eli-halych commented 2 years ago

I couldn't manually do it with Helmsman. Also, it looks like that the dollar sign, or the whole $oidc part, needs to be escaped to not be treated as a variable with null value. I tried \$, $$, $(oidc.keycloak.clientSecret), %$, but nothing worked.

bigwheel commented 2 years ago

$$oidc ? I thought this issue might be related to https://github.com/argoproj/argo-cd/issues/6878 .

kompiz commented 1 year ago

$$oidc ? I thought this issue might be related to #6878 .

Yes! Thank you! $$oidc in the argocd-app.yaml renders $oidc!