argoproj / argo-helm

ArgoProj Helm Charts
https://argoproj.github.io/argo-helm/
Apache License 2.0

Argo CD Git WebHook Secret from another secret #2635

Open alex-souslik-hs opened 7 months ago

alex-souslik-hs commented 7 months ago

Is your feature request related to a problem?

I've configured a Git WebHook to Argo CD but couldn't figure out how to securely add the WebHook secret to my helm values. My values.yaml is stored in a GitHub repo and the argocd-secret is defined in it.

Related helm chart

argo-cd

Describe the solution you'd like

Ideally, I'd like this configuration to be handled the same way sensitive keys can be handled in argocd-cm.

Describe alternatives you've considered

Additional context

No response

pdrastil commented 6 months ago

Hi @alex-souslik-hs, the sensitive values in argocd-cm are indirectly referencing a K8s secret; however, webhook tokens have to be stored in the Secret called argocd-secret. You can achieve this with various integrations where you take full control of secret creation.

See:

You can also check the sample snippet below that uses external-secret operator if you want to provision this without hardcoding anything sensitive in values.yaml.

configs:
  secret:
    createSecret: false

extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: argocd-secret
    spec:
      secretStoreRef:
        name: aws-secretsmanager
        kind: SecretStore
      target:
        name: argocd-secret
      data:
      - secretKey: webhook.github.secret
        remoteRef:
          key: webhook
          property: webhook.github.secret

tman5 commented 5 months ago

@pdrastil I have a very similar setup. So you are saying this won't work with the helm chart?

  secret:
    createSecret: true
    gitlabSecret: "$otherK8sSecret:gitlabSecret"

github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

pdrastil commented 3 months ago

@tman5 I don't think so. The substitutions are done in the ConfigMap argocd-cm and need to be supported by the Argo CD controller. See Argo CD docs. Storing / generating sensitive values outside of the helm chart is usually done by various solutions that generate and populate the secret values from external systems or require additional plugins to process encrypted values.

yolkov commented 2 months ago

@pdrastil so these docs, one and two, are wrong?

Kariton commented 2 weeks ago

I'm also curious how this is supposed to work. Was unable to get those $<k8s_secret_name>:<a_key_in_that_k8s_secret> references to work.
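
Added example, not part of the thread or of the argo-helm chart: a CI check over parsed argo-cd Helm values that flags a literal webhook secret, marks `$<k8s_secret_name>:<key>` references (which the thread leaves unresolved) for manual confirmation, and checks that `createSecret: false` is paired with an ExternalSecret targeting argocd-secret. The function names, the key names other than `gitlabSecret`, and the `createSecret` default are assumptions; load values.yaml with a YAML parser and pass in the resulting dict.

```python
import re

# Webhook keys under configs.secret. Only gitlabSecret appears in the thread;
# the other names are assumed from the argo-cd chart's values.yaml.
WEBHOOK_KEYS = ("githubSecret", "gitlabSecret", "bitbucketServerSecret",
                "bitbucketUUID", "gogsSecret")
# The "$<k8s_secret_name>:<key>" reference form asked about in the thread.
REFERENCE = re.compile(r"^\$[A-Za-z0-9.-]+:[A-Za-z0-9._-]+$")


def provides_argocd_secret(values):
    """True if an ExternalSecret in extraObjects targets argocd-secret."""
    for obj in values.get("extraObjects") or []:
        if not isinstance(obj, dict):
            continue  # skip entries that are not plain mappings
        target = ((obj.get("spec") or {}).get("target") or {}).get("name")
        if obj.get("kind") == "ExternalSecret" and target == "argocd-secret":
            return True
    return False


def audit_webhook_secrets(values):
    """Return (level, key, message) findings for parsed Helm values."""
    secret = (values.get("configs") or {}).get("secret") or {}
    findings = []
    for key in WEBHOOK_KEYS:
        value = secret.get(key)
        if not value:
            continue
        if REFERENCE.match(str(value)):
            findings.append(("warn", key, "reference: confirm it resolves"))
        else:
            findings.append(("error", key, "literal secret in values"))
    # Assumption: createSecret defaults to true when the key is absent.
    if secret.get("createSecret", True) is False and not provides_argocd_secret(values):
        findings.append(("warn", "createSecret", "no ExternalSecret targets argocd-secret"))
    return findings


# Constructed samples mirroring the snippets in the thread.
HARDCODED = {"configs": {"secret": {"githubSecret": "constructed-plaintext"}}}
REFERENCED = {"configs": {"secret": {"gitlabSecret": "$otherK8sSecret:gitlabSecret"}}}
EXTERNAL = {
    "configs": {"secret": {"createSecret": False}},
    "extraObjects": [{"kind": "ExternalSecret", "metadata": {"name": "argocd-secret"},
                      "spec": {"target": {"name": "argocd-secret"}}}],
}

if __name__ == "__main__":
    for name, sample in (("hardcoded", HARDCODED), ("referenced", REFERENCED), ("external", EXTERNAL)):
        print(name, audit_webhook_secrets(sample))
```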