Closed devXpro closed 1 year ago
Hi,
This looks like ArgoCD cannot access the vault with the kube authentication.
Did you play the `terraform init`, followed by `terraform plan`, then `terraform apply` in the `vault` directory after the `./init.sh` from the Hashicorp Vault step?
It will create the key/value vault, the kubernetes vault authentication, and the default policy.
This authentication allows all ArgoCD apps to access the vault with the default policy `kv/*`.
If you already performed the `terraform init` and so on, do you have:
The secret for the default kube auth: `kubectl get secret default-vault-credentials -n argocd`?
And in the Vault :
$ kubectl exec -it statefulset.apps/hashicorp-vault -n hashicorp-vault -- sh
/ $ vault login
Token (will be hidden): xxx
The kubernetes auth ?
/ $ vault auth list
Path Type Accessor Description Version
---- ---- -------- ----------- -------
[...]
kubernetes/ kubernetes auth_kubernetes_xxxxx n/a n/a
[...]
The kv secret vault ?
/ $ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
[...]
kv/ kv kv_xxxxxx KV Version 2 secret engine mount
[...]
I simply didn't complete the last step of the vault setup, which is done through Terraform. I was thrown off by the note that said 'This part is not mandatory.', and I just skipped it. However, it's a crucial step, as without it, no application in ArgoCD will work.
I've been trying to understand why ArgoCD is not working with Vault for the second day already. I followed all the instructions. On the last step, I set up the infrastructure using bin/terraform-apply.sh scaleway. I successfully obtained the load balancer's IP and linked it to the domains. Next, I followed the Vault setup instructions. I generated cluster-keys.json and was able to access the Vault admin interface using the root_token from this file. However, I still see an error on the ArgoCD admin page:
rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: [flags] Flags: -c, --config-path string path to a file containing Vault configuration (YAML, JSON, envfile) to use -h, --help help for generate -s, --secret-name string name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format : --verbose-sensitive-output enable verbose mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr
sh -c "helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} --include-crds . |\nargocd-vault-plugin generate - -s ${ARGOCD_ENV_AVP_SECRET}\n"
failed exit status 1: Error: Error making API request. URL: PUT https://vault-st.my_site.io/v1/auth/kubernetes/login Code: 403. Errors: service account name not authorized Usage: argocd-vault-plugin generate
I tried reinstalling ArgoCD with Vault already configured (commented out the contents of argocd.tf, did a plan and apply, and then uncommented and did a plan and apply), but it didn't help. I keep seeing this error. What am I doing wrong? Are there any additional steps that may be required?
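
The 403 `service account name not authorized` above is what Vault's Kubernetes auth returns when the service account in the login token is not listed in the role's bindings. The following is an added example, not code from this repository or from Vault: it compares a token's `sub` claim with the role data printed by `vault read -format=json auth/kubernetes/role/<role>`. The service account name `argocd-repo-server`, the role contents and all function names are constructed assumptions, and matching is simplified to exact names or `*`.

```python
import base64
import json

# Constructed sample data (not from the issue): claims of a service account
# token and the JSON shape of `vault read -format=json auth/kubernetes/role/<role>`.
SAMPLE_CLAIMS = {"iss": "kubernetes/serviceaccount",
                 "sub": "system:serviceaccount:argocd:argocd-repo-server"}
SAMPLE_ROLE = {"data": {"bound_service_account_names": ["default"],
                        "bound_service_account_namespaces": ["argocd"]}}


def make_unsigned_jwt(claims):
    """Build a JWT-shaped string for the demo; the signature part is a dummy."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])


def service_account_identity(jwt):
    """Return (namespace, name) from the `sub` claim, without verifying the token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    sub = json.loads(base64.urlsafe_b64decode(payload)).get("sub", "")
    fields = sub.split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"not a service account subject: {sub!r}")
    return fields[2], fields[3]


def explain_login(jwt, role):
    """Model the role's binding checks (exact match or "*" only, no globs)."""
    namespace, name = service_account_identity(jwt)
    data = role["data"]
    names = data.get("bound_service_account_names") or []
    namespaces = data.get("bound_service_account_namespaces") or []
    if "*" not in namespaces and namespace not in namespaces:
        return f"namespace not authorized: {namespace!r} not in {namespaces}"
    if "*" not in names and name not in names:
        return f"service account name not authorized: {name!r} not in {names}"
    return f"bindings allow {namespace}/{name}"


if __name__ == "__main__":
    print(explain_login(make_unsigned_jwt(SAMPLE_CLAIMS), SAMPLE_ROLE))
```

To use it on a real cluster, pass the token mounted in the pod that runs the plugin and the role JSON read from Vault instead of the constructed samples.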