travisghansen / argo-cd-helmfile

Integration between argo-cd and helmfile
MIT License

Not able to use secretref+k8s to fetch secrets from Kubernetes Secret object #58

Open workwithprashant opened 5 months ago

workwithprashant commented 5 months ago

Environment:

Private Repository in Helmfile.yaml

repositories:
- name: C3SP-Helm-Charts
  url: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_URL" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-url") }}
  username: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_USER" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-user") }}
  password: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_PWD" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-pwd") }}

ArgoCD Setup

# Source: argo-cd/templates/argocd-repo-server/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-cd-argocd-repo-server
  namespace: "argo"
  labels:
    helm.sh/chart: argo-cd-6.7.1
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v2.10.2"
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
# Source: argo-cd/templates/argocd-repo-server/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-cd-argocd-repo-server
  namespace: "argo"
  labels:
    helm.sh/chart: argo-cd-6.7.1
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v2.10.2"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-cd-argocd-repo-server
subjects:
- kind: ServiceAccount
  name: argo-cd-argocd-repo-server
  namespace: argo

Confirmed that argo-cd-argocd-repo-server is able to access argo-server-sso from the Kubernetes Secret

argocd@argo-cd-argocd-repo-server-6644b58d8f-rqf69:~$ kubectl get Secret argo-server-sso
NAME              TYPE     DATA   AGE
argo-server-sso   Opaque   5      103d

Issue

When I try to create an ArgoCD app with the provided helmfile repository, it throws the following error.

Unable to create application: application spec for delete is invalid: InvalidSpecError: 

Unable to generate manifests in sample-app: rpc error: code = Unknown desc = plugin sidecar failed. 

error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `argo-cd-helmfile.sh init` failed exit status 1: helm version v3.14.2+gc309b6f helmfile version 0.162.0 

starting init vals-k8s: Unable to get a valid kubeConfig path: No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist. 

vals-k8s: Unable to get a valid kubeConfig path: No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist. in ./helmfile.yaml: 

error during helmfile.yaml.part.0 parsing: template: stringTemplate:3:10: executing "stringTemplate" at <fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_URL" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-url")>: error calling fetchSecretValue: expand k8s://v1/Secret/argo/argo-server-sso/helm-repo-url: 

No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist.

Reference: Vals Kubernetes

travisghansen commented 5 months ago

That’s a good use case. I am not sure why it wouldn’t try and build a kubeconfig from the service account files but it likely would be pretty easy to get around that.

If you exec directly to the container and issue a kubectl command to fetch the secret does that work?

workwithprashant commented 5 months ago

I was able to exec into the container argo-cd-argocd-repo-server and issue a kubectl command to fetch the secret with all respective values.
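
The workaround suggested in the thread, building a kubeconfig from the pod's mounted service account files, as an added example (not code from argo-cd-helmfile or from either commenter). The function name `write_incluster_kubeconfig` is hypothetical; it assumes the standard in-pod ServiceAccount mount and the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables, and it references the token and CA by path instead of copying them.

```bash
# Added example: write a kubeconfig that points at the pod's own ServiceAccount,
# so a tool that only looks for KUBECONFIG or ~/.kube/config can reach the API.

# Standard in-pod ServiceAccount mount; overridable for testing.
SA_DIR_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount

# write_incluster_kubeconfig <output-path> [sa-dir]
# Returns 0 on success, 1 if not running in a pod or the SA files are missing.
write_incluster_kubeconfig() {
  local out="$1" sa_dir="${2:-$SA_DIR_DEFAULT}"
  local host="${KUBERNETES_SERVICE_HOST:-}" port="${KUBERNETES_SERVICE_PORT:-}"
  local ns f

  [ -n "$out" ] || { echo "usage: write_incluster_kubeconfig <path> [sa-dir]" >&2; return 1; }
  [ -n "$host" ] && [ -n "$port" ] || { echo "KUBERNETES_SERVICE_HOST/PORT unset" >&2; return 1; }
  for f in token ca.crt namespace; do
    [ -r "$sa_dir/$f" ] || { echo "missing $sa_dir/$f" >&2; return 1; }
  done

  # IPv6 API server addresses must be bracketed in a URL.
  case "$host" in *:*) host="[$host]" ;; esac
  ns="$(cat "$sa_dir/namespace")"

  # tokenFile / certificate-authority are paths: the rotated projected token
  # stays valid and no credential is duplicated into the kubeconfig.
  mkdir -p "$(dirname "$out")" || return 1
  ( umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    server: https://${host}:${port}
    certificate-authority: ${sa_dir}/ca.crt
users:
- name: sa
  user:
    tokenFile: ${sa_dir}/token
contexts:
- name: in-cluster
  context: {cluster: in-cluster, user: sa, namespace: ${ns}}
current-context: in-cluster
EOF
  ) || return 1
  chmod 600 "$out"   # also tightens a pre-existing file
}
```

Exporting `KUBECONFIG` to the written path before `helmfile` runs gives vals one of the lookup locations named in the error above. Where that export belongs in the plugin's startup is not stated in the thread.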