Tags: cicd, argocd, gitops

ArgoCD GitOps declarative config: How to store repo creds in a secure manner in git?


ArgoCD supports declarative configuration: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/

In particular, for repository credentials: https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-repo-creds-yaml/

For example, a typical entry might look like this:

# Repository credentials, for using the same credentials in multiple repositories.
apiVersion: v1
kind: Secret
metadata:
  name: argoproj-https-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repo-creds
stringData:
  url: https://github.com/argoproj
  type: helm
  password: my-password
  username: my-username

Likewise, it's possible to add SSH-based access for git repositories with a private SSH key:

apiVersion: v1
kind: Secret
metadata:
  name: argoproj-ssh-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repo-creds
stringData:
  url: git@github.com:argoproj-labs
  type: git   # SSH URLs are git repositories; "helm" only applies to HTTPS Helm repos
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----

In both scenarios the plain-text password and the private SSH key get stored in a plain-text file in git.

Is there a canonical way to store these credentials in a secure manner, instead of plain text?

https://xyproblem.info/: I am trying to solve the problem of bootstrapping an ArgoCD instance via a couple of YAML files stored in a git repository meant for gitops in an automated fashion. The ArgoCD application server would consume the repo-creds YAML file to populate itself, so that it can subsequently create ArgoCD applications from these repositories. However it's not desirable to have the password / private key be checked into git as plain text. How can we bootstrap all the needed repositories without doing so?

I am aware of at least one workaround: I could use the argocd CLI app in our K8s cluster to populate the repo-creds (or even plain kubectl apply for that matter). But then, what is the point of ArgoCD to programmatically support repo-creds credentials via gitops?


Solution

  • You might want to add a way to inject secrets, and avoid storing them in git indeed.

    Here are some common solutions to inject the secrets, and just have the secret custom resources in git:

    A clean bootstrap of argocd would then look like this:

    1. Install the secret operator on your cluster
    2. Apply the argocd manifests with the operator custom resource for the secret containing your repo-creds

    So usually at bootstrap you still end up providing 1 key which is not in git, the one the secret operator needs.

    Note: A really useful feature is the credentials template, as it allows you to define 1 secret for your Git repositories, instead of repeating the configuration for each repo.
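    The bootstrap pattern described in the answer, written out as an added example (not code from the question, the answer, or the ArgoCD project). It assumes the External Secrets Operator as the "secret operator", HashiCorp Vault KV v2 as the backend, and two Vault entries at the illustrative paths argocd/github-https and argocd/github-ssh; the Vault address, the store name argocd-vault and the bootstrap Secret vault-token are placeholders. Only the SecretStore and ExternalSecret resources are committed to git; the operator renders the labelled repo-creds Secrets in the cluster, so neither the password nor the private key ever enters the repository.

```yaml
# Added example: ArgoCD repo-creds supplied through the External Secrets Operator.
# Assumptions (not from the original post): ESO is installed; a Secret "vault-token"
# in the argocd namespace was applied by hand at bootstrap (the one key that is not
# in git); Vault KV v2 holds the credentials at argocd/github-https and argocd/github-ssh.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: argocd-vault
  namespace: argocd
spec:
  provider:
    vault:
      server: https://vault.example.internal:8200   # placeholder address
      path: secret
      version: v2
      auth:
        tokenSecretRef:
          name: vault-token    # bootstrap secret, created out of band, never committed
          key: token
---
# Replaces the plain "argoproj-https-creds" Secret from the question.
# Only this custom resource lives in git; ESO creates the real Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argoproj-https-creds
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: argocd-vault
    kind: SecretStore
  target:
    name: argoproj-https-creds   # name of the Secret ESO will render
    creationPolicy: Owner
    template:
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repo-creds   # ArgoCD discovers it by this label
      data:
        url: https://github.com/argoproj   # non-secret fields may stay in git
        username: "{{ .username }}"
        password: "{{ .password }}"
  data:
    - secretKey: username
      remoteRef:
        key: argocd/github-https
        property: username
    - secretKey: password
      remoteRef:
        key: argocd/github-https
        property: password
---
# Same pattern for the SSH credential template: the private key is fetched
# from Vault at sync time and never appears in the repository history.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argoproj-ssh-creds
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: argocd-vault
    kind: SecretStore
  target:
    name: argoproj-ssh-creds
    creationPolicy: Owner
    template:
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repo-creds
      data:
        url: git@github.com:argoproj-labs
        type: git
        sshPrivateKey: "{{ .sshPrivateKey }}"
  data:
    - secretKey: sshPrivateKey
      remoteRef:
        key: argocd/github-ssh
        property: sshPrivateKey
```

    Applied in the order the answer gives (operator first, then these manifests alongside ArgoCD), `kubectl -n argocd get externalsecret` shows whether each resource has synced, and the rendered Secrets carry the repo-creds label so ArgoCD treats them exactly like the hand-written ones. Rotating a credential is then a change in Vault, picked up on the next refreshInterval, with no commit touching secret material.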