openshift argocd vault

ArgoCD Vault Plugin + Kustomize


I am using ArgoCD and Kustomize for my projects in a git repo. I have this project based on kustomize, and I would like to have my secrets inside the project "read" by argocd-vault-plugin at the same time. I tried multiple ways but I can't get it to work.

If I use kustomize, then the secrets are not retrieved from my vault and I keep getting <password> as the data, or I get the error:

    cmp-server plugin with name "argocd-vault-plugin" supporting the given repository

My setup is an OpenShift cluster.

kind: ConfigMap
apiVersion: v1
metadata:
  name: cmp-plugin
  namespace: argocd
data:
  avp.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      allowConcurrency: true
      discover:
        find:
          command:
            - sh
            - "-c"
            - "find . -name '*.yaml'"
      generate:
        command:
          - argocd-vault-plugin
          - generate
          - "."
      lockRepo: false

This is the ConfigMap for my argocd-vault-plugin container.


Solution

  • After trying multiple times, it worked using the following:

    An initContainer to download kustomize and place it in the $PATH of my avp container:

    initContainers:
        # Fetches the kustomize release tarball and unpacks the binary into a volume
        # that is shared with the avp container (the archive is not checksum-verified here).
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: download-kustomize
          command:
            - sh
            - '-c'
            - >
              curl -L
              https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_linux_amd64.tar.gz
              -o /tmp/kustomize.tar.gz && tar -xzf /tmp/kustomize.tar.gz -C
              /test-kustom
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsUser: 1000680000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: test-kustom
              mountPath: /test-kustom
          image: 'curlimages/curl:7.79.1'
    

    My AVP Container:

    - resources: {}
      name: avp
      command:
        - /var/run/argocd/argocd-cmp-server
      volumeMounts:
        - name: var-files
          mountPath: /var/run/argocd
        - name: plugins
          mountPath: /home/argocd/cmp-server/plugins
        - name: tmp
          mountPath: /tmp
        - name: cmp-plugin
          mountPath: /home/argocd/cmp-server/config/plugin.yaml
          subPath: avp.yaml
        # kustomize binary from the initContainer, mounted onto the PATH
        - name: test-kustom
          mountPath: /usr/local/bin/kustomize
          subPath: kustomize
        - name: custom-tools
          mountPath: /usr/local/bin/argocd-vault-plugin
          subPath: argocd-vault-plugin
    

    After that, I changed my ConfigMap cmp-plugin to use kustomize:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: cmp-plugin
      namespace: argocd
    data:
      avp.yaml: |
        apiVersion: argoproj.io/v1alpha1
        kind: ConfigManagementPlugin
        metadata:
          name: argocd-vault-plugin
        spec:
          allowConcurrency: true
          discover:
            find:
              command:
                - sh
                - "-c"
                - "find . -name '*.yaml'"
          generate:
            command:
              - sh
              - "-c"
              - |
                # render the kustomization first, then let AVP resolve the placeholders from stdin
                kustomize build . | argocd-vault-plugin generate -
          lockRepo: false
    

    And the Applications in ArgoCD should use the argocd-vault-plugin:

    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: kibana
      namespace: argocd
    spec:
      project: default
      source:
        repoURL: https://github.com/your-repo.git
        targetRevision: HEAD
        path: overlay/dev # The kustomize overlay path
        plugin:
          name: argocd-vault-plugin  # Enable AVP
      destination:
        server: https://kubernetes.default.svc
        namespace: elk
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
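As an added example (not from the original question or answer): a local pre-flight check for the "<password> still ends up in the Secret" symptom, run against the output of the same `kustomize build . | argocd-vault-plugin generate -` pipeline the plugin executes. The function name avp_preflight and its messages are assumptions; the inputs in the comments are constructed.

```shell
# Reads rendered manifests from a file (or stdin when no argument is given) and
# reports (a) any <...> placeholder that survived rendering and (b) any document that
# uses a generic <key> placeholder without the avp.kubernetes.io/path annotation
# AVP needs to resolve it. Returns 0 when the manifests are clean, 1 otherwise.
#   kustomize build overlay/dev | argocd-vault-plugin generate - | avp_preflight
avp_preflight() {
  awk '
    # one manifest ends: report a generic placeholder that had no path annotation
    function flush() {
      if (kind != "" && generic && !has_path) {
        printf "%s/%s: generic <key> placeholder but no avp.kubernetes.io/path annotation\n", kind, name
        bad = 1
      }
      kind = ""; name = ""; generic = 0; has_path = 0
    }
    /^---/                                  { flush(); next }
    /^kind:/                                { kind = $2 }
    /^  name:/ && name == ""                { name = $2 }
    index($0, "avp.kubernetes.io/path:") > 0 { has_path = 1 }
    # anything still shaped like <...> after rendering is an unresolved placeholder
    /^[^#]*<[^> \t]+>/ {
      printf "line %d: unresolved placeholder: %s\n", NR, $0
      bad = 1
      if ($0 !~ /<path:/) generic = 1   # inline <path:...#key> needs no annotation
    }
    END { flush(); exit bad }
  ' "${1:--}"
}
```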