I am using ArgoCD and Kustomize for my projects in a git repo. I have this project based on Kustomize, and I would like the secrets inside the project to be "read" by argocd-vault-plugin at the same time. I tried multiple ways but I can't get it to work.

If I use Kustomize then the secrets are not retrieved from my vault and I keep getting `<password>` as the data, or I get the error:

    cmp-server plugin with name "argocd-vault-plugin" supporting the given repository"

My setup is an OpenShift cluster.
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: cmp-plugin
  namespace: argocd
data:
  avp.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      allowConcurrency: true
      discover:
        find:
          # Any directory containing a *.yaml file is claimed by this plugin
          command:
            - sh
            - "-c"
            - "find . -name '*.yaml'"
      generate:
        # Runs AVP directly on the files in the directory; kustomize is never invoked,
        # so overlays and patches are not applied before placeholders are resolved
        command:
          - argocd-vault-plugin
          - generate
          - "."
      lockRepo: false
```
This is the ConfigMap for my argocd-vault-plugin container.
After trying multiple times, it worked using the following:

An initContainer to download kustomize and place it in the $PATH of my avp container:
```yaml
initContainers:
  - resources: {}
    terminationMessagePath: /dev/termination-log
    name: download-kustomize
    # Downloads the pinned kustomize release and unpacks the binary into the
    # shared volume. Note the tarball is fetched without a checksum or signature
    # check (the release page publishes checksums that could be verified here),
    # and curl is run without -f, so an HTTP error page would be saved as the tarball.
    command:
      - sh
      - '-c'
      - >
        curl -L
        https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_linux_amd64.tar.gz
        -o /tmp/kustomize.tar.gz && tar -xzf /tmp/kustomize.tar.gz -C
        /test-kustom
    securityContext:
      capabilities:
        drop:
          - ALL
      runAsUser: 1000680000   # uid inside the project's OpenShift-assigned range
      runAsNonRoot: true
      allowPrivilegeEscalation: false
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - name: test-kustom
        mountPath: /test-kustom
    image: 'curlimages/curl:7.79.1'
```
My AVP container:
```yaml
  - resources: {}
    name: avp
    command:
      - /var/run/argocd/argocd-cmp-server
    volumeMounts:
      - name: var-files
        mountPath: /var/run/argocd
      - name: plugins
        mountPath: /home/argocd/cmp-server/plugins
      - name: tmp
        mountPath: /tmp
      # plugin.yaml rendered from the cmp-plugin ConfigMap above
      - name: cmp-plugin
        mountPath: /home/argocd/cmp-server/config/plugin.yaml
        subPath: avp.yaml
      # kustomize binary dropped into the shared volume by the init container
      - name: test-kustom
        mountPath: /usr/local/bin/kustomize
        subPath: kustomize
      # argocd-vault-plugin binary from the custom-tools volume
      - name: custom-tools
        mountPath: /usr/local/bin/argocd-vault-plugin
        subPath: argocd-vault-plugin
```
After that, I changed my ConfigMap cmp-plugin to use kustomize:
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: cmp-plugin
  namespace: argocd
data:
  avp.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      allowConcurrency: true
      discover:
        find:
          command:
            - sh
            - "-c"
            - "find . -name '*.yaml'"
      generate:
        # Build the overlay first, then let AVP resolve placeholders
        # on the rendered manifest stream read from stdin
        command:
          - sh
          - "-c"
          - |
            kustomize build . | argocd-vault-plugin generate -
      lockRepo: false
```
And the applications in ArgoCD should use the ArgoCD-Vault-Plugin:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kibana
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-repo.git
    targetRevision: HEAD
    path: overlay/dev # The kustomize overlay path
    plugin:
      name: argocd-vault-plugin # Enable AVP
  destination:
    server: https://kubernetes.default.svc
    namespace: elk
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```
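As an added illustration (not code from the question, the answer, Argo CD, Kustomize or argocd-vault-plugin), the following Python models why the `kustomize build . | argocd-vault-plugin generate -` pipeline in the answer works and the original `argocd-vault-plugin generate .` command leaves `<password>` behind. It applies AVP's documented placeholder rules to an already-rendered manifest list: `<key>` is looked up in the Vault path named by the resource's `avp.kubernetes.io/path` annotation, `<path:PATH#key>` carries its own path, and values that land in a Secret's `.data` map are base64-encoded. The Vault contents, the base Secret and the `overlay/dev` patch are constructed for the example, and `kustomize_build` is a deliberately tiny stand-in for the real tool (namespace plus a map-only strategic merge), so everything runs offline.

```python
"""Model of `kustomize build . | argocd-vault-plugin generate -`.

Added illustration only; not code from Argo CD, Kustomize or AVP.
"""
import base64
import copy
import re

PATH_ANNOTATION = "avp.kubernetes.io/path"
# Matches `<password>` and the inline form `<path:secret/data/x#password>`
PLACEHOLDER = re.compile(r"<(?:path:(?P<path>[^#>]+)#)?(?P<key>[^<>#]+)>")

# Constructed stand-in for a Vault KV-v2 mount: path -> key -> value.
FAKE_VAULT = {"secret/data/elk/kibana": {"username": "kibana", "password": "hunter2"}}


class UnresolvedPlaceholder(Exception):
    """A placeholder named a key that the backend does not hold."""


def substitute(text, default_path, vault, encode):
    """Resolve every placeholder in one scalar string.

    With no annotation path and no inline path the string is returned
    untouched, which is the `<password>` left in the Secret that the
    question describes. A known path with a missing key is an error.
    """
    def repl(match):
        path = match.group("path") or default_path
        if path is None:
            return match.group(0)
        try:
            return str(vault[path][match.group("key")])
        except KeyError:
            raise UnresolvedPlaceholder(
                f"no value for <{match.group('key')}> at {path!r}") from None

    if not PLACEHOLDER.search(text):
        return text
    resolved = PLACEHOLDER.sub(repl, text)
    if encode and resolved != text:
        # Secret .data is base64 on the wire; AVP encodes the fetched value
        resolved = base64.b64encode(resolved.encode()).decode()
    return resolved


def walk(node, default_path, vault, encode):
    """Apply substitute() to every string in a nested manifest structure."""
    if isinstance(node, dict):
        return {k: walk(v, default_path, vault, encode) for k, v in node.items()}
    if isinstance(node, list):
        return [walk(v, default_path, vault, encode) for v in node]
    if isinstance(node, str):
        return substitute(node, default_path, vault, encode)
    return node


def avp_generate(docs, vault=FAKE_VAULT):
    """What `argocd-vault-plugin generate -` does to the manifest stream."""
    out = []
    for doc in docs:
        default_path = doc.get("metadata", {}).get("annotations", {}).get(PATH_ANNOTATION)
        rendered = {}
        for top_key, value in doc.items():
            # Only a Secret's .data is base64-encoded; .stringData is plain text
            encode = doc.get("kind") == "Secret" and top_key == "data"
            rendered[top_key] = walk(value, default_path, vault, encode)
        out.append(rendered)
    return out


def merge(base, patch):
    """Map-only strategic-merge stand-in for what an overlay patch does."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def kustomize_build(base_docs, overlay_patches, namespace):
    """Tiny model of `kustomize build overlay/dev`: patch, then set namespace."""
    built = []
    for doc in base_docs:
        ident = (doc["kind"], doc["metadata"]["name"])
        patch = next((p for p in overlay_patches
                      if (p["kind"], p["metadata"]["name"]) == ident), {})
        doc = merge(doc, patch)
        doc["metadata"]["namespace"] = namespace
        built.append(doc)
    return built


# Constructed repo content: base/ holds the Secret with placeholders and
# overlay/dev adds the AVP path annotation through a patch.
BASE = [{
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "kibana-credentials"},
    "data": {"password": "<password>"},
    "stringData": {"username": "<username>"},
}]
DEV_PATCHES = [{
    "kind": "Secret",
    "metadata": {"name": "kibana-credentials",
                 "annotations": {PATH_ANNOTATION: "secret/data/elk/kibana"}},
}]


def pipeline():
    """`kustomize build overlay/dev | argocd-vault-plugin generate -`."""
    return avp_generate(kustomize_build(BASE, DEV_PATCHES, "elk"))


def plugin_only():
    """`argocd-vault-plugin generate .` over the raw files: the patch is never
    merged into the Secret, so the Secret has no path and keeps `<password>`."""
    return avp_generate(BASE + DEV_PATCHES)


if __name__ == "__main__":
    print(pipeline()[0]["data"])      # {'password': 'aHVudGVyMg=='}
    print(plugin_only()[0]["data"])   # {'password': '<password>'}
```

The same model explains the "supporting the given repository" error path: with the plugin referenced by name in the Application, Argo CD hands the directory to the CMP sidecar instead of its built-in kustomize step, so whatever the `generate` command does (or fails to do) is the whole rendering pipeline.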