ApplicationSet and secret paths #696

Open
huehnerhose opened this issue Feb 17, 2025 · 0 comments
huehnerhose commented Feb 17, 2025

Hi,

I was not able to find how to solve this, though I have the constant feeling of not asking the right search prompts.

I use the app-of-apps approach to deploy ApplicationSets, deploying e.g. qa and prod env per Application. So I have an ApplicationSet "apps-of-apps" deploying via list-generator multiple Applications, e.g. Application: "supporting-services" which deploys ApplicationSet "frontend-service", which deploys "frontend-service-prod" and "frontend-service-qa". The applications themselves are helm deployments via source.helm.values. So the ApplicationSet (reduced) looks like:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: frontend-service
spec:
  goTemplate: true
  generators:
  - list:
      elements:
      - project: "qa"
        namespace: qa
        vaultPath: "dev"
      - project: "prod"
        namespace: prod
        vaultPath: "prod"

  template:
    metadata:
      name: frontend-service-{{.project}}
    spec:
      destination:
        namespace: '{{.namespace}}'
        server: 'https://kubernetes.default.svc'
      project: '{{.project}}'
      source:
        repoURL: helm.repo.com
        targetRevision: '3.2.12'
        chart: frontend-service
        plugin:
          env:
            - name: TEST
              value: FOO
        helm:
          values: |
            env:
              API_KEY: "<path:myapplication-{{.vaultPath}}-secrets/data/mySecret#API_KEY>"
```

You probably already see the issue.

```yaml
API_KEY: "<path:myapplication-{{.vaultPath}}-secrets/data/mySecret#API_KEY>"
```

breaks the argocd-vault-plugin generate run, since the {{.vaultPath}} replacement / templating happens after the AVP is running. So AVP gets the literal string <path:myapplication-{{.vaultPath}}-secrets/data/mySecret#API_KEY> as path to look for the secret.

I tried, as you can see with the source.plugin.env part, to pass ENV to the CMP/AVP run to run some replacement prior to the actual run of argocd-vault-plugin generate. But I never get a run on this ApplicationSet / resulting Application, only ever on the Application "supporting-services".

I moved the avp-annotation between the different Application Manifests, without any result.

Long story short: I am lost as to whether my setup is stupid to begin with and / or can work with AVP at all.

Edit:
I deploy AVP as a sidecar in the argo-cd helm chart via

```yaml
          cmp:
            create: true
            plugins:
              avp:
                allowConcurrency: true
                discover:
                  find:
                    command:
                      - sh
                      - "-c"
                      - "find . -name '*.yaml' | xargs -I {} grep \"<path\\|avp\\.kubernetes\\.io\" {} | grep ."
                generate:
                  command:
                    - sh
                    - "-c"
                    - "argocd-vault-plugin generate -s \"argocd:vault-configuration\" ."
```
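
Added example, not part of the original issue and not code from Argo CD or argocd-vault-plugin: a pre-flight check that finds `<path:...#key>` placeholders still carrying an unrendered `{{.field}}` (the literal string the issue describes AVP receiving) and lists the Vault path each list-generator element is expected to resolve to. The `render` helper is a simplified stand-in for goTemplate that only handles plain `{{.name}}` lookups, and the function names are hypothetical.

```python
import re

# AVP inline-path placeholder: <path:VAULT_PATH#KEY>, optionally followed by #VERSION.
PLACEHOLDER = re.compile(r"<path:(?P<path>[^#>]+)#(?P<key>[^#>]+)(?:#[^#>]+)?>")
# A plain Go template field lookup such as {{.vaultPath}} that is still unrendered.
GO_FIELD = re.compile(r"\{\{-?\s*\.(\w+)\s*-?\}\}")

# Constructed sample input, copied from the issue's helm values and list generator.
VALUES = 'env:\n  API_KEY: "<path:myapplication-{{.vaultPath}}-secrets/data/mySecret#API_KEY>"\n'
ELEMENTS = [
    {"project": "qa", "namespace": "qa", "vaultPath": "dev"},
    {"project": "prod", "namespace": "prod", "vaultPath": "prod"},
]

def find_placeholders(text):
    """Return one record per AVP placeholder, noting any unrendered template fields."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PLACEHOLDER.finditer(line):
            found.append({
                "line": lineno, "path": m["path"], "key": m["key"],
                "unrendered": GO_FIELD.findall(m["path"] + "#" + m["key"]),
            })
    return found

def render(text, element):
    """Stand-in for goTemplate: replaces {{.name}}; raises KeyError on unknown fields."""
    return GO_FIELD.sub(lambda m: str(element[m.group(1)]), text)

def unrendered_report(text):
    """Messages for placeholders that would be looked up with template syntax in them."""
    return [f"line {p['line']}: <path:{p['path']}#{p['key']}> still contains {p['unrendered']}"
            for p in find_placeholders(text) if p["unrendered"]]

def expected_paths(text, elements):
    """Map each generator element's project to the Vault paths its values should use."""
    return {e["project"]: [p["path"] for p in find_placeholders(render(text, e))]
            for e in elements}

if __name__ == "__main__":
    for msg in unrendered_report(VALUES):
        print("UNRENDERED", msg)
    for project, paths in expected_paths(VALUES, ELEMENTS).items():
        print(project, "->", paths)
```

Run against the manifest text that actually reaches the plugin, a non-empty `unrendered_report` shows that the placeholder arrived before template rendering.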