Not able to use secretref+k8s to fetch secrets from Kubernetes Secret object #58

Open
workwithprashant opened this issue Mar 13, 2024 · 2 comments

Comments

@workwithprashant
Contributor

workwithprashant commented Mar 13, 2024

Environment:

  • ArgoCD: 2.10.2
  • argo-cd-helmfile: v0.3.10

Private Repository in Helmfile.yaml

repositories:
- name: C3SP-Helm-Charts
  url: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_URL" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-url") }}
  username: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_USER" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-user") }}
  password: {{ fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_PWD" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-pwd") }}

ArgoCD Setup

# Source: argo-cd/templates/argocd-repo-server/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-cd-argocd-repo-server
  namespace: "argo"
  labels:
    helm.sh/chart: argo-cd-6.7.1
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v2.10.2"
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
# Source: argo-cd/templates/argocd-repo-server/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-cd-argocd-repo-server
  namespace: "argo"
  labels:
    helm.sh/chart: argo-cd-6.7.1
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v2.10.2"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-cd-argocd-repo-server
subjects:
- kind: ServiceAccount
  name: argo-cd-argocd-repo-server
  namespace: argo

Confirmed that argo-cd-argocd-repo-server is able to access argo-server-sso from the Kubernetes Secret

argocd@argo-cd-argocd-repo-server-6644b58d8f-rqf69:~$ kubectl get Secret argo-server-sso
NAME              TYPE     DATA   AGE
argo-server-sso   Opaque   5      103d

Issue
When I try to create an ArgoCD app with the provided helmfile repository, it throws the following error.

Unable to create application: application spec for delete is invalid: InvalidSpecError: 

Unable to generate manifests in sample-app: rpc error: code = Unknown desc = plugin sidecar failed. 

error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `argo-cd-helmfile.sh init` failed exit status 1: helm version v3.14.2+gc309b6f helmfile version 0.162.0 

starting init vals-k8s: Unable to get a valid kubeConfig path: No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist. 

vals-k8s: Unable to get a valid kubeConfig path: No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist. in ./helmfile.yaml: 

error during helmfile.yaml.part.0 parsing: template: stringTemplate:3:10: executing "stringTemplate" at <fetchSecretValue (.StateValues | get "C3SP_HELM_REPO_URL" "secretref+k8s://v1/Secret/argo/argo-server-sso/helm-repo-url")>: error calling fetchSecretValue: expand k8s://v1/Secret/argo/argo-server-sso/helm-repo-url: 

No path was found in any of the following: kubeContext URI param, KUBECONFIG environment variable, or default path /tmp/__argo-cd-helmfile.sh__/apps/delete/.kube/config does not exist.

Reference: Vals Kubernetes

@travisghansen
Owner

That’s a good use case. I am not sure why it wouldn’t try and build a kubeconfig from the service account files but it likely would be pretty easy to get around that.

If you exec directly to the container and issue a kubectl command to fetch the secret does that work?

@workwithprashant
Contributor Author

I was able to exec into the container argo-cd-argocd-repo-server and was able to issue a kubectl command to fetch the secret with all respective values.
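
The idea raised in the thread, building a kubeconfig from the service account files, sketched as an added example (not code from this issue or from argo-cd-helmfile). It points at the mounted token and CA by path instead of copying them, so the credential is not duplicated on disk and token rotation keeps working, and it writes the file with owner-only permissions. The function name, the output path and the standard in-cluster mount path and `KUBERNETES_SERVICE_*` variables are assumptions.

```shell
#!/bin/sh
# Added example: write a kubeconfig that refers to the pod's mounted service
# account credentials, for tools that only look at KUBECONFIG or ~/.kube/config.
# Usage (hypothetical wrapper, run before `helmfile`):
#   write_sa_kubeconfig /tmp/sa-kubeconfig && export KUBECONFIG=/tmp/sa-kubeconfig

# write_sa_kubeconfig OUT [SA_DIR]
write_sa_kubeconfig() {
  out=$1
  # Assumed: default projected service account mount path inside a pod.
  sa_dir=${2:-/var/run/secrets/kubernetes.io/serviceaccount}
  host=${KUBERNETES_SERVICE_HOST:-}
  port=${KUBERNETES_SERVICE_PORT:-443}

  [ -n "$out" ] || { echo "usage: write_sa_kubeconfig OUT [SA_DIR]" >&2; return 2; }
  [ -n "$host" ] || { echo "KUBERNETES_SERVICE_HOST unset: not in a pod?" >&2; return 1; }
  for f in token ca.crt namespace; do
    [ -r "$sa_dir/$f" ] || { echo "missing $sa_dir/$f" >&2; return 1; }
  done
  ns=$(cat "$sa_dir/namespace")

  # An IPv6 API server address must be bracketed inside a URL.
  case $host in *:*) host="[$host]" ;; esac

  # umask 077 in a subshell: directory is 0700, file is 0600, caller unaffected.
  ( umask 077
    mkdir -p "$(dirname "$out")" && cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    server: https://$host:$port
    certificate-authority: $sa_dir/ca.crt
contexts:
- name: in-cluster
  context: {cluster: in-cluster, user: service-account, namespace: $ns}
current-context: in-cluster
users:
- name: service-account
  user:
    tokenFile: $sa_dir/token
EOF
  ) || return 1
}
```

The Role shown in the issue grants `get`, `list` and `watch` on every Secret in the `argo` namespace; adding `resourceNames` for the one Secret that is read would narrow what this credential can fetch.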
