DevOps: Installation Of ArgoCD_Vault_Plugin

Author: Pulkit Bindal

Problem Statement:

Clients need a new plugin installation that improves operational efficiency, improves security, and returns the encoded password, but there is no clear understanding of, or feasible approach to, the best solution. This blog presents such an approach and walks through one use case: how to extract the secrets kept in Vault with the help of ArgoCD_Vault_Plugin.

What is ArgoCD? 

ArgoCD is a declarative GitOps tool built to deploy applications to Kubernetes. While the continuous delivery (CD) space is seen by some as crowded these days, ArgoCD does bring some interesting capabilities to the table.

Unlike other tools, ArgoCD is lightweight and easy to configure. It is purpose-built to deploy applications to Kubernetes so it doesn’t have the UI overhead of many tools built to deploy to multiple locations.

Why Argo CD?

Application definitions, configurations, and environments should be declarative and version controlled. Application deployment and lifecycle management should be automated, auditable, and easy to understand.

Why ArgoCD Vault Plugin?

This plugin is aimed at helping to solve the issue of secret management with GitOps and Argo CD. We wanted to find a simple way to utilize Vault without having to rely on an operator or custom resource definition. This plugin can be used not just for secrets but also for deployments, config maps, or any other Kubernetes resource.

In simple words, the ArgoCD Vault plugin is used when we have secrets that we want to keep stored in Vault. The secrets can then be fetched directly from Vault by an application deployed through ArgoCD, and checked from the CLI or used in other applications. For a more detailed flow, please read the blog carefully and refer to the snapshot attached.

Prerequisites:
  • The Kubernetes cluster should be up and running.
  • The ArgoCD pods should be installed and the ArgoCD Load Balancer URL should be exposed. (Example: http://a1a2c24997d8e42558b1363bdd3d88c4-439400049.us-east-1.elb.amazonaws.com/)
  • The GitHub repository should have a workflow file under .github/workflows/, for example .github/workflows/XYZ.yaml.
  • The Vault pods should be running and the Vault Load Balancer URL should be exposed. (Example: http://ac62692b24af645439a0c80ede01ce67-556141279.us-east-1.elb.amazonaws.com:8200/ui/)

How does it work? 

The argocd-vault-plugin works by taking a directory of YAML or JSON files that have been templated out using the pattern of <placeholder> where you would want a value from Vault to go. The inside of the <> would be the actual key in the Vault.

An annotation can be used to specify exactly where the plugin should look for the Vault values. The annotation needs to be in the format avp.kubernetes.io/path: "path/to/secret".

For example, if you have a secret with the key password-vault-key that you would want to pull from the vault, you might have a YAML that looks something like the below code. In this YAML, the plugin will pull the value of the latest version of the secret at path/to/secret/password-vault-key and inject it into the Secret.

Installation of Apisero Exclusive ArgoCD_Vault_Plugin

Step 1: The first step is to have a GitHub repository where the plugin files can be stored.

Step 2: Upload the 3 YAML files to a directory in the GitHub repository. These YAML files can be configured further according to your needs and requirements. Find the required plugin files here: Plugin Files.

Step 3: In my case, the files are present inside the argocd/overlays directory. The overview of the particular files is attached herewith.

Enabling Apisero Exclusive ArgoCD_Vault_Plugin in ArgoCD

Step 1: The first step is to have the GitHub repository where the plugin files are present.

Step 2: Create a new ArgoCD Application, giving it the same GitHub repository and the corresponding path.

In my case, the files are present inside the argocd/overlays directory, so I will provide argocd/overlays.

Manifest YAML
project: default
source:
  repoURL: 'https://github.com/prashant-demo110/helm_charts.git'
  path: argocd/overlays
  targetRevision: main
destination:
  server: 'https://E8F1655A324ECFA51575C6C1DB2B8677.gr7.us-east-1.eks.amazonaws.com'
  namespace: argocd
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true

Step 3: Only a successful sync shows that, from now on, the plugin can be used for upcoming applications. Kindly refer to the attached screenshot.

Cross Check Apisero Exclusive ArgoCD_Vault_Plugin 

As we can see, after clicking the plugin in the drop-down menu, 2 modules pop up automatically. This shows that the apisero-exclusive-argocd-vault-plugin has been installed successfully.

Let's understand the Use Case:
Use Case: Storing Secrets in Vault

A vault can be used to store any secret in a secure manner. The secrets may be SSL certificates and keys for your organization’s domain, credentials to connect to a corporate database server, etc. Storing such sensitive information in plaintext is not desirable.

Step 1: Log in to Vault using the Token authentication method and default token “root”.

Step 2: In the Web UI, select secret/ and then Create a secret. Enter nginx in the Path for this secret field, the key in the key field, and some value in the key value field.

Step 3: Click Save. Clicking on the sensitive information toggle lets you show or hide the secret value.

Use Case: Storing Secret.YAML File in GitHub

GitHub Actions uses YAML syntax to define the workflow. Each workflow is stored as a separate YAML file in your code repository, in a directory named .github/workflows.

You can create an example workflow in your repository that automatically triggers a series of commands whenever code is pushed. In this workflow, GitHub Actions checks out the pushed code, installs the bats testing framework, and runs a basic command to output the bats version: bats -v.

Step 1: In your repository, locate the folder where the Helm Chart files are present or where you want the secrets to be fetched.

Step 2: In the same folder, click on Add File -> Create New File. Name the file secrets.yaml and add the following code.

YAML
kind: Secret
apiVersion: v1
metadata:
  name: example-secret
  annotations:
    avp.kubernetes.io/path: "path/to/secret"
type: Opaque
stringData:
  password: <password-vault-key>

Step 3: Replace path/to/secret with your own secret path and password-vault-key with your own key. (In my case, these are secrets/data/nginx and <password>.)

Given Key – password

Given Value – fancypassword

Use Case: Cross-Check By Fetching Value in CLI

Step 1: Run the following command to get the base64-encoded password.
kubectl get secret example-secret -o yaml -n argocd

Step 2: Run the following command to see the decoded password.

echo 'ZmFuY3lwYXNzd29yZA==' | base64 --decode
(Kindly refer to the snapshot for the output.)

This shows that the apisero-argocd-vault-plugin is working perfectly fine. 
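The flow checked above, from the templated manifest to the base64 value returned by kubectl, can be modelled in Python. This is an added example, not the plugin's own code: FAKE_VAULT is a constructed stand-in for Vault holding the key and value from this post, render and stored_form are hypothetical names, and refusing to render when a key is missing is this example's choice.

```python
import base64
import re

# Constructed stand-in for Vault: path -> key/value pairs (values from the post).
FAKE_VAULT = {"secrets/data/nginx": {"password": "fancypassword"}}

# secrets.yaml from the post, with the author's path and key filled in.
MANIFEST = """\
kind: Secret
apiVersion: v1
metadata:
  name: example-secret
  annotations:
    avp.kubernetes.io/path: "secrets/data/nginx"
type: Opaque
stringData:
  password: <password>
"""

PATH_RE = re.compile(r'avp\.kubernetes\.io/path:\s*"([^"]+)"')
PLACEHOLDER_RE = re.compile(r"<([A-Za-z0-9_.-]+)>")


def render(manifest, vault):
    """Replace every <key> with the value stored at the annotated path."""
    match = PATH_RE.search(manifest)
    if match is None:
        raise ValueError("manifest has no avp.kubernetes.io/path annotation")
    path = match.group(1)
    if path not in vault:
        raise KeyError(f"no secret at {path}")
    secret = vault[path]
    missing = sorted({k for k in PLACEHOLDER_RE.findall(manifest) if k not in secret})
    if missing:
        # Fail closed: never hand on a manifest with a literal <placeholder> in it.
        raise KeyError(f"keys not found at {path}: {missing}")
    return PLACEHOLDER_RE.sub(lambda m: secret[m.group(1)], manifest)


def stored_form(value):
    """Kubernetes keeps stringData values base64-encoded under .data."""
    return base64.b64encode(value.encode()).decode()


if __name__ == "__main__":
    print(render(MANIFEST, FAKE_VAULT))
    print(stored_form("fancypassword"))
```

stored_form returns the same string that kubectl shows under data. That string is an encoding, not encryption, so anyone allowed to read Secrets in the argocd namespace can decode it.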

All other options for Installation in ArgoCD 

In order to use the plugin in Argo CD you have 4 distinct options:
