argocd-vault-plugin: Cannot find secret even though it's in the same namespace and has access

Describe the bug

I have the plugin set up and have the Vault configuration in a secret. This secret is called ‘argocd-vault-plugin-credentials’ and it exists in the same namespace as argocd. First I had the issue that the argocd-repo-server didn’t have access to the secret, but I solved that by using the argocd-server serviceAccount. (I don’t know how good a practice that is, but it was the easiest solution instead of creating a new SA.) Now if I want to use the plugin with the command that is run by the repo-server, helm template . | argocd-vault-plugin generate - --secret-name argocd-vault-plugin-credentials, I get the following error: Error: secrets "argocd" not found

To Reproduce

Steps to reproduce the behavior:

  1. Set up argocd with kustomize, using the 2.2.5 install manifest as the base resource, and install argocd-vault-plugin with the correct deployment customizations and secrets
  2. Try to use the plugin (either manually or with argocd sync)

Expected behavior

With the command I described above, it should generate the entire Helm output with the placeholders replaced by the values from Vault.

Screenshots

This is the result inside the argocd-repo-server image

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 19 (7 by maintainers)

Most upvoted comments

Don’t worry about it. Probably a good solution here is to change the error message to say: Error: Must provide a supported Vault Type, received %s

Next, I noticed you had dmF1bHQK in your secret for AVP_TYPE. Can you try re-encoding the string without the trailing newline, dmF1bHQ=?

I feel really stupid right now, because that was it. Every value in that secret had a newline at the end -.- After I fixed all those variables, it works now.

I used echo vault | base64 to generate the base64 strings, which added a newline and produced a result that wasn’t correct -.- So in the future, I’ll always make sure to use the -n flag for the echo command.

Maybe a warning in the documentation, or in the error message when the Vault type cannot be read, would be helpful.

Thx for the quick answers.
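The trailing-newline mistake above (dmF1bHQK instead of dmF1bHQ=) is easy to reproduce and easy to check for before a Secret ever reaches the cluster. The script below is an added example and is not part of the argocd-vault-plugin project or of this thread: it encodes values without the newline, and it audits a list of "KEY BASE64" pairs for decoded values that end in a newline. The sample input is constructed here; only AVP_TYPE appears on this page, and AVP_AUTH_TYPE is assumed as a second variable name for illustration. It relies on the coreutils base64, tail and od commands.

```shell
#!/bin/sh
# Added example, not the project's own code: catch base64 Secret values that
# carry a trailing newline, which is what broke AVP_TYPE in this thread.

# Encode a value for a Secret's .data field. printf '%s' writes no trailing
# newline (unlike a bare echo), and tr strips any line wrapping some base64
# implementations add for long inputs.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 (true) when the decoded value ends with a newline byte (0x0a).
# The last byte is inspected with od so the check is independent of how the
# shell treats trailing newlines in command substitutions.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Read "KEY BASE64" pairs on stdin and print the keys whose decoded value
# ends in a newline. Feed it the .data of a Secret (e.g. from kubectl get
# secret -o json piped through a small jq expression) to audit a live object.
audit_secret_data() {
  while read -r key b64; do
    [ -n "$key" ] || continue
    if has_trailing_newline "$b64"; then
      printf '%s\n' "$key"
    fi
  done
}

# Constructed sample: AVP_TYPE encoded with a bare echo (bad), a second
# assumed AVP variable encoded correctly (good).
sample_secret_data='AVP_TYPE dmF1bHQK
AVP_AUTH_TYPE dG9rZW4='

printf 'correct encoding of "vault": %s\n' "$(encode_secret_value vault)"
printf 'keys with a trailing newline:\n'
printf '%s\n' "$sample_secret_data" | audit_secret_data
```

Running the script prints dmF1bHQ= as the correct encoding and lists AVP_TYPE as the only offending key. In practice the simpler fix is to write such Secrets with the stringData field, which takes plain strings and lets the API server do the base64 encoding, so the question of a stray newline never comes up.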

@TheAnachronism What a perplexing thread. Let’s check a few basic things:

From your shell in the repo-server pod, does this at least get you to an error saying you need to specify an auth type?

echo "" | AVP_TYPE=vault argocd-vault-plugin generate -

If so, great - AVP itself is probably not broken.

Next, I noticed you had dmF1bHQK in your secret for AVP_TYPE. Can you try re-encoding the string without the trailing newline, dmF1bHQ=, and put that in the argocd-vault-plugin-credentials secret instead?

If that also gets you to the error about an auth type, that explains the issue with the env vars in the pod.

Finally, regarding the original message about the secret not being found: first, can you try just mounting the default SA’s token (in -n argocd) instead of using the SA for argocd-server, as explained here: https://argocd-vault-plugin.readthedocs.io/en/stable/installation/#initcontainer (2nd to last line in the YAML, setting automountServiceAccountToken to true)?

Second, assuming that doesn’t fix things (which I doubt it will since the argocd-server SA can read secrets too: https://github.com/argoproj/argo-cd/blob/master/manifests/base/server/argocd-server-role.yaml#L17), can you try using the namespace:name syntax for specifying the secret name: -s argocd:argocd-vault-plugin-credentials?