argocd-vault-plugin
- argoproj-labs/argocd-vault-plugin
- ArgoCD 密钥管理
- 支持后端
- HashiCorp Vault
- SOPS
- AVP -> argocd-vault-plugin
- 安装
- 参考
kind: Secret
apiVersion: v1
metadata:
name: example-secret
annotations:
# 路径
avp.kubernetes.io/path: 'path/to/secret'
type: Opaque
data:
password: <password-vault-key>
# postgres://<username>:<password>@<host>:<port>/<database>?sslmode=require
# 会先 decode 然后替换,然后 encode
POSTGRES_URL: cG9zdGdyZXM6Ly88dXNlcm5hbWU+OjxwYXNzd29yZD5APGhvc3Q+Ojxwb3J0Pi88ZGF0YWJhc2U+P3NzbG1vZGU9cmVxdWlyZQ==
annotations:
# <path:some/path#secret-key>
# <path:some/path#secret-key#version>
avp.kubernetes.io/path: 'path/to/secret'
# 默认 latest
avp.kubernetes.io/secret-version: '1'
avp.kubernetes.io/kv-version: '2'
# 是否忽略文件
avp.kubernetes.io/ignore: 'false'
# 如果值不存在移除 key
avp.kubernetes.io/remove-missing: 'true'
- Modifiers
- base64encode
- base64decode
- jsonPath {.username}
- jsonParse
- yamlParse
- indent
配置
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: vault-configuration
namespace: argocd
stringData:
VAULT_ADDR: http://vault
# vault, sops, ibmsecretsmanager, awssecretsmanager, gcpsecretmanager, yandexcloudlockbox, 1passwordconnect
# sops 最简单
# vault 适合小团队 selfhost
AVP_TYPE: vault
# approle, github, k8s, token
AVP_AUTH_TYPE:
# approle
AVP_ROLE_ID:
AVP_SECRET_ID:
# k8s
AVP_K8S_MOUNT_PATH:
AVP_K8S_ROLE:
AVP_K8S_TOKEN_PATH: /var/run/secrets/kubernetes.io/serviceaccount/token
# auth/approle, auth/github, auth/kubernetes
AVP_MOUNT_PATH:
# avp.kubernetes.io/kv-version
AVP_KV_VERSION: '2'
- ArgoCD 2.4 会添加环境变量前缀
ARGOCD_ENV_
SOPS
- AVP_TYPE: sops
# 通过 annotation 配置
kind: Secret
apiVersion: v1
metadata:
name: test-secret
annotations:
avp.kubernetes.io/path: 'example.yaml'
type: Opaque
data:
password: <test-secret>
---
# Inline
kind: Secret
apiVersion: v1
metadata:
name: test-secret
type: Opaque
data:
password: <path:example.yaml#test-secret>
---
# 获取子字段
kind: Secret
apiVersion: v1
metadata:
name: test-secret
annotations:
avp.kubernetes.io/path: 'example.yaml'
type: Opaque
stringData:
password: <parent | jsonPath {.child}>
插件工作原理
-
Patch argocd-repo-server
- 挂载 ConfigMap/cmp-plugin
- 挂载 empty-dir custom-tools
- initContainers
- 通过 curl github 下不动 - 建议做镜像或者自己镜像文件
- 下载 argocd-vault-plugin 到 custom-tools
curl -L https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin \
&& chmod +x argocd-vault-plugin \
&& mv argocd-vault-plugin /custom-tools/
-
ConfigMap/cmp-plugin 配置 argocd - 通过
argocd-vault-plugin generate生成-
avp-kustomize.yaml
- ConfigManagementPlugin
# discover.find.command
find . -name kustomization.yaml
# generate.command
kustomize build . | argocd-vault-plugin generate - -
avp-helm.yaml
find . -name 'Chart.yaml' && find . -name 'values.yaml'
helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . | argocd-vault-plugin generate -
-
AVP_VERSION=1.15.0
curl -LO https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v${AVP_VERSION}/argocd-vault-plugin_${AVP_VERSION}_linux_amd64