# Configuration
There are 3 different ways that parameters can be passed along to argocd-vault-plugin.
## Kubernetes Secret

You can define a Secret in the `argocd` namespace of your Argo CD cluster with the Vault configuration. The keys of the secret's `data`/`stringData` should be the exact names given above, case-sensitive:
```yaml
apiVersion: v1
data:
  VAULT_ADDR: Zm9v
  AVP_AUTH_TYPE: Zm9v
  AVP_GITHUB_TOKEN: Zm9v
  AVP_TYPE: Zm9v
kind: Secret
metadata:
  name: vault-configuration
  namespace: argocd
type: Opaque
```
You can use it like this: `argocd-vault-plugin generate /some/path -s vault-configuration`.

Note: this requires the `argocd-repo-server` to have a service account token mounted in the standard location.
## Configuration File

The configuration can be given in a file reachable from the plugin, in any Viper-supported format (YAML, JSON, etc.). The keys must match the same names used in the Kubernetes secret:
```yaml
VAULT_ADDR: http://vault
AVP_AUTH_TYPE: github
AVP_GITHUB_TOKEN: t0ke3n
AVP_TYPE: vault
```
You can use it like this: `argocd-vault-plugin generate /some/path -c /path/to/config/file.yaml`. This can be useful for use-cases not involving Argo CD.
## Environment Variables

The configuration can be set via environment variables, where each key is prefixed by `AVP_`:

```bash
AVP_TYPE=vault # corresponds to TYPE key
```
Make sure that these environment variables are available to the plugin when running it, whether that is in Argo CD or as a CLI tool. Note that any set environment variables take precedence over configuration pulled from a Kubernetes Secret or a file.
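The three sources above feed one effective configuration, and the order matters when the same key appears in more than one place. The following script is an added example, not the plugin's own code: it reads the keys from a Kubernetes Secret manifest (decoding `data`, taking `stringData` as-is), from a flat config file, and from environment variables, applies the precedence this page states (environment variables override a Secret or a file), and then checks the requirements listed in the parameter table (required keys per `AVP_AUTH_TYPE`, supported values, defaults). The flat file reader stands in for Viper and only handles JSON and `KEY: value` lines; the sample manifests and values are constructed for the example.

```python
"""Resolve argocd-vault-plugin style configuration from its three sources.

Added example, not the plugin's code. The precedence rule (environment
variables win over a Secret or a file) and the requirements checked in
validate() are the ones this page states; the rest is illustration.
"""
import base64
import json
from typing import Dict, List, Mapping

# Parameter names from the page's table plus VAULT_ADDR; names are case-sensitive.
KNOWN_KEYS = {
    "VAULT_ADDR", "AVP_TYPE", "AVP_KV_VERSION", "AVP_AUTH_TYPE", "AVP_GITHUB_TOKEN",
    "AVP_ROLE_ID", "AVP_SECRET_ID", "AVP_K8S_MOUNT_PATH", "AVP_K8S_ROLE",
    "AVP_K8S_TOKEN_PATH", "AVP_IBM_API_KEY", "AVP_IBM_INSTANCE_URL", "AWS_REGION",
}
DEFAULTS = {
    "AVP_KV_VERSION": "2",
    "AVP_K8S_MOUNT_PATH": "auth/kubernetes",
    "AVP_K8S_TOKEN_PATH": "/var/run/secrets/kubernetes.io/serviceaccount/token",
}
SUPPORTED_TYPES = {"vault", "ibmsecretsmanager", "awssecretsmanager", "gcpsecretmanager"}
# Keys each Vault auth type requires, from the table.
REQUIRED_FOR_AUTH = {
    "github": ["AVP_GITHUB_TOKEN"],
    "approle": ["AVP_ROLE_ID", "AVP_SECRET_ID"],
    "k8s": ["AVP_K8S_ROLE"],
}


def config_from_secret(secret: Mapping) -> Dict[str, str]:
    """Read keys from a Secret manifest: `data` is base64, `stringData` is plain.
    stringData wins over data for the same key, as the Kubernetes API does."""
    out: Dict[str, str] = {}
    for key, value in (secret.get("data") or {}).items():
        out[key] = base64.b64decode(value).decode()
    for key, value in (secret.get("stringData") or {}).items():
        out[key] = str(value)
    return out


def config_from_file_text(text: str) -> Dict[str, str]:
    """Read a flat config file: JSON, or one `KEY: value` per line (the flat
    YAML shown on the page). Simplified stand-in for Viper's loader."""
    text = text.strip()
    if text.startswith("{"):
        return {str(k): str(v) for k, v in json.loads(text).items()}
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def resolve(base: Mapping[str, str], env: Mapping[str, str]) -> Dict[str, str]:
    """Secret or file values are the base; an environment variable naming a
    known key overrides them. Unrelated environment variables are ignored."""
    cfg = dict(base)
    for key, value in env.items():
        if key in KNOWN_KEYS:
            cfg[key] = value
    return cfg


def case_mismatches(cfg: Mapping[str, str]) -> List[str]:
    """Keys that match a known name only when case is ignored. Names are
    case-sensitive, so these would be silently ignored by the plugin."""
    return [k for k in cfg if k not in KNOWN_KEYS and k.upper() in KNOWN_KEYS]


def validate(cfg: Mapping[str, str]) -> List[str]:
    """Apply the requirements from the parameter table; returns problems found."""
    problems: List[str] = []
    avp_type = cfg.get("AVP_TYPE")
    if avp_type not in SUPPORTED_TYPES:
        problems.append(f"AVP_TYPE has unsupported value {avp_type!r}")
    if cfg.get("AVP_KV_VERSION", DEFAULTS["AVP_KV_VERSION"]) not in ("1", "2"):
        problems.append("AVP_KV_VERSION must be 1 or 2")
    if avp_type == "vault":
        auth = cfg.get("AVP_AUTH_TYPE")
        if auth not in REQUIRED_FOR_AUTH:
            problems.append(f"AVP_AUTH_TYPE has unsupported value {auth!r}")
        else:
            for key in REQUIRED_FOR_AUTH[auth]:
                if not cfg.get(key):
                    problems.append(f"{key} is required with AVP_AUTH_TYPE={auth}")
    elif avp_type == "ibmsecretsmanager":
        if not cfg.get("AVP_IBM_API_KEY"):
            problems.append("AVP_IBM_API_KEY is required with AVP_TYPE=ibmsecretsmanager")
        # Assumption: with no instance URL and no VAULT_ADDR to fall back to, nothing works.
        if not cfg.get("AVP_IBM_INSTANCE_URL") and not cfg.get("VAULT_ADDR"):
            problems.append("AVP_IBM_INSTANCE_URL or VAULT_ADDR is required")
    if "AWS_REGION" in cfg and avp_type != "awssecretsmanager":
        problems.append("AWS_REGION is only valid with AVP_TYPE=awssecretsmanager")
    return problems


def _b64(plain: str) -> str:
    return base64.b64encode(plain.encode()).decode()


# Constructed sample inputs. PAGE_SECRET mirrors the page's example (Zm9v is "foo").
PAGE_SECRET = {"kind": "Secret", "data": {k: "Zm9v" for k in
               ("VAULT_ADDR", "AVP_AUTH_TYPE", "AVP_GITHUB_TOKEN", "AVP_TYPE")}}
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "vault-configuration", "namespace": "argocd"},
    "data": {"VAULT_ADDR": _b64("http://vault"), "AVP_TYPE": _b64("vault"),
             "AVP_AUTH_TYPE": _b64("approle")},
    "stringData": {"AVP_ROLE_ID": "role-id-placeholder"},  # AVP_SECRET_ID deliberately missing
}
SAMPLE_FILE = "VAULT_ADDR: http://vault\nAVP_AUTH_TYPE: github\nAVP_GITHUB_TOKEN: t0ke3n\nAVP_TYPE: vault\n"

if __name__ == "__main__":
    cfg = resolve(config_from_file_text(SAMPLE_FILE), {"AVP_AUTH_TYPE": "approle", "HOME": "/root"})
    print(cfg, validate(cfg))
```

Running the script shows the failure mode worth knowing about: an `AVP_AUTH_TYPE=approle` left in the plugin's environment overrides the `github` setting in the file and the result fails validation because no role/secret ID is present, which is exactly the kind of surprise the precedence note above warns about.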
## Full List of Supported Parameters

We support all Vault Environment Variables listed here as well as:
Name | Description | Notes |
---|---|---|
`AVP_TYPE` | The type of Vault backend | Supported values: `vault`, `ibmsecretsmanager`, `awssecretsmanager` and `gcpsecretmanager` |
`AVP_KV_VERSION` | The Vault secret engine | Supported values: `1` and `2` (defaults to `2`). `KV_VERSION` will be ignored if the `avp.kubernetes.io/kv-version` annotation is present in a YAML resource. |
`AVP_AUTH_TYPE` | The type of authentication | Supported values for `vault`: `approle`, `github`, `k8s`. Only honored for `AVP_TYPE` of `vault` |
`AVP_GITHUB_TOKEN` | GitHub token | Required with `AUTH_TYPE` of `github` |
`AVP_ROLE_ID` | Vault AppRole Role_ID | Required with `AUTH_TYPE` of `approle` |
`AVP_SECRET_ID` | Vault AppRole Secret_ID | Required with `AUTH_TYPE` of `approle` |
`AVP_K8S_MOUNT_PATH` | Kubernetes Auth mount path | Optional for `AUTH_TYPE` of `k8s`; defaults to `auth/kubernetes` |
`AVP_K8S_ROLE` | Kubernetes Auth role | Required with `AUTH_TYPE` of `k8s` |
`AVP_K8S_TOKEN_PATH` | Path to JWT for Kubernetes Auth | Optional for `AUTH_TYPE` of `k8s`; defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token` |
`AVP_IBM_API_KEY` | IBM Cloud IAM API Key | Required with `TYPE` of `ibmsecretsmanager` |
`AVP_IBM_INSTANCE_URL` | Endpoint URL for IBM Cloud Secrets Manager instance | If absent, falls back to `$VAULT_ADDR` |
`AWS_REGION` | AWS Secrets Manager region | Only valid with `TYPE` `awssecretsmanager` |
## Full List of Supported Annotations

We support several different annotations that can be used inside a Kubernetes resource. These annotations will override any corresponding configuration set via Environment Variable or Configuration File.
Annotation | Description |
---|---|
`avp.kubernetes.io/path` | Path to the Vault Secret |
`avp.kubernetes.io/ignore` | Boolean to tell the plugin whether or not to process the file. Invalid values translate to `false` |
`avp.kubernetes.io/kv-version` | Version of the KV Secret Engine |
`avp.kubernetes.io/secret-version` | Version of the secret to retrieve. Only effective on generic `<placeholder>`s, so `avp.kubernetes.io/path` is required when this annotation is used |
`avp.kubernetes.io/remove-missing` | Plugin will not throw an error when a key is missing from the Vault Secret. Only works on Secret or ConfigMap resources |
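The annotations in this table are per-resource settings layered on top of the plugin configuration, and two of the rows carry conditions that are easy to get wrong in a manifest (`secret-version` without `path`, `remove-missing` on a kind other than Secret or ConfigMap, a non-boolean `ignore` value). The following is an added example, not the plugin's code: it reads the annotations from a resource manifest, applies the override rules this page states (annotations win over `AVP_KV_VERSION`, invalid booleans become `false`, `remove-missing` only counts on Secret/ConfigMap) and reports the conditions that would otherwise be silently wrong. It assumes only the string `true` (any case) is a true boolean; the manifests and the `secret/example/app` path are constructed for the example.

```python
"""Resolve per-resource settings from avp.kubernetes.io annotations.

Added example, not the plugin's code. The override rules are the ones the
page states; the boolean parsing is an assumption made for this example.
"""
from typing import Dict, List, Mapping

PREFIX = "avp.kubernetes.io/"


def annotation_bool(value) -> bool:
    """The page says invalid values translate to false. Assumption here: only
    the string "true" (case-insensitive) counts as true."""
    return str(value).strip().lower() == "true"


def resolve_resource(resource: Mapping, cfg: Mapping[str, str]) -> Dict[str, object]:
    """Combine a resource's annotations with the already-resolved plugin
    configuration `cfg` (keys as in the parameter table). Annotations win."""
    meta = resource.get("metadata") or {}
    ann = meta.get("annotations") or {}
    kind = resource.get("kind", "")
    problems: List[str] = []

    # kv-version annotation overrides AVP_KV_VERSION, which itself defaults to 2.
    kv_version = str(ann.get(PREFIX + "kv-version", cfg.get("AVP_KV_VERSION", "2")))
    if kv_version not in ("1", "2"):
        problems.append(f"kv-version {kv_version!r} is not 1 or 2")

    path = ann.get(PREFIX + "path")
    secret_version = ann.get(PREFIX + "secret-version")
    if secret_version is not None and path is None:
        problems.append(f"{PREFIX}secret-version requires {PREFIX}path")

    remove_missing = annotation_bool(ann.get(PREFIX + "remove-missing", "false"))
    if remove_missing and kind not in ("Secret", "ConfigMap"):
        problems.append(f"remove-missing has no effect on kind {kind!r}")
        remove_missing = False

    return {
        "kind": kind,
        "ignore": annotation_bool(ann.get(PREFIX + "ignore", "false")),
        "kv_version": kv_version,
        "path": path,
        "secret_version": secret_version,
        "remove_missing": remove_missing,
        "problems": problems,
    }


# Constructed sample inputs.
SAMPLE_CONFIG = {"AVP_TYPE": "vault", "AVP_KV_VERSION": "2"}
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "app-creds", "annotations": {
        PREFIX + "path": "secret/example/app",  # constructed path
        PREFIX + "kv-version": "1",              # overrides AVP_KV_VERSION
        PREFIX + "ignore": "yes",                # invalid boolean -> false
        PREFIX + "remove-missing": "true",
    }},
    "stringData": {"password": "<password>"},
}
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "app", "annotations": {
        PREFIX + "secret-version": "3",          # no path annotation alongside it
        PREFIX + "remove-missing": "true",       # not a Secret/ConfigMap
    }},
}

if __name__ == "__main__":
    for res in (SAMPLE_SECRET, SAMPLE_DEPLOYMENT):
        print(resolve_resource(res, SAMPLE_CONFIG))
```

The Deployment case is the one to watch in review: both of its annotations parse cleanly but neither takes effect, so a linting step like this on the repository side catches what the plugin itself would not report.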