Share

Why use Vault for Argo CD?

Storing sensitive information in Git is not a security best practice. The DevOps team tries to ensure tight secret management to avoid security compromises. Argo and Vault plugin is used to implement secret management for the GitOps process. As Hashicorp Vault stores and secures tokens, passwords, certificates, and API Keys, the Ops team can use the integration for deployments, configmaps, and other Kubernetes CRDs. In this article, I will showcase how to integrate Argo CD and Vault to ensure more secure GitOps practices in production. 

Prerequisites for implementing Argo-Vault integration

1. ArgoCD installed

2. Vault installed with appropriate app role

               a)Refer to the below link for Vault installation:-                                            https://www.vaultproject.io/docs/platform/k8s/helm/run 

                b)Vault configuration with application role: https://www.vaultproject.io/docs/auth/approle 

3. ClusterRoleBinding with repo-server service account (Argo with Helm installation, no need to add service account or ClusterRoleBinding)

How to ensure ClusterRoleBinding

ClusterRoleBinding is an RBAC object that can have a list of subjects such as users, groups, or service accounts to grant cluster-wide permissions. 

Add permission to resources in ClusterRole of argocd-server and the below section. 

kubectl edit clusterrole -argocd-server

				
					- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
				
			

Add your repo-server service account to ClusterRoleBinding of argocd-server in order to get secret over cluster level

kubectl edit clusterrolebinding <releasename>-argocd-server

				
					- kind: ServiceAccount
  name: <releasename>-argocd-repo-server
  namespace: <argocdinstalled namespace>
				
			

Steps to integrate Vault and Argo CD

Assuming you have installed Argo CD using install.yaml, you can proceed with the following steps to configure the integration between Vault and Argo.

Step-1: Configure Vault plugin

We will first set up our Vault by creating an application and sensitive information. Please follow the below points to progress with the Vault plugin.

(Note: Argo with Helm installation no need to add any configuration)

1. Add the Vault plugin to Argocd by editing configmap in the file argocd-cm 

# kubectl edit cm argocd-cm  -n <namespace> 

				
					  configManagementPlugins: |-
    - name: argocd-vault-plugin
      generate:
        command: ["argocd-vault-plugin"]
        args: ["generate", "-s", "NAMESPACE:argocd-vault-plugin-credentials", "./"]
				
			

(Note: If it is other than argocd namespace add namespace in front of secret) 

2. Once all changes are applied in argocd-repo-server  deployment, the Vault plugin will be visible in the Argo CD UI- in the plugin section of the application.

Vault plugin will be visible in the Argo CD UI

3. Now we will authenticate Argocd to Vault using a secret . At first we will create a secret called argocd-vault-plugin-credentials

kubectl apply -f argocd-vault.yaml -n <argocd-namespace>

Below is the Secret file for reference:

				
					apiVersion: v1
stringData:
  AVP_AUTH_TYPE: approle
  AVP_ROLE_ID: <ROLE-ID>
  AVP_SECRET_ID: <SECRET-ID>
  AVP_TYPE: vault
  VAULT_ADDR: <VAULT-ADDRESS>
kind: Secret
metadata:
  name: argocd-vault-plugin-credentials
type: Opaque
				
			

(Note: Update ROLE_ID, SECRET_ID,VAULT_ADDR with appropriate details.)

4. Enable the Vault plugin for Argocd using volume mount strategy for argocd-repo-server deployment

kubectl edit deploy argocd-repo-server -n <argocd-namespace>

  • Add envsecretref in the deployment for the main container after the env section.

Optional 

				
					envFrom:
  - secretRef:
      name: argocd-vault-plugin-credentials
				
			
  • Add volume mount to the main container
				
					  volumeMounts:
        - mountPath: /usr/local/bin/argocd-vault-plugin
          name: custom-tools
          subPath: argocd-vault-plugin
				
			
  • Add another init container to the argocd-repo-server deployment with volume mount
				
					     initContainers:
      - args:
        - |-
          wget -O argocd-vault-plugin https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v1.13.0/argocd-vault-plugin_1.13.0_linux_amd64
          chmod +x argocd-vault-plugin && mv argocd-vault-plugin /custom-tools/
        command:
        - sh
        - -c
        image: alpine:3.8
        imagePullPolicy: IfNotPresent
        name: download-tools
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools

				
			
  • Add empty dir to the volumes
				
					 volumes:
      - emptyDir: {}
        name: custom-tools

				
			

5. Verify the vault plugin in argocd-repo-server

# kubectl exec -it argocd-repo-server-<pod> -n argocd  — bash

You can now run the below command to verify the newly created plugin.

[email protected]:~$ argocd-vault-plugin version

argocd-vault-plugin v1.12.0 (9c7288a5b2d395fea19c1100f2cd07b547cc1ee2) BuildDate: 2022-07-08T13:27:45Z

In this case we have successfully built the plugin.

Create a Vault secret from the application

1. I have configured some secrets in the Vault that I will use in the Secret YAML file. ( You can refer to the secret yaml file I have used here) 

				
					apiVersion: v1
kind: Secret
metadata:
  name: example-secret
  annotations:
    avp.kubernetes.io/path: "kv/data/secretpath" #path of secret in vault
type: Opaque
stringData:
  sample-secret: <mysecretkey> #Fomat should be like this with key
				
			

2. Create an application in the argocd with repo and the plugin info can be added for the sample repo.

				
					apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
 name: vault-secret
spec:
 destination:
   name: ''
   namespace: NAMESPACE
   server: 'https://kubernetes.default.svc'
 source:
   path: vault-secret-source
   repoURL: 'git@github.com:OpsMx/argo-sample-apps.git'
   targetRevision: HEAD
   plugin:
     name: argocd-vault-plugin
 project: default
 syncPolicy:
   automated: null
				
			
create yaml application
source repository url
Vault plugin will be visible in the Argo CD UI

3. Application is created as below

Application created
new Application created

4. Sync the application to deploy the manifest

Sync the application to deploy the manifest

5. The secret is created in the backend 

secret is created in the backend

6. You can check the secret in the cluster using the following command.

				
					kubectl get secret example-secret  -n argocd -o jsonpath='{.data.sample-secret}' | base64 -d
				
			

It print my secret value as mentioned in vault 

Mysecretvalue-v5

Integrating Argo CD and Vault With HELM:

Integrating Argo and Valut using HELM is pretty straightforward. Enable secret management in the global section in the values.yaml and specify the roleid, credentials(secretid) and vaultaddress and perform helm install.

				
					 secretmanagement:
    vault: true
    roleid: a301e-XXX-XXX-5327
    secretid: 13XXXX-25aedb1648a2
    vaultaddress: <vault address>
				
			

Once the Installation is done, Please edit the configmap of argocd-cm and replace Release.Namespace with namespace where Argocd is installed.

Next Step

Secret management is essential for the Kubernetes ecosystem in any enterprise. Developers can configure their secrets in Vault without worrying about the information getting hacked or stolen. 

Let us know in the comments if the blog was helpful. And in case of any doubts about configuring Argo CD for production, you can reach us at the Argo Center of Excellence. Or if you want to resolve any open vulnerabilities while adopting Argo, please reach out to 24*7 support for Argo

Mahesh Kumar K

DevOps Engineer at OpsMx. Certified Kubernetes Administrator| Docker | CI/CD | AWS | Spinnaker | Argo | Bash script | Helm | Jenkins | SCM | automation and Configurations

Link

0 Comments

Submit a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.