Select Page

Vardhan NS

last updated on November 28, 2023

Why use argocd-vault plugin?

Storing sensitive information in Git is not a security best practice. The DevOps team tries to ensure tight secret management to avoid security compromises. Managing secrets should also be practiced while using ArgoCD for GitOps. 

Argo CD provides integration with the Hashicorp Vault to implement secret management in the GitOps process. As Vault stores and secures tokens, passwords, certificates, and API Keys, the Ops team can use the integration for deployments, configmaps, and other Kubernetes CRDs. In this article, we will see the step to integrate Argo CD and Vault to ensure more secure GitOps practices in production. 

Fore more you can read:

Prerequisites for implementing Argo-Vault integration

1. ArgoCD installed

2. Vault installed with appropriate app role

               a)Refer to the below link for Vault installation:-                                   

                b)Vault configuration with application role: 

3. ClusterRoleBinding with repo-server service account (Argo with Helm installation, no need to add service account or ClusterRoleBinding)

How to ensure ClusterRoleBinding

ClusterRoleBinding is an RBAC object that can have a list of subjects such as users, groups, or service accounts to grant cluster-wide permissions. 

Add permission to resources in ClusterRole of argocd-server and the below section. 

kubectl edit clusterrole -argocd-server

					- apiGroups:
  - '*'
  - '*'
  - '*'
- nonResourceURLs:
  - '*'
  - '*'

Add your repo-server service account to ClusterRoleBinding of argocd-server in order to get secret over cluster level

kubectl edit clusterrolebinding <releasename>-argocd-server

					- kind: ServiceAccount
  name: <releasename>-argocd-repo-server
  namespace: <argocdinstalled namespace>

Steps to integrate Vault and Argo CD

Assuming you have installed Argo CD using install.yaml, you can proceed with the following steps to configure the integration between Vault and Argo.

Step-1: Configure Vault plugin

We will first set up our Vault by creating an application and sensitive information. Please follow the below points to progress with the Vault plugin.

(Note: Argo with Helm installation no need to add any configuration)

1. Add the Vault plugin to Argocd by editing configmap in the file argocd-cm 

# kubectl edit cm argocd-cm  -n <namespace> 

					  configManagementPlugins: |-
    - name: argocd-vault-plugin
        command: ["argocd-vault-plugin"]
        args: ["generate", "-s", "NAMESPACE:argocd-vault-plugin-credentials", "./"]

(Note: If it is other than argocd namespace add namespace in front of secret) 

2. Once all changes are applied in argocd-repo-server  deployment, the Vault plugin will be visible in the Argo CD UI- in the plugin section of the application.

Vault plugin will be visible in the Argo CD UI

3. Now we will authenticate Argocd to Vault using a secret . At first we will create a secret called argocd-vault-plugin-credentials

kubectl apply -f argocd-vault.yaml -n <argocd-namespace>

Below is the Secret file for reference:

					apiVersion: v1
  AVP_AUTH_TYPE: approle
  AVP_TYPE: vault
kind: Secret
  name: argocd-vault-plugin-credentials
type: Opaque

(Note: Update ROLE_ID, SECRET_ID,VAULT_ADDR with appropriate details.)

4. Enable the Vault plugin for Argocd using volume mount strategy for argocd-repo-server deployment

kubectl edit deploy argocd-repo-server -n <argocd-namespace>

  • Add envsecretref in the deployment for the main container after the env section.


  - secretRef:
      name: argocd-vault-plugin-credentials
  • Add volume mount to the main container
        - mountPath: /usr/local/bin/argocd-vault-plugin
          name: custom-tools
          subPath: argocd-vault-plugin
  • Add another init container to the argocd-repo-server deployment with volume mount
      - args:
        - |-
          wget -O argocd-vault-plugin
          chmod +x argocd-vault-plugin && mv argocd-vault-plugin /custom-tools/
        - sh
        - -c
        image: alpine:3.8
        imagePullPolicy: IfNotPresent
        name: download-tools
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        - mountPath: /custom-tools
          name: custom-tools

  • Add empty dir to the volumes
      - emptyDir: {}
        name: custom-tools


5. Verify the vault plugin in argocd-repo-server

# kubectl exec -it argocd-repo-server-<pod> -n argocd  — bash

You can now run the below command to verify the newly created plugin.

argocd@argocd-repo-server-7f:~$ argocd-vault-plugin version

argocd-vault-plugin v1.12.0 (9c7288a5b2d395fea19c1100f2cd07b547cc1ee2) BuildDate: 2022-07-08T13:27:45Z

In this case we have successfully built the plugin.

Create a Vault secret from the application

1. I have configured some secrets in the Vault that I will use in the Secret YAML file. ( You can refer to the secret yaml file I have used here) 

					apiVersion: v1
kind: Secret
  name: example-secret
  annotations: "kv/data/secretpath" #path of secret in vault
type: Opaque
  sample-secret: <mysecretkey> #Fomat should be like this with key

2. Create an application in the argocd with repo and the plugin info can be added for the sample repo.

kind: Application
 name: vault-secret
   name: ''
   namespace: NAMESPACE
   server: 'https://kubernetes.default.svc'
   path: vault-secret-source
   repoURL: ''
   targetRevision: HEAD
     name: argocd-vault-plugin
 project: default
   automated: null

3. Application is created as below

4. Sync the application to deploy the manifest

5. The secret is created in the backend 

6. You can check the secret in the cluster using the following command.

					kubectl get secret example-secret  -n argocd -o jsonpath='{.data.sample-secret}' | base64 -d

It print my secret value as mentioned in vault 


Integrating Argo CD and Vault With HELM:

Integrating Argo and Valut using HELM is pretty straightforward. Enable secret management in the global section in the values.yaml and specify the roleid, credentials(secretid) and vaultaddress and perform helm install.

    vault: true
    roleid: a301e-XXX-XXX-5327
    secretid: 13XXXX-25aedb1648a2
    vaultaddress: <vault address>

Once the Installation is done, Please edit the configmap of argocd-cm and replace Release.Namespace with namespace where Argocd is installed.

Next Step

Secret management is essential for the Kubernetes ecosystem in any enterprise. Developers can configure their secrets in Vault without worrying about the information getting hacked or stolen. 

Let us know in the comments if the blog was helpful. And in case of any doubts about configuring Argo CD for production, you can reach us at the Argo Center of Excellence. Or if you want to resolve any open vulnerabilities while adopting Argo, please reach out to 24*7 support for Argo

About OpsMx

Founded with the vision of “delivering software without human intervention,” OpsMx enables customers to transform and automate their software delivery processes. OpsMx builds on open-source Spinnaker and Argo with services and software that helps DevOps teams SHIP BETTER SOFTWARE FASTER.

Vardhan NS

Vardhan is a technologist and a marketing professional, currently working as a Sr. PMM at OpsMx. His strength lies in understanding complex technologies, and explaining them in un-complicated ways. Vardhan is a passionate Product Marketer with a keen focus on Content, helping brands Position themselves uniquely with clear messaging and competitive differentiation. Outside of work, he is an athlete that is passionate about Football, Swimming and Surfing.



Submit a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.