Argo CD Git WebHook Secret from another secret #2635

Open
alex-souslik-hs opened this issue Apr 9, 2024 · 6 comments

Contributor

alex-souslik-hs commented Apr 9, 2024

Is your feature request related to a problem?

I've configured a Git WebHook to Argo CD but couldn't figure out how to securely add the WebHook secret to my helm values. My values.yaml is stored in a GitHub repo and the argocd-secret is defined in it.

Related helm chart

argo-cd

Describe the solution you'd like

Ideally, I'd like this configuration to be handled the same way sensitive keys can be handled in argocd-cm.

Describe alternatives you've considered

  • Not using the WebHook secret.
  • Not creating the argocd-secret with the Argo CD chart.

Additional context

No response

@alex-souslik-hs alex-souslik-hs added the enhancement New feature or request label Apr 9, 2024
Member

pdrastil commented May 12, 2024

Hi @alex-souslik-hs, the sensitive values in argocd-cm are indirectly referencing K8s secret, however webhook tokens have to be stored in Secret called argocd-secret. You can achieve this with various integrations where you take full control of secret creation.

See:

You can also check sample snippet below that uses external-secret operator if you want to provision this without hardcoding anything sensitive in values.yaml.

configs:
  secret:
    # Do not let the chart render argocd-secret; the ExternalSecret below creates it
    createSecret: false

extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: argocd-secret
    spec:
      secretStoreRef:
        name: aws-secretsmanager
        kind: SecretStore
      target:
        # Name of the Kubernetes Secret the operator creates
        name: argocd-secret
      data:
      - secretKey: webhook.github.secret
        remoteRef:
          key: webhook
          property: webhook.github.secret

@pdrastil pdrastil added question and removed enhancement New feature or request labels May 12, 2024

tman5 commented Jun 21, 2024

@pdrastil I have a very similar setup. So you are saying this won't work with the helm chart?

  secret:
    createSecret: true
    gitlabSecret: "$otherK8sSecret:gitlabSecret"


This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@pdrastil
Member

@tman5 I don't think so. The substitutions are done in ConfigMap argocd-cm and need to be supported by Argo CD controller. See Argo CD docs. For storing / generating sensitive values outside of helm chart it's usually done by various solutions that generate and populate the secret values from external systems or require additional plugins to process encrypted values.


yolkov commented Sep 11, 2024

@pdrastil so these docs one and two are wrong?


Kariton commented Nov 5, 2024

I'm also curious how this is supposed to work.
Was unable to get those $<k8s_secret_name>:<a_key_in_that_k8s_secret> references to work.
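
A pre-commit style check for the situation this issue describes (a values.yaml kept in Git with the chart's `configs.secret` block in it), added here as an example that is not part of the thread or of the argo-helm project. It assumes webhook keys under `configs.secret` end in `Secret` (as `gitlabSecret` above does), uses a constructed sample file, and reports `$name:key` values separately because the thread does not settle whether they are resolved.

```python
import re

# Constructed sample values.yaml (not from the thread): one plaintext secret,
# one "$secret:key" style value as posted above, one empty value.
SAMPLE_VALUES = """\
configs:
  cm:
    url: https://argocd.example.com
  secret:
    createSecret: true
    githubSecret: "constructed-plaintext-value"
    gitlabSecret: "$otherK8sSecret:gitlabSecret"
    gogsSecret: ""
server:
  secret: unrelated
"""

# Matches "indent key: value" lines of a block-style YAML mapping.
LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")


def find_inline_secrets(text, parent=("configs", "secret")):
    """Return [(key, kind)] for non-empty *Secret scalars under configs.secret.

    kind is "literal" for plaintext and "reference" for values starting with "$".
    Simplified scanner: block-style mappings only (no flow style or anchors).
    """
    stack, findings = [], []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        m = LINE.match(raw.split(" #", 1)[0].rstrip())
        if not m:
            continue  # blank lines, comments, list items
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        path = tuple(k for _, k in stack)
        stack.append((indent, key))
        value = value.strip("\"'")
        if path != parent or key == "createSecret" or not key.endswith("Secret"):
            continue
        if value:
            kind = "reference" if value.startswith("$") else "literal"
            findings.append((key, kind))
    return findings


if __name__ == "__main__":
    for key, kind in find_inline_secrets(SAMPLE_VALUES):
        print(f"configs.secret.{key}: {kind} value committed in values file")
```

A `literal` finding is the case to block in CI; a values file that only sets `createSecret: false` and provisions `argocd-secret` externally produces no findings.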
