This article details integrating the ArgoCD Vault plugin with ArgoCD for automatic retrieval of secrets from Vault, enhancing Kubernetes secrets management.
In this article, we detail how to integrate the ArgoCD Vault plugin with ArgoCD. This integration enables automatic retrieval of secrets directly from Vault, simplifying and securing the management of your Kubernetes secrets.
This setup comprises a Git repository containing Kubernetes manifests, an ArgoCD instance, a Vault server, and a Kubernetes cluster. ArgoCD periodically pulls manifests from the Git repository. One such manifest is a secret template that includes an annotation for the Vault plugin along with a placeholder for the actual secret value. For example:
ArgoCD uses the annotation to trigger the Vault plugin. The plugin connects to Vault and automatically fetches the required secret, transforming the manifest with the live secret data for deployment.
ArgoCD supports custom tooling via configuration management plugins. The Vault plugin can be integrated using two approaches:
Direct Integration via ConfigMap
If the plugin is lightweight (requiring only a few lines), you can add its configuration directly to the ArgoCD ConfigMap. The repo server pod runs the plugin commands accordingly.
Sidecar Integration
For more complex plugins that may clutter the ArgoCD ConfigMap, consider deploying the plugin as a sidecar container alongside the repo server.
In this guide, we demonstrate the ConfigMap-based approach.
To integrate the Vault plugin, start by modifying the ArgoCD repo server deployment:
Define an empty directory volume to hold custom binaries.
Use an init container to download the ArgoCD Vault plugin binary into that volume. Mounting the same volume into the repo server container makes the binary available to it at runtime.
Below is a snippet that demonstrates these changes:
Once the plugin binary is in place, register it with ArgoCD by updating the ConfigMap under the configuration management plugins section. After updating the ConfigMap, restart the ArgoCD repo server deployment. For instance:
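As an added illustration of these two steps (this is example configuration written for this page, not the article's own snippet), the following combines a strategic-merge patch for the argocd-repo-server Deployment with the plugin registration in argocd-cm. The plugin version, the download URL pattern, the init-container image and the name of the credentials Secret are assumed values.

```yaml
# Added example: repo-server patch + argocd-cm registration (ConfigMap-based approach).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  template:
    spec:
      volumes:
        - name: custom-tools            # emptyDir that receives the plugin binary
          emptyDir: {}
      initContainers:
        - name: download-tools
          image: alpine:3.19            # assumed image; pin a digest in production
          env:
            - name: AVP_VERSION
              value: "1.17.0"           # assumed release version
          command: [sh, -c]
          args:
            # Download the release binary into the shared volume. Verify it against the
            # checksum published with the release before trusting it (left out here).
            - >-
              wget -O /custom-tools/argocd-vault-plugin
              https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v${AVP_VERSION}/argocd-vault-plugin_${AVP_VERSION}_linux_amd64 &&
              chmod +x /custom-tools/argocd-vault-plugin
          volumeMounts:
            - name: custom-tools
              mountPath: /custom-tools
      containers:
        - name: argocd-repo-server
          volumeMounts:
            - name: custom-tools        # expose only the binary to the main container
              mountPath: /usr/local/bin/argocd-vault-plugin
              subPath: argocd-vault-plugin
          envFrom:
            - secretRef:
                name: argocd-vault-plugin-credentials   # assumed Secret with VAULT_ADDR, AVP_* vars
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  configManagementPlugins: |
    - name: argocd-vault-plugin
      generate:
        command: ["argocd-vault-plugin"]
        args: ["generate", "./"]
```

Apply both with kubectl apply and then restart the repo server deployment so the init container runs and the new plugin registration is picked up.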
After registering the plugin, configure it to authenticate with your Vault server. You can choose between two common approaches:
Create a dedicated Kubernetes secret containing Vault configurations and reference it from the repo server container.
Embed the Vault configuration directly within each ArgoCD application’s manifest.
Both methods can be configured using the ArgoCD UI or CLI. Once the configuration is set, ArgoCD executes the plugin’s generate command (with the specified arguments) to retrieve secrets from Vault and generate the final Kubernetes manifest for application deployment.
Always ensure that Vault credentials and configurations are secured appropriately. It is recommended to use Kubernetes Secrets to store sensitive Vault information.
After integrating and configuring the plugin, the actual secret data lives only in Vault; Git holds just the template with its annotation and placeholders. For example, a secret stored at the specified path may be retrieved as follows:
Integrating the ArgoCD Vault plugin enhances the security and manageability of your Kubernetes secrets by dynamically fetching sensitive data from Vault. Following the steps above helps maintain consistency between Git repositories and live deployments, ensuring that secrets are always up-to-date and secure. For further reading, consider exploring the following resources: