You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Some tools like ArgoCD allow you to pull some secret values from vault by setting values in manifests to something like '?{vaultkv:path/to/vault/key}'. Those references are replaced by the actual value from vault before applying the manifest to the cluster.
However, since the chart renders all secrets as base64-encoded, ArgoCD cannot detect & replace those values.
Possible fixes
Don't base64-encoded secret values and use stringData instead of data
We want to set fields like the default admin password, HTTP secrets and similar.
In our pipeline we use helm template to render out all manifests, and then use ArgoCD to apply the manifests.
ArgoCD supports fetching the actual VALUE for a secret only when it is applied to the Kubernetes API.
In order to do that, ArgoCD must be able to identify values which reference a Vault entry before applying the manifest to the cluster. And this only works when Secret values are provided as stringData as opposed to data (since the data entries are base64-encoded and ArgoCD cannot determine whether this holds a Vault reference or binary data).
Some tools like ArgoCD allow you to pull some secret values from vault by setting values in manifests to something like
'?{vaultkv:path/to/vault/key}'
. Those references are replaced by the actual value from vault before applying the manifest to the cluster.However, since the chart renders all secrets as base64-encoded, ArgoCD cannot detect & replace those values.
Possible fixes
stringData
instead ofdata
If this is something you want to support I could send you a PR for option 1
The text was updated successfully, but these errors were encountered: