Describe the bug
Periodically the plugin loses connection to Vault. In this way, after configuration the plugin works correctly, but after 15-20 minutes the connection is lost. Hard Refresh of the app does not help. However, if you restart argocd-repo-server and argocd-redis, everything works successfully. If you restart only one of them, the problem is not solved.
Expected behavior
If you configure a connection to Vault for an application once, the connection will work stably.
Screenshots/Verbose output
Example of output
"helm template ... | argocd-vault-plugin generate -s argo-vault-secret -" failed exit status 1:
Error: Replace: could not replace all placeholders in Template:
Error making API request.
URL: GET http://vault.vault.svc.cluster.local:8200/v1/secret/data/application Code: 403.
Errors: * 1 error occurred: * permission denied
Error making API request.
Additional context
If you don't use Multitenancy, but make the most insecure policy possible, the connection is stable.
path "secret/data/*" {
  capabilities = ["read"]
}
The argocd-api role is generated in Vault with the parameters
Bound service account namespaces - argocd-repo-server
Bound service account namespaces - argocd
Generated Token's Policies - api
Pod argocd-repo-server uses ServiceAccount argocd-repo-server. When we do Hard Refresh in ArgoCD for api, it's as if ServiceAccount argocd-repo-server clings to the argo-vault-api secret, losing connections to Vault for argo-vault-worker.
If we reboot the argocd-repo-server pod and do a Hard Refresh for the worker, then we lose the api.
So when we used a universal role that has access to all secrets, we didn't encounter this problem.
I use Multitenancy with Kubernetes Authentication.
To Reproduce
If you want to reproduce this, you will need the following:
argocd-policy
argocd-role, specifying the parameters
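Vault answers `403 permission denied`, as in the output above, when the token presented carries no policy rule covering the requested path. As an added illustration (not code from argocd-vault-plugin or from this issue), the simplified model of Vault policy matching below shows a token bound to one tenant policy being denied on another tenant's path while the wildcard policy quoted in the issue allows both. The `api` and `worker` policy bodies and the `secret/data/worker` path are constructed assumptions; only `secret/data/*` and `secret/data/application` come from the issue.

```python
# Added illustration: simplified model of Vault ACL policy evaluation.
# Policy bodies for "api" and "worker" are constructed assumptions; only
# "secret/data/*" and "secret/data/application" appear in the issue.
POLICIES = {
    "universal": {"secret/data/*": {"read"}},            # policy quoted in the issue
    "api":       {"secret/data/application": {"read"}},  # assumed tenant policy
    "worker":    {"secret/data/worker": {"read"}},       # assumed tenant policy
}


def capabilities(token_policies, path):
    """Return the capabilities a token holding token_policies has on path.

    Simplified Vault rules: an exact path beats a glob, the longest glob
    prefix beats shorter ones, capabilities for the winning pattern are
    unioned across policies, and "deny" overrides everything.
    """
    merged = {}
    for name in token_policies:
        for pattern, caps in POLICIES.get(name, {}).items():
            merged.setdefault(pattern, set()).update(caps)

    if path in merged:
        winner = merged[path]
    else:
        globs = [p for p in merged if p.endswith("*") and path.startswith(p[:-1])]
        if not globs:
            return set()  # no matching rule: the request is denied
        winner = merged[max(globs, key=len)]
    return set() if "deny" in winner else set(winner)


def status_for_read(token_policies, path):
    """HTTP status a GET on path would produce for this token."""
    return 200 if "read" in capabilities(token_policies, path) else 403


def main():
    # Compare tenant-scoped tokens with the wildcard policy on both paths.
    for policies in (["api"], ["worker"], ["universal"]):
        for path in ("secret/data/application", "secret/data/worker"):
            print(policies, path, status_for_read(policies, path))


if __name__ == "__main__":
    main()
```

To see which policies a real token carries, compare this with the `policies` field returned by `vault token lookup` for the token in use.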