Giter Club home page Giter Club logo

openshift-gitops-vault-plugin's Introduction

OpenShift GitOps with ArgoCD Vault Sidecar

This repository is intended to be a refreshed guide for deploying OpenShift GitOps with the ArgoCD Vault Plugin to retrieve secrets from a Hashicorp Vault instance and inject them into Kubernetes resources.

This guide builds on previous work like this Red Hat blog from 2021 and is updated to use the more modern custom plugin sidecar approach.

./images/openshift-gitops-operator.png

Pre-requisites

This guide assumes you have a running OpenShift 4.10+ cluster with administrative privileges on that cluster. In my case I will be running a Red Hat OpenShift on AWS 4.13 cluster provisioned through the Red Hat demo system.

Additionally, ensure you are logged into the cluster in a terminal environment with oc and helm binaries available before proceeding with any of the following steps:

# Check pre-requisites
oc version && helm version

# Login to cluster
oc login --token=<token> --server=<server api url>:6443

Step 1 - Deploy vault

Our first step is to deploy an instance of vault, note that this example is deploying vault in dev mode which is not suitable for production. If you already have a vault instance running you can skip this step.

helm upgrade --install vault vault \
    --repo https://helm.releases.hashicorp.com \
    --namespace vault \
    --create-namespace \
    --set "global.openshift=true" \
    --set "server.dev.enabled=true" \
    --set "injector.enabled=false"

Step 2 - Configure vault

Once we have a vault instance deployed we can run a shell script against the vault pod to quickly configure it for this demo using the excellent vault cli.

The configuration script will configure the kubernetes auth method for vault, enable a kv-v2 secret store, create a test secret and an access policy for that secret.

# Copy our config shell script to the vault pod
oc --namespace vault cp 1-vault/configure-vault.sh vault-0:/tmp/configure-vault.sh

# Run the script remotely in the vault pod
oc --namespace vault exec vault-0 -t -- sh -c 'cd /tmp && ./configure-vault.sh'

Step 3 - Configure argocd vault plugin auth to vault

Once vault is deployed and configured we need to do some further configuration to enable our soon to be deployed ArgoCD Vault Plugin to be able to authenticate to Vault using a kubernetes service account.

# Create namespace that we will deploy argocd into
oc new-project vplugindemo

# Create the service account to be used by argo vault plugin to auth to vault
oc create serviceaccount vplugin

# Create a role in vault to bind our service account to the policy we created earlier
oc --namespace vault exec vault-0 -- vault write auth/kubernetes/role/vplugin \
    bound_service_account_names=vplugin \
    bound_service_account_namespaces=vplugindemo \
    policies=vplugin \
    ttl=1h

# Create the secret for the argo vault plugin to use to configure vault connection
# Supported parameters list: https://argocd-vault-plugin.readthedocs.io/en/stable/config/
oc --namespace vplugindemo create -f 2-argocd/secret-vault-configuration.yaml

Step 4 - Configure argocd vault plugin processing

With authentication configured, we now need to configure what our ArgoCD Vault Plugin sidecar will actually do. This is a two step process, firstly specifying a discover command, then a following generate command.

Refer to these documented examples including for helm or kustomize based applications. In our example we will take the most basic approach of discovering files that contain an annotation, then using argocd-vault-plugin generate . to template the files.

oc --namespace vplugindemo create -f 2-argocd/configmap-plugin.yaml

Step 5 - Deploy openshift gitops

With vault deployed, configured and our argocd vault plugin configured, let’s now deploy the OpenShift GitOps operator.

Note: The below operator subscription is pinned specifically to v1.8.3 from the gitops-1.8 release channel.

oc --namespace openshift-operators create -f 2-argocd/subscription-gitops.yaml

Once the operator has installed successfully we can create our argocd instance via custom resource.

oc --namespace vplugindemo create -f 2-argocd/crd-argocd.yaml

Step 6 - Create argocd application

Once argo is running, create this baseline sample application. This will create a secret resource on the cluster that will have the default placeholder values replaced with values that come from vault! πŸŽ‰

oc --namespace vplugindemo create -f 2-argocd/application-example.yaml

openshift-gitops-vault-plugin's People

Contributors

jmhbnz avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.