/openshift-gitops-vault-plugin

A quick walkthrough for deploying OpenShift GitOps with an ArgoCD Vault Plugin sidecar.

Primary LanguageShellGNU General Public License v3.0GPL-3.0

OpenShift GitOps with ArgoCD Vault Sidecar

This repository is intended to be a refreshed guide for deploying OpenShift GitOps with the ArgoCD Vault Plugin to retrieve secrets from a Hashicorp Vault instance and inject them into Kubernetes resources.

This guide builds on previous work like this Red Hat blog from 2021 and is updated to use the more modern custom plugin sidecar approach.

./images/openshift-gitops-operator.png

Pre-requisites

This guide assumes you have a running OpenShift 4.10+ cluster with administrative privileges on that cluster. In my case I will be running a Red Hat OpenShift on AWS 4.13 cluster provisioned through the Red Hat demo system.

Additionally, ensure you are logged into the cluster in a terminal environment with oc and helm binaries available before proceeding with any of the following steps:

# Check pre-requisites
oc version && helm version

# Login to cluster
oc login --token=<token> --server=<server api url>:6443

Step 1 - Deploy vault

Our first step is to deploy an instance of vault, note that this example is deploying vault in dev mode which is not suitable for production. If you already have a vault instance running you can skip this step.

helm upgrade --install vault vault \
    --repo https://helm.releases.hashicorp.com \
    --namespace vault \
    --create-namespace \
    --set "global.openshift=true" \
    --set "server.dev.enabled=true" \
    --set "injector.enabled=false"

Step 2 - Configure vault

Once we have a vault instance deployed we can run a shell script against the vault pod to quickly configure it for this demo using the excellent vault cli.

The configuration script will configure the kubernetes auth method for vault, enable a kv-v2 secret store, create a test secret and an access policy for that secret.

# Copy our config shell script to the vault pod
oc --namespace vault cp 1-vault/configure-vault.sh vault-0:/tmp/configure-vault.sh

# Run the script remotely in the vault pod
oc --namespace vault exec vault-0 -t -- sh -c 'cd /tmp && ./configure-vault.sh'

Step 3 - Configure argocd vault plugin auth to vault

Once vault is deployed and configured we need to do some further configuration to enable our soon to be deployed ArgoCD Vault Plugin to be able to authenticate to Vault using a kubernetes service account.

# Create namespace that we will deploy argocd into
oc new-project vplugindemo

# Create the service account to be used by argo vault plugin to auth to vault
oc create serviceaccount vplugin

# Create a role in vault to bind our service account to the policy we created earlier
oc --namespace vault exec vault-0 -- vault write auth/kubernetes/role/vplugin \
    bound_service_account_names=vplugin \
    bound_service_account_namespaces=vplugindemo \
    policies=vplugin \
    ttl=1h

# Create the secret for the argo vault plugin to use to configure vault connection
# Supported parameters list: https://argocd-vault-plugin.readthedocs.io/en/stable/config/
oc --namespace vplugindemo create -f 2-argocd/secret-vault-configuration.yaml

Step 4 - Configure argocd vault plugin processing

With authentication configured, we now need to configure what our ArgoCD Vault Plugin sidecar will actually do. This is a two step process, firstly specifying a discover command, then a following generate command.

Refer to these documented examples including for helm or kustomize based applications. In our example we will take the most basic approach of discovering files that contain an annotation, then using argocd-vault-plugin generate . to template the files.

oc --namespace vplugindemo create -f 2-argocd/configmap-plugin.yaml

Step 5 - Deploy openshift gitops

With vault deployed, configured and our argocd vault plugin configured, let’s now deploy the OpenShift GitOps operator.

Note: The below operator subscription is pinned specifically to v1.11.0 from the gitops-1.11 release channel.

oc --namespace openshift-operators create -f 2-argocd/subscription-gitops.yaml

Once the operator has installed successfully we can create our argocd instance via custom resource.

oc --namespace vplugindemo create -f 2-argocd/crd-argocd.yaml

Step 6 - Create argocd application

Once argo is running, create this baseline sample application. This will create a secret resource on the cluster that will have the default placeholder values replaced with values that come from vault! 🎉

oc --namespace vplugindemo create -f 2-argocd/application-example.yaml

Once the application has been created it should automatically sync. We can check the contents of the secret as follows:

oc get secret example-secret -o jsonpath={.data.username} | base64 --decode
oc get secret example-secret -o jsonpath={.data.password} | base64 --decode