
Replace placeholders with this ArgoCD plugin stored in sops encrypted file

Primary LanguageC#MIT LicenseMIT


An Argo CD plugin to replace placeholders in Kubernetes manifests with secrets stored in:

More stores may come in future releases.

The application will scan manifests from stdin looking for the string <secret:key|modifier> to be replaced from selected store and outputted to stdout.

Why should I use it?

  • Allows you to store secrets securely when in Git Ops approach
    • Configuration is in Git
    • Secrets are stored in selected secret store
  • Works well with helm and kustomize generated manifests
  • Allows you to securely replace values in any kind of documents

Installing in Argo CD as an plugin

You can find Kustomization example how to install this application as a plugin.

If you want to install plugin in Argo CD, you can build your own Argo CD image with the plugin already inside, or make use of an Init Container to pull the binary. More about plugins you can find in Argo CD documentation.

Environment Variables

Environment Variable Name Purpose Example Required?
ARGOCD_ENV_SOPS_EXE Allows to change sops executable that is used in sops flow /custom-tools/sops no
SOPS_* Configuring sops via environment variables as in documentation https://github.com/mozilla/sops SOPS_AGE_KEY_FILE=/sops-age/key

Application uses ARGOCD_ENV_ prefix from version of Argo CD 2.4 or higher. Previous versions without prefix are not supported.

Plugin usage

After installing plugin into /custom-tools/ directory, you need to add it inside Argo CD config map under configManagementPlugins.

- name: replacer-helm
    command: ["/bin/sh", "-c"]
    args: ["helm dependency build"]
    command: [sh, -c]
    args: ["helm template --release-name $ARGOCD_APP_NAME --namespace $ARGOCD_APP_NAMESPACE . | argocd-secret-replacer sops -f $ARGOCD_ENV_SOPS_FILE"]
- name: replacer-kustomize
    command: ["sh", "-c"]
    args: ["kustomize build . | argocd-secret-replacer sops -f $ARGOCD_ENV_SOPS_FILE"]

Using plugins won't allow you to use the Argo CD build-in application helm/kustomize options.

More about using plugins you can find in Argo CD documentation.


In this example we will use sops as our provider.

Assuming that you have kustomize files that has secret configured and in secret.sec.yaml file you have it encrypted we will create example app as below.

apiVersion: argoproj.io/v1alpha1
kind: Application
  name: sops-replacer-test
    server: 'https://kubernetes.default.svc'
    namespace: sops-replacer-test
      selfHeal: true
      - CreateNamespace=true
    repoURL: '<your git repo>'
    path: sops-replacer-test
      name: replacer-kustomize
          - name: SOPS_FILE
            value: secret.sec.yaml
    targetRevision: HEAD

For more detailed examples, please go to examples directory.


You can modify the resulting output with the following modifiers:

  • base64: Will base64 encode the secret.