This repo contains example code that integrates Hashicorp Vault and OpenShift GitOps (Argo CD) to deploy secrets from Vault to an OpenShift cluster using the argocd-vault-plugin.
This code is based off the process outlined in this Red Hat Blog. Key differences between this implementation and the blog post:
- Blog was written for v0.x of argocd-vault-plugin, this works with v1.x
- Blog used the community Argo CD image from Docker.io, this uses the supported OpenShift GitOps image from Red Hat
- Blog configured Vault manually using CLI, this uses Vault Config Operator to configure Vault
- Install Vault
- Configure Vault for Kubernetes authentication
- Create custom Argo image with argocd-vault-plugin embedded
- Push custom Argo image to registry
- Install Vault Config Operator
- Install OpenShift GitOps Operator
- Deploy Argo instance using custom image to my-app namespace
- Deploy test application to Argo instance
- During application deployment, Argo will call the argocd-vault-plugin to replace the template value in the secret with the actual secret value from Vault
- 🍻
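The last step above is where the security-relevant work happens: the manifest in Git carries only a placeholder, and the plugin swaps in the real value at generate time. The following is an added illustration, not code from this repo or from argocd-vault-plugin; it emulates the plugin's v1.x inline-path placeholder syntax (`<path:secret/data/my-app#key>`) against a constructed in-memory stand-in for a KV v2 backend, fails closed when a key is missing, and includes the check a practitioner wants after deployment: that no unresolved placeholder leaked into the rendered Secret (which is what you see when Argo runs the stock image instead of the custom one).

```python
import base64
import copy
import re

# Constructed sample: a Secret as it would be committed to Git, with
# argocd-vault-plugin style inline-path placeholders (v1.x syntax).
SECRET_TEMPLATE = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-app-creds", "namespace": "my-app"},
    "type": "Opaque",
    "stringData": {
        "username": "<path:secret/data/my-app#username>",
        "password": "<path:secret/data/my-app#password>",
    },
}

# Constructed stand-in for Vault's KV v2 data: path -> {key: value}.
FAKE_VAULT = {
    "secret/data/my-app": {"username": "svc-user", "password": "s3cr3t"},
}

PLACEHOLDER = re.compile(r"<path:(?P<path>[^#>]+)#(?P<key>[^>]+)>")


class MissingSecret(Exception):
    """Raised when a placeholder points at a path/key Vault does not have."""


def vault_lookup(path, key, backend=FAKE_VAULT):
    # Fail closed: a missing key aborts rendering instead of emitting the
    # literal placeholder (or an empty value) into the cluster.
    try:
        return backend[path][key]
    except KeyError:
        raise MissingSecret(f"{path}#{key} not found in Vault") from None


def resolve(value, lookup=vault_lookup):
    """Replace every <path:...#key> placeholder in one string value."""
    return PLACEHOLDER.sub(lambda m: lookup(m.group("path"), m.group("key")), value)


def render_secret(manifest, lookup=vault_lookup):
    """Emulate the plugin's generate step for a single Secret manifest."""
    out = copy.deepcopy(manifest)
    for field in ("stringData", "data"):
        for k, v in list(out.get(field, {}).items()):
            if isinstance(v, str):
                out[field][k] = resolve(v, lookup)
    # Fold stringData into base64 data, as the API server would store it,
    # so the returned object is the final form that lands in the cluster.
    if "stringData" in out:
        data = out.setdefault("data", {})
        for k, v in out.pop("stringData").items():
            data[k] = base64.b64encode(v.encode()).decode()
    return out


def find_unresolved(rendered):
    """Post-deploy check: list data keys whose decoded value still holds a placeholder."""
    leaked = []
    for k, v in rendered.get("data", {}).items():
        if PLACEHOLDER.search(base64.b64decode(v).decode(errors="replace")):
            leaked.append(k)
    return leaked


if __name__ == "__main__":
    rendered = render_secret(SECRET_TEMPLATE)
    print(rendered["data"])            # base64 of the real values
    print(find_unresolved(rendered))   # [] when the plugin actually ran
```

Running `find_unresolved` over a Secret pulled back from the cluster (decoding `.data` as above) is a quick way to confirm the custom image with the plugin was the one that rendered it.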
- Build custom ArgoCD image with argocd-vault-plugin installed:
$ make build
- Push image to local registry:
$ make push
First, deploy vault! You will need a fresh vault to run this.
After validating that vault is up (pods should be Ready), deploy manifests under ./manifests with make:
$ make install
Run this uninstall before running the vault uninstall, otherwise the vault-config-operator CRs will hang on delete. If you do accidentally uninstall this first, you can patch/edit the hanging CRs to remove their finalizers.
To uninstall:
$ make uninstall