Replies: 1 comment 7 replies
-
|
Hey @shxpark, were you able to get this working? I am currently trying to use the SSCSI driver to mount secrets directly into the argocd repo server. Really curious to know if you got this working. Thanks |
Beta Was this translation helpful? Give feedback.
-
|
What kind of secret are you trying to mount? |
Beta Was this translation helpful? Give feedback.
-
|
I am trying to mount an ssh key for ArgoCD to be able to access a private repository. |
Beta Was this translation helpful? Give feedback.
-
|
Hey there @shxpark, I think I might be at the part where you were 😄. I am now trying to get the CA cert for SSO into dex using a secret rather than pasting it in the config. I am following this documentation: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/identity-center/ Specifically I am at this part: I can't figure out how to do this and which path I need to mount the the secret on. Which path did you mount the CA cert secret onto for dex? I am trying to do the entire deployment using helm. How did you reference the CA cert for dex from a k8s secret in your values? Really appreciate any insights you have. Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
I didn't use Dex, so I didn't have to end up mounting anything. I just created a kubernetes secret then referenced that secret in my values file by just doing $kubernetes-secret-name:key-in-secret. Assuming you have the certificate inside a secret you created, you just need to create a volume and mount it. Example here: https://secrets-store-csi-driver.sigs.k8s.io/concepts.html |
Beta Was this translation helpful? Give feedback.
-
@Benjamin-Day that one gave me quite a bit of reading through docs. My understanding is that custom CA cert for DEX does not work, so I had to switch to "plain" OIDC integration like this: apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
...
data:
...
{{- if and .Values.argocd.sso .Values.argocd.sso.rootCA }}
# https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider
oidc.config: |-
name: {{ .Values.argocd.sso.name }}
clientID: $oidc.isv.clientID
clientSecret: $oidc.isv.clientSecret
issuer: ...
requestedScopes: ...
rootCA: {{- .Values.argocd.sso.rootCA | toYaml | indent 4 }}
{{ else }}
dex.config: |-
connectors:
...
{{- end }} |
Beta Was this translation helpful? Give feedback.
-
I have two secrets that are stored in Secrets Manager - the oidc client secret and a tls crt/key. How can I read values from Secrets Manager? I know the oidc.config is stored in the argocd-cm config map and I know you can also mask the client secret value by storing that value inside the argocd-secret secret but the values in there must be getting read somehow from a path. I've tried changing this part of the deployment.yaml
- mountPath: /app/config/server/tls name: argocd-repo-server-tlsto a different mount path so I can mount my secretsmanager value onto the path and my tls.crt and tls.key that I get from secrets manager successfully mounts onto /app/config/server/tls but the tls termination doesn't happen.
Any ideas what I can do that doesn't involve using k8s secrets and passing the values directly from secrets manager to a volume mount?
These are my secretsproviderclass for both values
apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: argocd-client-secret namespace: ${argocd_ns} spec: provider: aws parameters: objects: | - objectName: *secrets manager arn that contains client_secret* jmesPath: - path: client_secret objectAlias: client_secretapiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: argocd-tls-cert namespace: ${argocd_ns} spec: provider: aws parameters: objects: | - objectName: *secrets manager arn that contains tls.crt and tls.key* jmesPath: - path: cert objectAlias: tls.crt - path: key objectAlias: tls.keyBeta Was this translation helpful? Give feedback.
All reactions