November 18, 2023

argocd-vault-plugin approle

https://argocd-vault-plugin.readthedocs.io/en/stable/installation/

https://developer.hashicorp.com/vault/tutorials/auth-methods/approle

1. AppRole

vault auth enable approle
Success! Enabled approle auth method at: approle/
vault kv put secret/argocd/mysecret username="admin" password="passw0rd"
======= Secret Path =======
secret/data/argocd/mysecret
======= Metadata =======
Key Value
--- -----
created_time  2023-11-18T15:24:17.981340925Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1

vault kv get secret/argocd/mysecret
======= Secret Path =======
secret/data/argocd/mysecret
======= Metadata =======
Key Value
--- -----
created_time  2023-11-18T15:24:17.981340925Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
====== Data ======
Key  Value
---  -----
password passw0rd
username admin

Let's create a policy

vault policy write argocd -<<EOF
# Read-only permission on secrets stored under 'secret/data/argocd/' (KV v2 data path)
path "secret/data/argocd/*" {
capabilities = [ "read", "list" ]
}
EOF
Success! Uploaded policy: argocd

Creating a role that binds the AppRole (argocd) to the policy (argocd)

vault write auth/approle/role/argocd token_policies="argocd"
Success! Data written to: auth/approle/role/argocd

vault read auth/approle/role/argocd
Key Value
--- -----
bind_secret_id  true
local_secret_ids  false
secret_id_bound_cidrs <nil>
secret_id_num_uses  0
secret_id_ttl 0s
token_bound_cidrs []
token_explicit_max_ttl  0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses  0
token_period  0s
token_policies  [argocd]
token_ttl 0s
token_type  default
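Every limit in the role above is still at its unbounded default: the SecretID has no TTL and no use count, the token has no max TTL of its own (which is why the login below returns a 768h token, the system maximum), and nothing is bound to a source network. The following audit script is an added example, not part of the original notes or of Vault: it parses the Key/Value table that `vault read auth/approle/role/<name>` prints and reports those unbounded settings. `ROLE_AS_CREATED` is the table above verbatim; `ROLE_HARDENED` is a constructed variant with a SecretID TTL, a token max TTL and an example CIDR binding (a TTL rather than a use count is chosen because a plugin that authenticates on every run would exhaust a small `secret_id_num_uses`).

```python
"""Audit an AppRole role for settings a reviewer would tighten.

Added example, not part of the original notes: it parses the two-column
text that `vault read auth/approle/role/<name>` prints (the table above)
and reports the limits that are still at their unbounded defaults.
"""
import re
from typing import Dict, List

# Copied from the `vault read auth/approle/role/argocd` output above.
ROLE_AS_CREATED = """\
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [argocd]
token_ttl                  0s
token_type                 default
"""

# Constructed: the same role after a SecretID TTL, a token max TTL and
# a source-network binding have been set (the CIDR is an example value).
ROLE_HARDENED = """\
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      [10.0.0.0/8]
secret_id_num_uses         0
secret_id_ttl              24h
token_bound_cidrs          [10.0.0.0/8]
token_explicit_max_ttl     0s
token_max_ttl              1h
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [argocd]
token_ttl                  20m
token_type                 default
"""

_DURATION_PART = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value: str) -> int:
    """Convert Vault's '0s' / '768h' / '1h30m' style durations to seconds."""
    parts = _DURATION_PART.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"not a Vault duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def parse_read_output(text: str) -> Dict[str, str]:
    """Turn the Key/Value table into a dict; header and rule lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if not key or key in ("Key", "---"):
            continue
        settings[key] = value.strip()
    return settings


def _is_empty_list(value: str) -> bool:
    # Vault prints an unset list as '<nil>' or '[]' depending on the field.
    return value in ("", "<nil>", "[]")


def audit_approle(read_output: str) -> List[str]:
    """Return findings as 'setting: why it matters' strings; empty means clean."""
    role = parse_read_output(read_output)
    findings: List[str] = []
    if role.get("bind_secret_id", "true") != "true":
        findings.append("bind_secret_id=false: the RoleID alone is enough to log in")
    if (parse_duration(role.get("secret_id_ttl", "0s")) == 0
            and int(role.get("secret_id_num_uses", "0")) == 0):
        findings.append("secret_id unbounded: SecretIDs neither expire nor have a use limit")
    if (parse_duration(role.get("token_max_ttl", "0s")) == 0
            and parse_duration(role.get("token_explicit_max_ttl", "0s")) == 0):
        findings.append("token_max_ttl=0: token lifetime falls back to the system maximum")
    if (_is_empty_list(role.get("secret_id_bound_cidrs", ""))
            and _is_empty_list(role.get("token_bound_cidrs", ""))):
        findings.append("no bound CIDRs: login and token use are not tied to a source network")
    return findings


if __name__ == "__main__":
    for name, sample in (("as created", ROLE_AS_CREATED), ("hardened", ROLE_HARDENED)):
        print(f"{name}: {audit_approle(sample) or ['no findings']}")
```

Run against the role as created above it reports three findings (unbounded SecretID, no token max TTL, no CIDR binding); the hardened variant reports none. The same parser works on any `vault read` table, so it can be pointed at other roles as well.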

Now, you need to fetch the RoleID and SecretID of the role

vault read auth/approle/role/argocd/role-id
Key Value
--- -----
role_id 4050fe1b-5ffc-3af2-8c06-6547a9046546
vault write -force auth/approle/role/argocd/secret-id
Key  Value
---  -----
secret_id  48c1cdee-15d2-0ef9-a7f8-6b586c2516ad
secret_id_accessor 7b4d4cf8-90ed-02c1-7a73-a04060b91bbf
secret_id_num_uses 0
secret_id_ttl  0s

Now let's log in using our new AppRole

ROLEID=4050fe1b-5ffc-3af2-8c06-6547a9046546
SECRETID=48c1cdee-15d2-0ef9-a7f8-6b586c2516ad
vault write auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}"
Key  Value
---  -----
token  hvs.CAESIJqbChZ3vxw7BVy7ZeB7nabAZWA1QO1wvdeej1bOOYS-Gh4KHGh2cy5YejlXTmtaVm1LQzFXZlZEdnpKVW1uWHo
token_accessor KWYovBA9rxBvF3O7PHIXty0h
token_duration 768h
token_renewable  true
token_policies ["argocd" "default"]
identity_policies  []
policies ["argocd" "default"]
token_meta_role_name argocd

export VAULT_TOKEN=hvs.CAESIJqbChZ3vxw7BVy7ZeB7nabAZWA1QO1wvdeej1bOOYS-Gh4KHGh2cy5YejlXTmtaVm1LQzFXZlZEdnpKVW1uWHo

vault kv get secret/argocd/mysecret
======= Secret Path =======
secret/data/argocd/mysecret
======= Metadata =======
Key Value
--- -----
created_time  2023-11-18T15:24:17.981340925Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
====== Data ======
Key  Value
---  -----
password passw0rd
username admin

2. ArgoCD

Installation as a sidecar container

https://github.com/argoproj-labs/argocd-vault-plugin/tree/main/manifests/cmp-sidecar

kubectl kustomize https://github.com/argoproj-labs/argocd-vault-plugin/tree/main/manifests/cmp-sidecar | kubectl apply -f -
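Once the sidecar is running, the plugin has to be given the AppRole credentials from part 1. The following manifests are an added example, not from the original notes or from the argocd-vault-plugin project. `AVP_TYPE`, `AVP_AUTH_TYPE`, `AVP_ROLE_ID`, `AVP_SECRET_ID` and `VAULT_ADDR` are the plugin's documented environment variables; it is assumed here that the cmp-sidecar manifests you applied load them from a Secret named `argocd-vault-plugin-credentials` in the `argocd` namespace (check the kustomization), the Vault address is a placeholder, and the RoleID and SecretID are the ones issued above. The second document shows a manifest that the plugin renders, using its `<path:...#key>` placeholder syntax to pull the values written to `secret/data/argocd/mysecret` in part 1.

```yaml
# Added example, not from the original notes or the argocd-vault-plugin
# project. The plugin reads its backend and auth settings from environment
# variables; the cmp-sidecar manifests are assumed to load them from this
# Secret (name and namespace are assumptions, verify against your kustomization).
apiVersion: v1
kind: Secret
metadata:
  name: argocd-vault-plugin-credentials
  namespace: argocd
type: Opaque
stringData:
  AVP_TYPE: vault
  AVP_AUTH_TYPE: approle
  VAULT_ADDR: https://vault.example.internal:8200   # placeholder address
  # RoleID and SecretID issued in part 1. This Secret now grants everything the
  # 'argocd' policy can read, so restrict RBAC on it and rotate the SecretID.
  AVP_ROLE_ID: 4050fe1b-5ffc-3af2-8c06-6547a9046546
  AVP_SECRET_ID: 48c1cdee-15d2-0ef9-a7f8-6b586c2516ad
---
# A manifest rendered by the plugin: each <path:...#key> placeholder is
# replaced with the value stored under secret/data/argocd/mysecret above.
# The plugin base64-encodes values it substitutes into a Secret's data field,
# so the placeholders can be written in plain text here.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: <path:secret/data/argocd/mysecret#username>
  password: <path:secret/data/argocd/mysecret#password>
```

The policy from part 1 limits this AppRole to `secret/data/argocd/*`, so a placeholder pointing anywhere else will fail at render time with a permission error rather than leaking an unrelated secret into the rendered manifests.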