argocdvault插件不能替换占位符
根据以下步骤修复此问题:
-
确保vault配置正确配置,包括正确的地址和访问令牌 apiVersion: v1 kind: Secret metadata: name: argocd-vault namespace: argocd type: Opaque data: vault-addr: https://vault.example.com vault-token: dXNlcjpwYXNzd29yZA==
-
确保您的kubernetes集群角色和策略已正确授予对Vault的访问权限。 示例: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: argocd-vault-cli rules:
- apiGroups: ["tunks.dev"] resources: ["vaults"] verbs: ["get", "list"] apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: argocd-vault-cli-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-vault-cli subjects:
- kind: ServiceAccount name: argocd-vault-plugin namespace: argocd
-
每个占位符和它们的值必须具有与资源相同的源标签,以便Argo CD Vault插件能够查找和替换占位符。 模板中的占位符应该像这样:
apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: myapp spec: source: repoURL: ssh://git@github.com/example/my-repo.git path: manifests plugin: name: vault env: - name: VAULT_ADDR valueFrom: secretKeyRef: name: argocd-vault key: vault-addr - name: VAULT_TOKEN valueFrom: secretKeyRef: name: argocd-vault key: vault-token - name: VAULT_ROLE value: my-role destination: server: https://kubernetes.default.svc namespace: my-namespace syncPolicy: automated: prune: true syncOptions: - Validate=false - CreateNamespace=true project: my-project labels: environment: dev secret-key