Attila

Reputation: 3406

ArgoCD with Sealed Secrets and Kustomize

I am trying to configure Bitnami SealedSecrets with ArgoCD and Kustomize.

I have managed to encrypt the secrets using the kubeseal CLI, these are already deployed on the Kubernetes cluster as Sealed secrets and can be unsealed by the Sealed Secret Controller running on the cluster. The unsealed Secrets contain the expected values. I have defined the secrets using Kustomize Secret Generators - as described in this tutorial: Sealing Secrets with Kustomize. This is also working fine, since ArgoCD recognizes that there should be Secrets generated.

However, ArgoCD expects the secrets to be empty, as they are defined as empty in the Secret Generator part of my kustomization.yaml for the application:

secretGenerator:
- name: secret1
  type: Opaque
- name: secret2
  type: Opaque
- name: secret3
  type: Opaque
... 

Since ArgoCD expects the secrets to be empty, they are detected to be "out of sync" after the Sealed Secrets Controller unseals and decrypts the secrets:

[Screenshot: SecretOutOfSync]

Since ArgoCD thinks that the secrets should be empty, these are replaced by empty secrets. Then the Sealed Secrets Operator updates the Secrets once again and populates the data fields with the decrypted data - leading to an endless loop of ArgoCD synchronization.

The secrets are marked to be managed by Bitnami Sealed Secrets using the sealedsecrets.bitnami.com/managed: "true" annotation. So they are being updated by the Sealed Secrets controller.

How could I change the manifest to make sure that the unsealed secrets are recognized as "in sync" and ArgoCD doesn't keep on syncing because of the "OutOfSync" status of the unsealed secrets? (Which seems to be caused by the decrypted data in the unsealed secrets - as shown in the diff on the screenshot above.)

Upvotes: 3

Views: 4009

Answers (1)

Attila

Reputation: 3406

It is possible to ignore some differences.

This can be defined in the ArgoCD Application manifest:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
...
spec:
  project: my-project
  ...
  syncPolicy:
    ...
    syncOptions:
    ...
    - RespectIgnoreDifferences=true
  ...
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data

The ignoreDifferences specification tells ArgoCD to ignore the differences in the specified path. (In our case everything under /data for secrets).

It is also important to avoid applying the changes. This can be defined using the RespectIgnoreDifferences syncOption.

After adding the ignoreDifferences entry for the Secret kind and setting RespectIgnoreDifferences to true, the Sync Status of the application is shown as "Synced" and the endless loop of syncing has stopped.

Upvotes: 7
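A fuller Application manifest, added here as an example and not part of the answer above, that scopes the ignore rule to the three generated Secrets named in the question instead of every Secret in the application, so Argo CD still detects drift in any Secret it manages itself. The repoURL, path, namespaces, and the assumption that the kustomization sets generatorOptions.disableNameSuffixHash so the Secrets keep their plain names (otherwise use the hashed names Argo CD renders) are mine.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: my-project
  # Assumed repository and path; replace with your own.
  source:
    repoURL: https://example.invalid/placeholder/repo.git
    targetRevision: main
    path: overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: my-app
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    # Without this option ignoreDifferences only affects the diff view;
    # with it the ignored fields are also left untouched on sync, which
    # is what stops the empty-Secret / re-unseal loop.
    - RespectIgnoreDifferences=true
  ignoreDifferences:
  # Limit the ignore to the Secrets the Sealed Secrets controller fills in.
  # A bare "kind: Secret" rule would also hide tampering with any other
  # Secret in this application.
  - kind: Secret
    name: secret1
    jsonPointers:
    - /data
  - kind: Secret
    name: secret2
    jsonPointers:
    - /data
  - kind: Secret
    name: secret3
    jsonPointers:
    - /data
```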
