This repo contains example code that integrates Hashicorp Vault and OpenShift GitOps (Argo CD) to deploy secrets from Vault to an OpenShift cluster using the argocd-vault-plugin.

This code is based off the process outlined in this Red Hat Blog. Key differences between this implementation and the blog post:

• Blog was written for v0.x of argocd-vault-plugin, this works with v1.x
• Blog used the community Argo CD image from Docker.io, this uses the supported OpenShift GitOps image from Red Hat
• Blog configured Vault manually using CLI, this uses Vault Config Operator to configure Vault

• Install Vault
• Configure Vault for Kubernetes authentication
• Create custom Argo image with argocd-vault-plugin embedded
• Push custom Argo image to registry
• Install Vault Config Operator
• Install OpenShift GitOps Operator
• Deploy Argo instance using custom image to my-app namespace
• Deploy test application to Argo instance
• During application deployment, Argo with call the argocd-vault-plugin to replace the template value in secret with the actual secret value
• 🍻

1. Build custom ArgoCD image with argo-vault-plugin installed:

$ make build

2. Push image to local registry:

$ make push

First, deploy vault! You will need a fresh vault to run this.

After validating that vault is up (pods should be Ready), deploy manifests under ./manifests with make:

$ make install

Run this uninstall before running the vault uninstall, otherwise the vault-config-operator CRs will hang on delete. If you do accidentally uninstall this first, you can patch/edit the hanging CRs to remove their finalizers.

To unisntall:

$ make uninstall