The Secrets Vault

Sensitive values that should not be exposed in the Config Repository are stored as secrets in the Secrets Vault. Secrets are fetched at runtime by the ArgoCD Vault Plugin from a backend such as AWS Secrets Manager.

Secrets are referenced in the YAML configuration files in the Config Repository as inline-path placeholders. For example:

ibm_entitlement_key: "<path:arn:aws:secretsmanager:us-east-1:xxxxxxxxxxxx:secret:dev/cluster1/ibm_entitlement#image_pull_secret_b64>"

The configuration values that hold these placeholders are referenced in Helm Chart templates, e.g. 02-ibm-entitlement_Secret:

data:
  .dockerconfigjson: >-
    {{ .Values.ibm_entitlement_key }}

During rendering of the Helm Chart, the ArgoCD Vault Plugin will fetch the secret value from the Secrets Vault at runtime and substitute it into the template.
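A repository-side check for the placeholder convention described above, as an added example that is not part of MAS GitOps or the ArgoCD Vault Plugin: it parses the inline-path placeholder form shown on this page and flags values that are malformed or committed as literals. The sensitive key-name pattern, the line-based YAML handling and every sample entry other than ibm_entitlement_key are assumptions made for the example.

```python
import re

# Inline-path placeholder in the form shown above: <path:SECRET_PATH#KEY>
PLACEHOLDER = re.compile(r"^<path:(?P<path>[^#<>]+)#(?P<key>[^#<>\s]+)>$")
# Assumption: key names that must never carry a literal value in the repository.
SENSITIVE_KEY = re.compile(r"key|secret|password|token", re.IGNORECASE)
# Simplification: flat "key: value" lines only, not a full YAML parser.
KEY_VALUE = re.compile(r"^\s*(?P<key>[\w.-]+):\s*(?P<value>\S.*?)\s*$")


def parse_placeholder(value):
    """Return (secret_path, secret_key) for a well-formed placeholder, else None."""
    match = PLACEHOLDER.match(value.strip().strip("\"'"))
    return (match["path"], match["key"]) if match else None


def lint(yaml_text):
    """Return (line_number, key, problem) for values that would leak or fail to resolve."""
    findings = []
    for number, line in enumerate(yaml_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match["key"], match["value"].strip("\"'")
        if parse_placeholder(value):
            continue  # resolved from the Secrets Vault at render time
        if value.startswith("<path:"):
            findings.append((number, key, "malformed placeholder"))
        elif SENSITIVE_KEY.search(key):
            findings.append((number, key, "literal value on sensitive key"))
    return findings


# Constructed sample input; only the first entry comes from this page.
SAMPLE = """\
ibm_entitlement_key: "<path:arn:aws:secretsmanager:us-east-1:xxxxxxxxxxxx:secret:dev/cluster1/ibm_entitlement#image_pull_secret_b64>"
# constructed: literal committed by mistake
db_password: "hunter2-constructed"
# constructed: placeholder missing the #key part
sls_token: "<path:arn:aws:secretsmanager:us-east-1:xxxxxxxxxxxx:secret:dev/cluster1/sls>"
cluster_id: cluster1
"""

if __name__ == "__main__":
    for number, key, problem in lint(SAMPLE):
        print(f"line {number}: {key}: {problem}")
```

Run as a pre-commit or CI step against the Config Repository, a non-empty result from lint() means a value would either be stored in Git as plaintext or be left unresolved when the chart is rendered.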

Info

MAS GitOps only supports AWS Secrets Manager at present. Support for other backends will be added in future releases.