
How does the iam_role_arn get injected into the application template? #1

Closed
Almenon opened this issue Aug 18, 2023 · 4 comments

@Almenon

Almenon commented Aug 18, 2023

In `bootstrap/control-plane/addons/aws/addons-aws-csi-fsx-driver-appset.yaml` there is a line of code `eks.amazonaws.com/role-arn: {{metadata.annotations.aws_fsx_csi_driver_iam_role_arn}}`. I know the metadata comes from the secret created by the gitops-bridge-bootstrap module, but I'm unclear on how argocd knows to use that secret when templating out `metadata.annotations.aws_fsx_csi_driver_iam_role_arn`.

@blakeromano

It is from the cluster generator. The cluster generator will use the secret object for the cluster it is generating the application from. If you have cluster A and cluster B and both have the label saying they want this addon, it'll generate out the application with that context. You can read more about it here: https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Generators-Cluster/

@Almenon
Author

Almenon commented Aug 23, 2023

Ahhh, thanks. So the flow is like this, in order from top to bottom:

1. An ArgoCD application yaml file is hardcoded in the gitops-bridge-dev repo. This will be used for gitops_bridge_bootstrap later.
2. main.tf generates metadata with IRSA ARNs, and passes that to...
3. gitops-bridge-metadata, which creates the secret contents with `"argocd.argoproj.io/secret-type" = "cluster"` and a default of argocd namespace. The contents are passed to...
4. gitops_bridge_bootstrap, which creates the secret. Then...
5. ArgoCD automatically picks up the secret via the Cluster generator.
6. The generator templates out ArgoCD Applications.

Is there any other way to template out custom values into ArgoCD applications that you know of? I'm curious if the Cluster Generator is the only way or if I have other options.

Relevant: argoproj/argo-cd#7189
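The flow discussed above, as an added example that is not code from the gitops-bridge project or from Argo CD: a simplified Python model of how a cluster generator selects cluster Secrets by label and exposes their labels and annotations as `metadata.*` template parameters. The `enable_aws_fsx_csi_driver` label, the server URLs, the account ID and role name, and the cut-down template are assumptions. Leaving unknown parameters in place is a choice of this model, made so that a Secret missing the role ARN annotation can be detected before the Application is used.

```python
import json
import re

SECRET_TYPE = "argocd.argoproj.io/secret-type"
ARN_KEY = "aws_fsx_csi_driver_iam_role_arn"
# Constructed cluster Secrets; the enable_aws_fsx_csi_driver label, server
# URLs, account id and role name are assumptions made for this example.
SECRETS = [
    {"name": "cluster-a", "server": "https://a.example.invalid",
     "labels": {SECRET_TYPE: "cluster", "enable_aws_fsx_csi_driver": "true"},
     "annotations": {ARN_KEY: "arn:aws:iam::111122223333:role/a-fsx-csi"}},
    {"name": "cluster-b", "server": "https://b.example.invalid",
     "labels": {SECRET_TYPE: "cluster"},  # addon not requested
     "annotations": {}},
    {"name": "cluster-c", "server": "https://c.example.invalid",
     "labels": {SECRET_TYPE: "cluster", "enable_aws_fsx_csi_driver": "true"},
     "annotations": {}},  # addon requested, role ARN never written
]
# Hypothetical, cut-down Application template (not the repo's appset file).
TEMPLATE = {
    "name": "addon-{{name}}-aws-fsx-csi-driver",
    "destination": "{{server}}",
    "serviceAccountAnnotations": {
        "eks.amazonaws.com/role-arn": "{{metadata.annotations." + ARN_KEY + "}}"},
}
PLACEHOLDER = re.compile(r"\{\{\s*([^{}\s]+)\s*\}\}")

def cluster_params(secret):
    """Flatten one cluster Secret into the parameter map used for templating."""
    params = {"name": secret["name"], "server": secret["server"]}
    for kind in ("labels", "annotations"):
        for key, value in secret[kind].items():
            params[f"metadata.{kind}.{key}"] = value
    return params

def render(node, params):
    """Substitute {{param}} in every string; unknown params stay visible."""
    if isinstance(node, dict):
        return {k: render(v, params) for k, v in node.items()}
    return PLACEHOLDER.sub(lambda m: params.get(m.group(1), m.group(0)), node)

def generate(secrets, match_labels, template):
    """One rendered Application per cluster Secret matching the selector."""
    selected = [s for s in secrets
                if s["labels"].get(SECRET_TYPE) == "cluster"
                and all(s["labels"].get(k) == v for k, v in match_labels.items())]
    return [render(template, cluster_params(s)) for s in selected]

def unresolved(app):
    """Parameter names still unrendered, i.e. missing from the Secret."""
    return PLACEHOLDER.findall(json.dumps(app))

APPS = generate(SECRETS, {"enable_aws_fsx_csi_driver": "true"}, TEMPLATE)
```

Running `unresolved()` over each generated Application flags cluster-c, whose Secret carries the addon label but no role ARN annotation.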

@csantanapr
Member

Hi @Almenon,

Thanks for looking at the gitops-bridge project.

Currently the argocd secret that stores the metadata in annotations and the triggers in labels is done from terraform; it really doesn't matter how the data is added to the cluster secret.

You can also take the secret and have argocd deploy it: if you put the argocd secret as a yaml file in this location, with the cluster name as the folder, it will be deployed, and then you can edit it in git: https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template/tree/main/clusters

You can also store the metadata in git and extract it with the git generator.

There are other methods people have used, like an argocd plugin and the recent applicationset plugin, for example using the argocd vault plugin or helm-secret.

For the first implementation of examples I wanted to use the most basic method that doesn't require a 3rd party plugin (enterprise customers sometimes can't use 3rd party dependencies).

There is a proposal to implement this in argocd, "Proposal to introduce dynamic application parameter"; this will be similar to the current method of extracting from the cluster secret, but instead from any secret/configmap.

@csantanapr
Member

The main question was answered
