
Problem statement: An ArgoCD application references a Vault secret via helm-secrets / vals (e.g. vault://kv-v2/services/foo#/apiKey). The application is created before the secret exists in Vault, or while the corresponding key is blank. The key is populated later on. The application keeps behaving as if the value is still missing — usually a 404 from Vault, or a permission denied on the cached lookup:

    Failed to load target state: failed to generate manifest for source 1 of 2: rpc error: code = Unknown desc = Manifest generation error (cached): failed to execute helm template command: [...] vals error: expand vault://kv-v2/services/foo#/apiKey: Error making API request. URL: GET http://vault.infra-services:8200/v1/sys/internal/ui/mounts/kv-v2/services/foo Code: 404.

Note the (cached) part of the error. The argocd-repo-server caches the result of manifest generation, including failed vals / helm-secrets lookups. A normal sync or refresh happily reuses the cached (stale) failure and…
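One way to spot this condition when triaging Application errors, as an added example that is not part of the original post: it separates vals lookup failures served from the repo-server cache from freshly evaluated ones. The function names, the app names and the second and third sample messages are constructed; the first message is the error quoted above.

```python
import re

# "(cached)" is the marker in the error quoted above: the repo-server answered
# from its manifest cache instead of running helm template / vals again.
CACHED_RE = re.compile(r"Manifest generation error \(cached\)")
# The vals reference that failed to expand, up to the ": " that ends it.
REF_RE = re.compile(r"vals error: expand (?P<ref>[a-z0-9+]+://\S+?):\s")
# HTTP status Vault returned for the lookup (404 missing, 403 permission denied).
CODE_RE = re.compile(r"\bCode: (?P<code>\d{3})\b")

def triage(message):
    """Classify one error message; None if it is not a vals expansion failure."""
    ref = REF_RE.search(message)
    if ref is None:
        return None
    code = CODE_RE.search(message)
    return {
        "cached": CACHED_RE.search(message) is not None,
        "ref": ref.group("ref"),
        "vault_code": int(code.group("code")) if code else None,
    }

def cached_lookup_failures(conditions):
    """From (app_name, message) pairs, map each secret reference to the apps
    whose failure for it was served from the manifest cache."""
    stale = {}
    for app, message in conditions:
        result = triage(message)
        if result and result["cached"]:
            stale.setdefault(result["ref"], []).append(app)
    return stale

# The error quoted on this page, "[...]" elision kept as-is.
PAGE_ERROR = (
    "Failed to load target state: failed to generate manifest for source 1 of 2: "
    "rpc error: code = Unknown desc = Manifest generation error (cached): "
    "failed to execute helm template command: [...] vals error: expand "
    "vault://kv-v2/services/foo#/apiKey: Error making API request. URL: GET "
    "http://vault.infra-services:8200/v1/sys/internal/ui/mounts/kv-v2/services/foo Code: 404."
)
# Constructed samples: the same failure without the cache marker, and an unrelated error.
FRESH_ERROR = PAGE_ERROR.replace("Manifest generation error (cached): ", "")
UNRELATED = "Failed to load target state: rpc error: code = Unknown desc = repository not found"
SAMPLE = [("foo", PAGE_ERROR), ("bar", FRESH_ERROR), ("baz", UNRELATED)]

if __name__ == "__main__":
    for ref, apps in cached_lookup_failures(SAMPLE).items():
        print(f"{ref}: cached failure reused by {', '.join(apps)}")
```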
