This guide shows how to configure ejson private keys for the ArgoCD Config Management Plugin (CMP).
Create a secret containing your ejson private key. Each entry's key is the ejson public key ID and its value is the matching private key:

```bash
# Create a secret containing your ejson private key
kubectl create secret generic ejson-keys \
  --from-literal=YOUR_PUBLIC_KEY_ID=YOUR_PRIVATE_KEY \
  --namespace argocd

# Example:
kubectl create secret generic ejson-keys \
  --from-literal=5218ea26fa01414883012c8a1c866c5331ebefba069f86a4183090b3b096a771=82d4af0a44dcabe9e44375e2bbe52842ae9497f068eede12833995bc6ab87020 \
  --namespace argocd
```

Add the secret as a volume mount to the CMP sidecar container:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
        - name: subst-cmp
          # ... existing CMP sidecar configuration ...
          volumeMounts:
            - name: ejson-keys
              mountPath: /opt/ejson/keys
              readOnly: true
            # ... other volume mounts ...
      volumes:
        - name: ejson-keys
          secret:
            secretName: ejson-keys
        # ... other volumes ...
```

The CMP plugin will automatically use keys from the /opt/ejson/keys/ directory:

```yaml
# This is already configured in cmp.yaml
spec:
  generate:
    command:
      - /usr/local/bin/subst
    args:
      - render
      - "."
      - --kustomize-build-options
      - "--load-restrictor LoadRestrictionsNone"
    # No --ejson-key needed - automatically found in /opt/ejson/keys/
```

Alternatively, a single private key can be passed to subst explicitly through an environment variable. Store the private key in a secret:

```bash
kubectl create secret generic ejson-config \
  --from-literal=private-key=82d4af0a44dcabe9e44375e2bbe52842ae9497f068eede12833995bc6ab87020 \
  --namespace argocd
```

Expose it to the repo server as an environment variable:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
        - name: repo-server
          env:
            - name: ARGOCD_ENV_EJSON_KEY
              valueFrom:
                secretKeyRef:
                  name: ejson-config
                  key: private-key
```

Then reference the variable with `--ejson-key` in the plugin's generate command:

```yaml
spec:
  generate:
    command:
      - /usr/local/bin/subst
    args:
      - render
      - "."
      - --ejson-key
      - "${ARGOCD_ENV_EJSON_KEY}"
      - --kustomize-build-options
      - "--load-restrictor LoadRestrictionsNone"
```

For multiple ejson keys, combine a ConfigMap for public keys with a Secret for private keys:
```bash
kubectl create configmap ejson-public-keys \
  --from-literal=public-key-1=5218ea26fa01414883012c8a1c866c5331ebefba069f86a4183090b3b096a771 \
  --from-literal=public-key-2=ff4bbf46acd0b467ee48f6e75041bc5b45442bb4b32f4bb0a2bfa928d2c21e44 \
  --namespace argocd

kubectl create secret generic ejson-private-keys \
  --from-literal=5218ea26fa01414883012c8a1c866c5331ebefba069f86a4183090b3b096a771=82d4af0a44dcabe9e44375e2bbe52842ae9497f068eede12833995bc6ab87020 \
  --from-literal=ff4bbf46acd0b467ee48f6e75041bc5b45442bb4b32f4bb0a2bfa928d2c21e44=544f44d4ca525b1a497e39a1e8bb85147749f38d3f38ac25a70940827d0e8c3f \
  --namespace argocd
```

Mount the private-key secret into the CMP sidecar in the same way as for a single key:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
        - name: subst-cmp
          # ... existing CMP sidecar configuration ...
          volumeMounts:
            - name: ejson-keys
              mountPath: /opt/ejson/keys
              readOnly: true
      volumes:
        - name: ejson-keys
          secret:
            secretName: ejson-private-keys
```

To verify the setup:

```bash
# Check if the secret is mounted correctly
# (the keys are mounted in the CMP sidecar, so target that container with -c)
kubectl exec -it deployment/argocd-repo-server -n argocd -c subst-cmp -- ls -la /opt/ejson/keys/

# Test ejson decryption manually
kubectl exec -it deployment/argocd-repo-server -n argocd -c subst-cmp -- ejson decrypt /path/to/your/encrypted.ejson
```

Common problems:

- Keys not found: Ensure the secret is mounted at /opt/ejson/keys/
- Permission denied: Check that the secret files have correct permissions
- Decryption fails: Verify the private key matches the public key in your .ejson files
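The three troubleshooting cases above can be checked before a sync ever fails. The following script is an added example and not part of subst or of this guide: it relies on ejson's convention of resolving the private key for a file at `<keydir>/<_public_key>` (the CMP mounts the secret at /opt/ejson/keys, which is also ejson's default key directory), walks a checkout for .ejson files, and reports every file whose key is missing, unreadable, or not a 64-hex-character private key. The demo repository, overlay paths and key values it builds are constructed placeholders, not real keys.

```python
"""Check that every .ejson file in a repository has a usable private key in
the ejson key directory. Added example; not part of the subst project.

ejson reads the private key for a file from <keydir>/<_public_key>, so the
checks below map directly onto the troubleshooting cases: no key file
("keys not found"), an unreadable key file ("permission denied"), and a key
file whose content cannot be a private key ("decryption fails").
"""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# EJSON_KEYDIR is ejson's own override for its key directory; the CMP mount
# path /opt/ejson/keys is ejson's default.
DEFAULT_KEYDIR = Path(os.environ.get("EJSON_KEYDIR", "/opt/ejson/keys"))
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Constructed demo key material for run_demo(); these are not real ejson keys.
PUB_PROD, PRIV_PROD = "11" * 32, "aa" * 32
PUB_STAGING = "22" * 32
PUB_DEV = "33" * 32


def public_keys_in_repo(repo):
    """Map each _public_key to the .ejson files declaring it. Files that are
    not valid ejson are grouped under a bracketed marker so they are reported
    rather than silently skipped."""
    found = {}
    for path in sorted(repo.rglob("*.ejson")):
        try:
            doc = json.loads(path.read_text())
        except (json.JSONDecodeError, UnicodeDecodeError):
            found.setdefault("<invalid-json>", []).append(path)
            continue
        pub = doc.get("_public_key") if isinstance(doc, dict) else None
        if not isinstance(pub, str) or not HEX64.match(pub):
            pub = "<missing-or-malformed-_public_key>"
        found.setdefault(pub, []).append(path)
    return found


def check_keydir(repo, keydir=DEFAULT_KEYDIR):
    """Return a list of human-readable problems. An empty list means every
    .ejson file under repo has a readable, well-formed private key installed."""
    problems = []
    for pub, files in public_keys_in_repo(repo).items():
        names = ", ".join(str(f.relative_to(repo)) for f in files)
        if pub.startswith("<"):
            problems.append(f"{pub}: {names}")
            continue
        keyfile = keydir / pub
        if not keyfile.is_file():
            problems.append(f"no key file for {pub} (used by {names})")
        elif not os.access(keyfile, os.R_OK):
            problems.append(f"{keyfile} is not readable by uid {os.getuid()}")
        elif not HEX64.match(keyfile.read_text().strip()):
            problems.append(f"{keyfile} does not contain a 64-hex-char private key")
    return problems


def build_demo(tmp):
    """Constructed repo with three overlays: production has a valid key file,
    staging has none installed, and dev has a truncated key file."""
    repo, keydir = tmp / "repo", tmp / "keys"
    for env, pub in (("production", PUB_PROD), ("staging", PUB_STAGING), ("dev", PUB_DEV)):
        overlay = repo / "k8s" / "overlays" / env
        overlay.mkdir(parents=True)
        # The encrypted value is a placeholder; only _public_key matters here.
        (overlay / "secrets.ejson").write_text(
            json.dumps({"_public_key": pub, "db_password": "EJ[1:placeholder]"}))
    keydir.mkdir()
    (keydir / PUB_PROD).write_text(PRIV_PROD + "\n")
    (keydir / PUB_DEV).write_text(PRIV_PROD[:40] + "\n")  # too short to be a key
    return repo, keydir


def run_demo():
    """Run the check against the constructed demo; returns the problem list."""
    with tempfile.TemporaryDirectory() as d:
        repo, keydir = build_demo(Path(d))
        return check_keydir(repo, keydir)


if __name__ == "__main__":
    # Usage: check_ejson_keys.py [repo-path] [keydir]; with no arguments the demo runs.
    if len(sys.argv) > 1:
        keydir = Path(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_KEYDIR
        problems = check_keydir(Path(sys.argv[1]), keydir)
    else:
        problems = run_demo()
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it inside the subst-cmp container against the plugin's checkout, or locally against a copy of the key files; a non-zero exit means at least one .ejson file in the repository would fail to decrypt with the mounted keys. Because it only reads the `_public_key` field and the key file names, it never needs the plaintext and can run in CI before the Application is synced.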
Security recommendations for handling the keys:

- Use RBAC: Limit access to the ejson secrets
- Rotate keys: Regularly rotate your ejson keys
- Audit access: Monitor who accesses the ejson secrets
- Separate environments: Use different keys for dev/staging/prod
Your ArgoCD Application should reference repositories with .ejson files:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  source:
    repoURL: https://github.com/your-org/your-repo
    path: k8s/overlays/production
    plugin:
      name: subst
  # ... rest of application config
```

The CMP will automatically detect subst.yaml files and decrypt any .ejson files using the mounted keys.