// the find
argoproj-labs/argocd-vault-plugin
An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
A config-management plugin for Argo CD that replaces placeholder tokens in your manifests with real secrets pulled from Vault, AWS Secrets Manager, Azure Key Vault, GCP, and a handful of others. It runs as a sidecar in the repo-server, so secrets never hit Git. Aimed at teams running GitOps with Argo CD who need a secret injection layer without standing up an operator or CRD.
Backend coverage is genuinely broad — Vault, AWS, Azure, GCP, IBM, 1Password, Keeper, Kubernetes native secrets, and more, each with its own auth method support. The placeholder syntax (`<path:secret/data/foo#bar>`) is simple enough that it works in any YAML resource, not just Secrets — you can inject values into Deployments or ConfigMaps too. The fixture-based test suite (input/output YAML pairs) makes it easy to verify template rendering without standing up a real backend. Installation via sidecar is the right call post-Argo CD 2.4 — the legacy argocd-cm plugin approach is deprecated and the repo ships manifests for both paths.
Last push was December 2024 and the repo shows clear signs of slowing — Argo CD itself has been moving fast and compatibility lag is a real risk. Argocd-vault-plugin has historically required a hard-refresh after secret rotation because Argo CD doesn't know the rendered output changed; the workaround (annotating apps to force sync) is clunky and easy to miss in docs. There is no built-in secret caching or TTL — every sync hits the secret backend, which can cause rate-limit pain at scale or with slow backends like Azure Key Vault. Error messages when a placeholder doesn't resolve are terse and often require enabling debug logging to diagnose, which is frustrating in production.