Parent: #584
Priority: High
ArgoCD needs authenticated access to private git repositories for:
- Fetching addon charts and registry files
- Reading fleet member values and overlays
- Syncing bootstrap ApplicationSets
Implementation options:
- GitHub App (recommended) — install a GitHub App on the repo, store the App ID and private key in Secrets Manager, create an ArgoCD repo credential Secret via ExternalSecret
- Personal Access Token — store PAT in Secrets Manager, create repo credential Secret
- SSH key — store deploy key in Secrets Manager
Changes needed:
- Add
repo.auth section to config.yaml schema (type: github-app | token | ssh)
- Seed GitHub App credentials or token in Secrets Manager during bootstrap
- Create ArgoCD repo credential Secret (
argocd.argoproj.io/secret-type: repository) via ExternalSecret or bootstrap
- Update bootstrap ApplicationSets if repo URL format changes (HTTPS vs SSH)
- Document setup steps for each auth method
ArgoCD repo credential format:
apiVersion: v1
kind: Secret
metadata:
name: repo-creds
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repo-creds
stringData:
type: git
url: https://github.com/your-org
githubAppID: "12345"
githubAppInstallationID: "67890"
githubAppPrivateKey: |
-----BEGIN RSA PRIVATE KEY-----
...
Parent: #584
Priority: High
ArgoCD needs authenticated access to private git repositories for:
Implementation options:
Changes needed:
repo.authsection toconfig.yamlschema (type:github-app | token | ssh)argocd.argoproj.io/secret-type: repository) via ExternalSecret or bootstrapArgoCD repo credential format: