Configure Repository Secret for ArgoCD

GitHub

Configure token or SSH keys

Use the following links:

• For token access
  • PAT (Classic): Create a personal access token with the required "repo permissions" for GitOps repositories. Note: This PAT can be used for all repos, so to segregate your usual repositories from GitOps, you can use "Fine-grained tokens" in GitHub.

  • PAT (Fine-grained): Allows you to select repositories from your GitHub organization which can use the token.Create a fine-grained token with the below-mentioned permissions for your GitOps repos:

    • Actions (Read and write)
    • Administration (Read and write)
    • Commit statuses (Read only)
    • Contents (Read and write)
    • Deployments (Read only)
    • Metadata (Read only) _
    • Pull requests (Read and write)

Once we create a PAT, it cannot be edited. Using same PAT (fine-grained) for multiple repositories, requires the repos to be created first and then added in the PAT.

By properly configuring the permissions and access levels for the PAT, you can ensure that it is only used for authorized actions within both the Infrastructure GitOps and Application GitOps workflows while maintaining the required level of security and separation of concerns.

• For SSH Access
  • Generate SSH Key Pair
  • Add SSH Public key to your GitHub Account or Add Deploy Key to your Repository Note: A deploy key is specific to a single repository and cannot be used for multiple repositories whereas, a single SSH key can be used for multiple repositories.

Kubernetes

Create a Kubernetes Secret with Token or SSH key

Create a Kubernetes Secret in ArgoCD namespace with repository credentials. Each repository secret must have a url field and, depending on whether you connect using HTTPS, SSH, username and password (for HTTPS), sshPrivateKey (for SSH).

Example for HTTPS:

apiVersion: v1
kind: Secret
metadata:
  name: private-repo
  namespace: argocd-ns
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://github.com/argoproj/private-repo
  # Use a personal access token in place of a password.
  password: my-pat-or-fgt
  username: my-username

Example for SSH:

apiVersion: v1
kind: Secret
metadata:
  name: private-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: git@github.com:argoproj/my-private-repository
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----

More Info on Connecting ArgoCD to Private Repositories here

Login to the ArgoCD UI. Click Setting from left sidebar, then Repositories to view connected repositories.

Make sure connection status is successful

Create an External Secret

Ask stakater-admin or user belonging to customer-root-tent to add this secret via Vault and External Secrets to ArgoCD namespace.

Possible Issues

If connection status is failed, hover over the ❌ adjacent to Failed to view the error.

SSH Handshake Failed: Key mismatch

Related GitHub Issue: here

If you see the following error. Check argocd-ssh-known-hosts-cm config map in ArgoCD namespace to verify that public key for repository server is added as ssh_known_hosts.

Some known hosts public keys might be missing in argocd-ssh-known-hosts-cm for older ArgoCD versions, Find full list of public keys against repository server here.

Note

If the error persists, contact Stakater Support to review it.