Skip to content

Configure Repository Secret for ArgoCD


Configure token or SSH keys

Use the following links:

  • For token access
    • PAT (Classic): Create a personal access token with the required "repo permissions" for GitOps repositories. Note: This PAT can be used for all repos, so to segregate your usual repositories from GitOps, you can use "Fine-grained tokens" in GitHub.
    • PAT (Fine-grained): Allows you to select repositories from your GitHub organization which can use the token.Create a fine-grained token with the below-mentioned permissions for your GitOps repos:

      • Actions (Read and write)
      • Administration (Read and write)
      • Commit statuses (Read only)
      • Contents (Read and write)
      • Deployments (Read only)
      • Metadata (Read only) _
      • Pull requests (Read and write)

Once we create a PAT, it cannot be edited. Using same PAT (fine-grained) for multiple repositories, requires the repos to be created first and then added in the PAT.

By properly configuring the permissions and access levels for the PAT, you can ensure that it is only used for authorized actions within both the Infrastructure GitOps and Application GitOps workflows while maintaining the required level of security and separation of concerns.


Create a Kubernetes Secret with Token or SSH key

Create a Kubernetes Secret in ArgoCD namespace with repository credentials. Each repository secret must have a url field and, depending on whether you connect using HTTPS, SSH, username and password (for HTTPS), sshPrivateKey (for SSH).

Example for HTTPS:

apiVersion: v1
kind: Secret
  name: private-repo
  namespace: argocd-ns
  labels: repository
  type: git
  # Use a personal access token in place of a password.
  password: my-pat-or-fgt
  username: my-username

Example for SSH:

apiVersion: v1
kind: Secret
  name: private-repo
  namespace: argocd
  labels: repository
  type: git
  sshPrivateKey: |

More Info on Connecting ArgoCD to Private Repositories here

Login to the ArgoCD UI. Click Setting from left sidebar, then Repositories to view connected repositories.

Make sure connection status is successful


Create an External Secret

Ask stakater-admin or user belonging to customer-root-tent to add this secret via Vault and External Secrets to ArgoCD namespace.

Possible Issues

If connection status is failed, hover over the ❌ adjacent to Failed to view the error.

SSH Handshake Failed: Key mismatch

Related GitHub Issue: here

If you see the following error. Check argocd-ssh-known-hosts-cm config map in ArgoCD namespace to verify that public key for repository server is added as ssh_known_hosts. ArgoCD-repo-connection-ssh-issue

Some known hosts public keys might be missing in argocd-ssh-known-hosts-cm for older ArgoCD versions, Find full list of public keys against repository server here.


If the error persists, contact Stakater Support to review it.

Copyright © 2023 Stakater AB – Change cookie settings