Argo CD Git WebHook Secret from another secret

[alex-souslik-hs]

Is your feature request related to a problem?

I've configured a Git WebHook to Argo CD but couldn't figure out how to securely add the WebHook secret to my helm values. My values.yaml is stored in a GitHub repo and the argocd-secret is defined in it.

Related helm chart

argo-cd

Describe the solution you'd like

Ideally, I'd like this configuration to be handled the same way sensitive keys can be handled in argocd-cm.

Describe alternatives you've considered

• Not using the WebHook secret.
• Not creating the argocd-secret with the Argo CD chart.

Additional context

No response

[pdrastil]

Hi @alex-souslik-hs the sensitive values in argocd-cm are inderctly referencing K8s secret, however webhook tokens have to be stored in Secret callled argocd-secret. You can achieve this with various integrations where you take full control of secret creation.

See:

• https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#secrets
• https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-secret-yaml/

You can also check sample snippet bellow that uses external-secret operator if you want to provision this without hardcoding anything sensitive in values.yaml.

configs:
  secret:
    createSecret: false

extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
       name: argocd-secret
    spec:
      secretStoreRef:
        name: aws-secretsmanager
        kind: SecretStore
      target:
        name: argocd-secret
      data:
      - secretKey: webhook.github.secret
        remoteRef:
          key: webhook
          property: webhook.github.secret