kubernetes

ArgoCD: Authenticate to private Github repository via ssh

Mateo Cuervo
· 2 min read
ArgoCD: Authenticate to private Github repository via ssh

In this article I'll share a step by step of how to add ssh authentication to a private Github repository:

Create the key pair (select empty passphrases on prompt)

ssh-keygen -t ed25519 -C "mateo.cuervo@example.com" -f ~/.ssh/argocd_ed25519

Copy the public key

cat ~/.ssh/argocd_ed25519.pub

Go to your Github repo, you should be admin, then click on "Settings" then on "Deploy keys" and finally save the key copied in last step.

Now copy the private key part

cat ~/.ssh/argocd_ed25519

Create a kubernetes secret with the key final result should look something like this:

apiVersion: v1
kind: Secret
metadata:
  name: repo-secret
  namespace: argocd
  labels:
	  # This annotation let's ArgoCD know it's for repository authentication
    argocd.argoproj.io/secret-type: repository
stringData:
  url: git@github.com:cooervo/my-repo-name.git
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
  insecure: "false"

To automate above step, you can use pulumi secrets to encrypt your secret and then programatically deploy it into your cluster. First read from source and pipe it into a pulumi secret.

# Read the private SSH key from the file
cat ~/.ssh/argocd_ed25519 | \ 
# Set the SSH key as a Pulumi secret in the config
  pulumi config set \
      --path my-path:dev-core.argoCdSShPrivateKey \  # Specify the configuration path
      --secret \  # Mark it as a secret
      -s dev-core  # Specify the stack (dev-core)

You can then create the k8s secret and deploy it in your cluster when running pulumi update 

const sshKeyForArgoCd = new k8s.core.v1.Secret(
    `${env}-ssh-argocd-github-infra-repo-private-key`,
    {
      metadata: {
        namespace: 'argocd', //should be in same ns as argocd-server
        labels: {
          // This label lets ArgoCD know it's for repository authentication
          "argocd.argoproj.io/secret-type": "repository",
        },
      },
      stringData: {
        url: "git@github.com:my-org/my-repo.git",
        // sshPrivateKey is the value from pulumi config secret at 
        // argoCdSShPrivateKey which is encrypted with GCP KMS
        sshPrivateKey: config.secrets.argoCdSShPrivateKey,
      },
    },
    { provider: k8sProvider }
  );

Next open your ArgoCD server UI navigate to "Settings" > "Repository", your repo should be connected:

Related Articles

Scalable multi-environment directory structure for a kubernetes project using kustomize, helm and ArgoCD

Personally I find ArgoCD works perfectly fine for kustomize and helm charts. Each tool is used in the following manner:...

· 3 min read

Create an nginx-ingress load balancer in Kubernetes (GKE), with explicit allowlist (whitelist) of IPs

Considering you already have a kubernetes cluster here we are going to use the kubernetes ingress-nginx helm chart to install...

· 2 min read

Integrate Istio's Service Mesh ingress gateway with a GCP Ingress Load Balancer

After realizing that there wasn't a comprehensive tutorial on integrating GCP's Ingress load balancer with Istio...

· 3 min read

Create a new ArgoCD user with custom permissions

In your ArgoCD helm values.yaml file create a new user by adding it to the ConfigMap named argocd-cm.yaml,...

· 1 min read

Authenticate to GCP's Artifact Registry Repository with argocd-image-updater

With argocd-image-updater we can automate deployments in our Kubernetes cluster, after our continous integration (CI) pipelines have built and pushed...

· 3 min read

Helm cheatsheet of the most used commands

The following are the most common commands you need to use helm on a day to day basis. With this...

· 1 min read