Skip to content

4ARMED/argocd-github-app-cloner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

ArgoCD GitHub App Cloner

A command-line tool that leverages ArgoCD's GitHub App credentials stored in Kubernetes secrets to clone private GitHub repositories. This tool automatically finds matching credentials, generates installation tokens, and provides an easy way to clone repositories without managing GitHub tokens manually.

Features

  • 🔍 Automatic credential discovery: Searches ArgoCD repository and repo-creds secrets in your Kubernetes cluster
  • 🎯 Smart matching: Supports both exact URL matches and longest prefix matching for flexible credential management
  • 🔐 Secure token generation: Uses GitHub App JWT authentication to generate short-lived installation tokens
  • 🚀 Interactive cloning: Optionally clones repositories directly or outputs tokens for use in scripts
  • 📦 Kubernetes-native: Works seamlessly with existing ArgoCD installations

Prerequisites

  • Go 1.19 or later
  • Access to a Kubernetes cluster with ArgoCD installed
  • kubectl configured with appropriate permissions to read secrets in the ArgoCD namespace
  • ArgoCD secrets containing GitHub App credentials (either repository or repo-creds type)

Installation

From Source

git clone https://github.com/4ARMED/argocd-github-app-cloner.git
cd argocd-github-app-cloner
go build -o argocd-github-app-cloner

Using Go Install

go install github.com/4ARMED/argocd-github-app-cloner@latest

Usage

Basic Usage

argocd-github-app-cloner -url https://github.com/myorg/myrepo.git

Custom Namespace

If your ArgoCD secrets are in a different namespace:

argocd-github-app-cloner -url https://github.com/myorg/myrepo.git -namespace my-argocd

Get Help

argocd-github-app-cloner -help

Command-Line Options

  • -url (required): The GitHub repository URL to clone
  • -namespace (optional): Kubernetes namespace where ArgoCD secrets are stored (default: argocd)
  • -help: Show help message

How It Works

  1. Credential Discovery: The tool searches for ArgoCD secrets in the specified namespace:

    • First checks for exact URL matches in repository type secrets
    • Falls back to longest prefix matching in repo-creds type secrets

  2. Token Generation:

    • Extracts GitHub App credentials (App ID, Installation ID, and private key)
    • Generates a JWT token signed with the private key
    • Exchanges the JWT for a GitHub installation token via the GitHub API

  3. Repository Cloning:

    • When run interactively: Prompts to clone the repository or outputs the token
    • When piped: Outputs only the token for use in scripts

Examples

Interactive Mode

$ argocd-github-app-cloner -url https://github.com/myorg/private-repo.git
Found exact match in repository secret: myorg-repo-creds
Matched secret: myorg-repo-creds (prefix: https://github.com/myorg/)
Got installation token (expires in ~1 hour)

# Clone with:
git clone https://x-access-token:ghs_xxxxx@github.com/myorg/private-repo.git

# Or export the token:
export GITHUB_TOKEN='ghs_xxxxx'

Clone now? [y/N]: y
Cloning into 'private-repo'...

Script Mode

# Get token for use in scripts
TOKEN=$(argocd-github-app-cloner -url https://github.com/myorg/private-repo.git)
git clone https://x-access-token:$TOKEN@github.com/myorg/private-repo.git

Using with Different Namespaces

argocd-github-app-cloner \
  -url https://github.com/myorg/myrepo.git \
  -namespace argocd-prod

ArgoCD Secret Format

The tool expects ArgoCD secrets with the following structure:

Repository Secret

apiVersion: v1
kind: Secret
metadata:
  name: my-repo
  labels:
    argocd.argoproj.io/secret-type: repository
data:
  url: <base64-encoded-repo-url>
  githubAppID: <base64-encoded-app-id>
  githubAppInstallationID: <base64-encoded-installation-id>
  githubAppPrivateKey: <base64-encoded-private-key>

Repo Creds Secret

apiVersion: v1
kind: Secret
metadata:
  name: my-org-creds
  labels:
    argocd.argoproj.io/secret-type: repo-creds
data:
  url: <base64-encoded-url-prefix>
  githubAppID: <base64-encoded-app-id>
  githubAppInstallationID: <base64-encoded-installation-id>
  githubAppPrivateKey: <base64-encoded-private-key>

Troubleshooting

No matching credentials found

Ensure that:

  • ArgoCD secrets exist in the specified namespace
  • Secrets have the correct label (argocd.argoproj.io/secret-type=repository or argocd.argoproj.io/secret-type=repo-creds)
  • The repository URL matches or has a matching prefix in the secrets
  • You have permissions to read secrets in the namespace

Error loading kubeconfig

Make sure your kubectl is configured correctly:

kubectl get secrets -n argocd

GitHub API errors

  • Verify the GitHub App installation ID is correct
  • Check that the private key is valid and properly formatted
  • Ensure the GitHub App has access to the repository

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages