# Argo CD Manifest Hydrator

Most Argo CD Applications don't directly use plain Kubernetes manifests. They reference a Helm chart or some Kustomize manifests, and then Argo CD transforms those sources into their final form (plain Kubernetes manifests).

Having Argo CD quietly do this transformation behind the scenes is convenient. But it can make it harder for developers to understand the full state of their application, both current and past. Hydrating (also known as "rendering") the sources and pushing the hydrated manifests to git is a common technique to preserve a full history of an Application's state.

Argo CD provides first-class tooling to hydrate manifests and push them to git. This document explains how to take advantage of that tooling.

## Setting up git Push Access

To use Argo CD's source hydration tooling, you have to grant Argo CD push access to all the repositories for apps using the source hydrator.

### Security Considerations

Argo CD stores git push secrets separately from the main Argo CD components and separately from git pull credentials to minimize the possibility of a malicious actor stealing the secrets or hijacking Argo CD components to push malicious changes.

Pushing hydrated manifests to git can improve security by ensuring that all state changes are stored and auditable. If a malicious actor does manage to produce malicious changes in manifests, those changes will be discoverable in git instead of living only in the live cluster state.

You should use your SCM's security mechanisms to ensure that Argo CD can only push to the allowed repositories and branches.
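
One way to check the push/pull credential separation described in this section, as an added example that is not part of Argo CD: a Python audit over the parsed JSON from `kubectl get secrets --all-namespaces -o json`. It relies on the `repository-push` label and `argocd-push` namespace from this page's secret format; the `argocd` namespace, secret names and tokens in the sample are constructed assumptions.

```python
import base64

LABEL = "argocd.argoproj.io/secret-type"
PUSH_NAMESPACE = "argocd-push"  # namespace the page says push secrets live in


def credential(secret):
    """Return (username, password), reading base64 `data` and plain `stringData`."""
    fields = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    fields.update(secret.get("stringData", {}))
    if not fields.get("password"):
        return None  # nothing to compare (e.g. a key-based secret)
    return (fields.get("username", ""), fields["password"])


def audit(secret_list):
    """Return sorted (secret name, finding) pairs; credential values are never echoed."""
    pull, findings = {}, []
    items = secret_list.get("items", [])
    for s in items:
        if s["metadata"].get("labels", {}).get(LABEL) == "repository":
            pull[credential(s)] = s["metadata"]["name"]
    pull.pop(None, None)  # drop pull secrets that carry no password
    for s in items:
        meta = s["metadata"]
        if meta.get("labels", {}).get(LABEL) != "repository-push":
            continue
        if meta.get("namespace") != PUSH_NAMESPACE:
            findings.append((meta["name"], "push secret outside " + PUSH_NAMESPACE))
        if credential(s) in pull:
            findings.append((meta["name"], "credential reused by pull secret " + pull[credential(s)]))
    return sorted(findings)


def make_secret(name, namespace, kind, password):
    # Constructed sample data, not real credentials; "argocd" namespace is an assumption.
    return {"metadata": {"name": name, "namespace": namespace, "labels": {LABEL: kind}},
            "stringData": {"url": "https://github.com/argoproj/argocd-example-apps.git",
                           "username": "bot", "password": password}}


SAMPLE = {"items": [
    make_secret("example-apps-pull", "argocd", "repository", "constructed-pull-token"),
    make_secret("argocd-example-apps", PUSH_NAMESPACE, "repository-push", "constructed-push-token"),
    make_secret("misplaced-push", "argocd", "repository-push", "constructed-pull-token"),
]}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
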

### Adding the Access Credentials

To set up push access, add a secret to the `argocd-push` namespace with the following format:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-example-apps
  labels:
    # Note that this is "repository-push" instead of "repository". The same secret should never be used for both push and pull access.
    argocd.argoproj.io/secret-type: repository-push
type: Opaque
stringData:
  url: https://github.com/argoproj/argocd-example-apps.git
  username: '****'
  password: '****'
```

Once the secret is available, any Application which has pull access to a given repo will be able to use the source hydration tooling to also push to that repo.

## Using the `sourceHydrator` Field

## Migrating from the `source` or `sources` Field