Prerequisites #
Create Token #
Create a token (random string) used to authenticate the Git webhook with Argo CD:
# Create a token
openssl rand -hex 32
# Shell output:
7347fbd015e63b8f9eb34a56f03cb8a69a6b68b7daceb6055db36f18f8ad5dce
Argo CD #
Adapt Kubernetes Secret: Manual Version #
Backup the Secret #
# Create a backup of the secret
kubectl -n argocd get secret argocd-secret -o yaml > argocd-secret-backup.yaml
# Only if necessary: Restore the secret
kubectl apply -f argocd-secret-backup.yaml -n argocd
Edit the Secret #
# Edit the ArgoCD secret
kubectl edit secret argocd-secret -n argocd
Original Secret:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
admin.password: ...
admin.passwordMtime: ...
oidc.azure.clientSecret: ...
server.secretkey: ...
tls.crt: ...
tls.key: ...
kind: Secret
metadata:
creationTimestamp: "2025-11-17T15:26:37Z"
labels:
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
name: argocd-secret
namespace: argocd
resourceVersion: "3333037"
uid: a6a39178-ef1e-4f51-a977-63fb1725c0a8
type: Opaque
Add the GitLab Git webhook token:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
admin.password: ...
admin.passwordMtime: ...
oidc.azure.clientSecret: ...
server.secretkey: ...
tls.crt: ...
tls.key: ...
stringData:
webhook.gitlab.secret: "7347fbd015e63b8f9eb34a56f03cb8a69a6b68b7daceb6055db36f18f8ad5dce"
kind: Secret
metadata:
creationTimestamp: "2025-11-17T15:26:37Z"
labels:
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
name: argocd-secret
namespace: argocd
resourceVersion: "3333037"
uid: a6a39178-ef1e-4f51-a977-63fb1725c0a8
type: Opaque
Adapt Kubernetes Secret: Ansible Version #
Ansible Playbook #
---
- name: ArgoCD Git Webhook
hosts: localhost
connection: local
gather_facts: false
become: false
vars:
argocd_namespace: "argocd"
gitlab_webhook_token: "7347fbd015e63b8f9eb34a56f03cb8a69a6b68b7daceb6055db36f18f8ad5dce"
tasks:
- name: Merge GitLab webhook token to ArgoCD default secret
delegate_to: localhost
become: false
connection: local
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: "{{ argocd_namespace }}"
stringData:
webhook.gitlab.secret: "{{ gitlab_webhook_token }}"
merge_type:
- merge
# Run Ansible playbook
ansible-playbook playbooks/argocd_git_webhook.yml -i inventory
Verify Webhook Token #
# Verify the webhook token value
kubectl -n argocd get secret argocd-secret \
-o jsonpath='{.data.webhook\.gitlab\.secret}' | base64 -d; echo
# Shell output:
7347fbd015e63b8f9eb34a56f03cb8a69a6b68b7daceb6055db36f18f8ad5dce
GitLab #
Network: Outbound Requests #
If “outbound request filtering” is enabled, GitLab can reject webhook URLs with “Invalid URL given” unless the destination is whitelisted.
-
Go to: “Admin” / “Admin area”
-
Select “Settings” > “Network”
-
Scroll to “Outbound requests”
-
Add the Argo CD URL:
argocd.jklug.work -
Click “Save changes”
Add Git Webhook #
In the Helm Chart repository:
-
Go to: (Project) “Settings” > “Webhooks”
-
Click “Add new webhook”
# Name (optional)
argocd
# URL
https://argocd.jklug.work/api/webhook
# Secret token
7347fbd015e63b8f9eb34a56f03cb8a69a6b68b7daceb6055db36f18f8ad5dce
# Trigger
Push events > All branches
Tag push events
-
Select “Enable SSL verification”
-
Click “Add webhook”
Test Git Webhook #
