Copilot AI commented Dec 21, 2025

Enables Argo CD to access this private repository via SSH deploy key managed by 1Password Operator.

Implementation

New role: ansible/roles/argocd_github_repo_create/

  • Creates OnePasswordItem CRD in argocd namespace mapping field deploy-key of vaults/HomeLab/items/Github to sshPrivateKey
  • Polls for 1Password Operator to materialize secret (30 retries × 5s)
  • Validates extracted key is non-empty string before use
  • Applies Argo repository Secret with label argocd.argoproj.io/secret-type: repository
  • Cleans up temporary manifests from isolated temp directory

Deployment order:

roles:
  - argocd_deploy
  - onepassword_operator_deploy
  - argocd_github_repo_create  # ← new
  - tailscale_operator_deploy

Security posture

  • SSH key extracted at runtime from 1Password-managed secret, never committed
  • All secret operations use no_log: true
  • Temporary manifests rendered to isolated directory with mode 0600, removed after apply
  • Fails fast if CRD missing or namespace absent

Idempotency

Uses k8s_object_manager role (wraps kubernetes.core.k8s). Re-runs are no-op if resources exist unchanged.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • galaxy.ansible.com
    • Triggering command: /opt/pipx_bin/ansible-galaxy ansible-galaxy collection install -r requirements.yml frigate_deploy/defaults/main.yml (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Add argocd_github_repo_create role to register SRF-Audio/utility-scripts via SSH deploy key</issue_title>
<issue_description>## Goal

Create a new Ansible role argocd_github_repo_create that runs after onepassword_operator_deploy and registers this private GitHub repo in Argo CD using an SSH deploy key sourced from 1Password Operator:

  • Repo URL (SSH): git@github.com:SRF-Audio/utility-scripts.git
  • 1Password item: vaults/HomeLab/items/Github
  • 1Password field containing private key: deploy-key
  • Operator mapping pattern: spec.fields.sshPrivateKey.field: deploy-key

This enables downstream Argo Applications to reference paths in that repo without embedding credentials.

Authoritative reference (implementation must align):


Non-negotiables

  • No guessing. Use only confirmed details from this issue + existing repo conventions.
  • No secrets in plaintext Ansible vars, templates, or files.
  • Must be idempotent.
  • Must fail fast if prerequisites are missing (1Password CRD/operator, namespaces, etc.).
  • Use existing k8s apply patterns in this repo (prefer the existing role(s) you already use for applying Kubernetes manifests; do not introduce ad-hoc kubectl unless the repo already does it that way).

Files / Paths to Create

Create a new role directory:

ansible/roles/argocd_github_repo_create/
├── defaults/main.yml
├── meta/argument_specs.yml
├── tasks/main.yml
└── templates/
    ├── onepassword-item.yml.j2
    └── argocd-repository-secret.yml.j2

Variables (role-prefixed; no config creep)

Add only what’s required:

defaults/main.yml

  • argocd_github_repo_create_kubeconfig: "{{ k3s_kubeconfig_path | default('', true) }}"

  • argocd_github_repo_create_context: "{{ k3s_context_name | default('', true) }}"

  • argocd_github_repo_create_argocd_namespace: argocd

  • argocd_github_repo_create_repo_url_ssh: "git@github.com:SRF-Audio/utility-scripts.git"

  • argocd_github_repo_create_op_item_path: "vaults/HomeLab/items/Github"

  • argocd_github_repo_create_op_deploy_key_field: "deploy-key"

  • argocd_github_repo_create_op_item_name: "argocd-repo-utility-scripts" (name inside Kubernetes; must be unique in namespace)

  • argocd_github_repo_create_repo_secret_name: "repo-utility-scripts" (Argo repo secret name; must be unique in Argo namespace)

If your repo has an established naming convention for these, match it (don’t invent a new one).


Argument validation (meta/argument_specs.yml)

Add a single options block that asserts:

  • kubeconfig/context are optional but if provided must be non-empty strings
  • namespace, repo URL, itemPath, and field names are non-empty strings

Also include a required_if / assertions inside tasks for:

  • argocd_github_repo_create_argocd_namespace exists in cluster (explicit check)
  • 1Password CRD exists before applying OnePasswordItem

Kubernetes resources to template (exact behavior)

1) OnePasswordItem (in Argo namespace)

Template: templates/onepassword-item.yml.j2

Resource:

  • apiVersion: onepassword.com/v1
  • kind: OnePasswordItem
  • metadata.name: {{ argocd_github_repo_create_op_item_name }}
  • metadata.namespace: {{ argocd_github_repo_create_argocd_namespace }}
  • spec.itemPath: {{ argocd_github_repo_create_op_item_path }}
  • spec.fields mapping MUST be used (Pattern A):
fields:
  sshPrivateKey:
    field: {{ argocd_github_repo_create_op_deploy_key_field }}

This must result in a Kubernetes Secret materializing with key sshPrivateKey.

2) Argo CD repository Secret (declarative)

Template: templates/argocd-repository-secret.yml.j2

Create a Kubernetes Secret in the Argo namespace with:

  • metadata.name: {{ argocd_github_repo_create_repo_secret_name }}

  • metadata.namespace: {{ argocd_github_repo_create_argocd_namespace }}

  • label exactly:

    • argocd.argoproj.io/secret-type: repository

stringData must include the required Argo fields:

  • type: git
  • url: {{ argocd_github_repo_create_repo_url_ssh }}

The sshPrivateKey value must be sourced from the 1Password-rendered secret without copying secrets into Ansible. Implementer must follow the operator’s established behavior:

Required approach:

  • The role must apply the OnePasswordItem
  • Then wait/check until the corresponding Kubernetes Secret exists and contains data.sshPrivateKey or stringData.sshPrivateKey (depending on operator output), and only then apply the Argo repo secret in a way that references that secret data without storing it in Ansible logs/artifacts.

Do not implement by:

  • kubectl get secret ... -o jsonpath and storing it into a registered var that might be logged
  • writing the private k...
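The procedure the issue specifies (fail-fast prerequisite checks, apply the OnePasswordItem, wait for the operator's Secret, apply the Argo CD repository Secret, then verify) as one Ansible tasks file. This is an added illustration, not the merged role's tasks/main.yml or any code from the PR. It calls kubernetes.core modules directly because the repo's k8s_object_manager wrapper role is not shown on this page; it assumes the 1Password operator names the Secret it materializes after the OnePasswordItem (name, register variable names and the hypothetical final check are mine). Two points a practitioner would want: the registered result of the wait task contains the base64-encoded private key, so that task and everything consuming it run under no_log, and the key is copied base64-as-is into the repository Secret's data block so it is never decoded on the Ansible controller.

```yaml
# Added example (not the merged role); kubernetes.core called directly instead of
# the repo's k8s_object_manager wrapper. ASSUMPTION: the 1Password operator names
# the Secret it materializes after the OnePasswordItem.
---
- name: Fail fast if the OnePasswordItem CRD is not installed
  kubernetes.core.k8s_info:
    <<: &kube_auth   # reused by every task below
      kubeconfig: "{{ argocd_github_repo_create_kubeconfig | default(omit, true) }}"
      context: "{{ argocd_github_repo_create_context | default(omit, true) }}"
    api_version: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    name: onepassworditems.onepassword.com
  register: _op_crd
  failed_when: _op_crd.resources | length == 0

- name: Fail fast if the Argo CD namespace is absent
  kubernetes.core.k8s_info:
    <<: *kube_auth
    api_version: v1
    kind: Namespace
    name: "{{ argocd_github_repo_create_argocd_namespace }}"
  register: _argocd_ns
  failed_when: _argocd_ns.resources | length == 0

- name: Apply the OnePasswordItem (spec.fields mapping from the issue)
  kubernetes.core.k8s:
    <<: *kube_auth
    state: present
    definition:
      apiVersion: onepassword.com/v1
      kind: OnePasswordItem
      metadata:
        name: "{{ argocd_github_repo_create_op_item_name }}"
        namespace: "{{ argocd_github_repo_create_argocd_namespace }}"
      spec:
        itemPath: "{{ argocd_github_repo_create_op_item_path }}"
        fields:
          sshPrivateKey:
            field: "{{ argocd_github_repo_create_op_deploy_key_field }}"

# The registered result carries the base64-encoded private key: no_log is
# mandatory here, and nothing is decoded on the controller.
- name: Wait for the operator to materialize the Secret (30 x 5s)
  kubernetes.core.k8s_info:
    <<: *kube_auth
    api_version: v1
    kind: Secret
    name: "{{ argocd_github_repo_create_op_item_name }}"
    namespace: "{{ argocd_github_repo_create_argocd_namespace }}"
  register: _op_secret
  retries: 30
  delay: 5
  until: >-
    _op_secret.resources | length > 0 and
    (_op_secret.resources[0].data | default({})).sshPrivateKey | default('') | length > 0
  no_log: true

# All values go in `data` (already base64), not `stringData`, so the object the
# module diffs on re-runs matches what the API server stores (no-op when unchanged).
- name: Apply the Argo CD repository Secret (key copied base64-as-is)
  kubernetes.core.k8s:
    <<: *kube_auth
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: "{{ argocd_github_repo_create_repo_secret_name }}"
        namespace: "{{ argocd_github_repo_create_argocd_namespace }}"
        labels:
          argocd.argoproj.io/secret-type: repository
      type: Opaque
      data:
        type: "{{ 'git' | b64encode }}"
        url: "{{ argocd_github_repo_create_repo_url_ssh | b64encode }}"
        sshPrivateKey: "{{ _op_secret.resources[0].data.sshPrivateKey }}"
  no_log: true

- name: Check the result carries the label and keys Argo CD looks for
  kubernetes.core.k8s_info:
    <<: *kube_auth
    api_version: v1
    kind: Secret
    name: "{{ argocd_github_repo_create_repo_secret_name }}"
    namespace: "{{ argocd_github_repo_create_argocd_namespace }}"
    label_selectors:
      - argocd.argoproj.io/secret-type=repository
  register: _repo_secret
  failed_when: >-
    _repo_secret.resources | length == 0 or
    ['type', 'url', 'sshPrivateKey'] | difference(_repo_secret.resources[0].data.keys() | list) | length > 0
  no_log: true
```

The `until` expression relies on Jinja's short-circuit `and`, so `resources[0]` is only indexed once the operator has produced the Secret; if the 30 retries run out the task fails with its output censored by no_log, which is the intended trade-off. The final task is the check to run after any change to the role: Argo CD only registers Secrets that carry the `argocd.argoproj.io/secret-type: repository` label and the `type`, `url` and `sshPrivateKey` keys.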


Copilot AI self-assigned this Dec 21, 2025
Copilot AI and others added 5 commits December 21, 2025 14:35
Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add argocd_github_repo_create role for utility-scripts" to "Add argocd_github_repo_create role for declarative SSH repo registration" Dec 21, 2025
Copilot AI requested a review from SRF-Audio December 21, 2025 14:45
SRF-Audio marked this pull request as ready for review December 21, 2025 14:58
SRF-Audio merged commit 99aa7cf into main Dec 21, 2025
3 of 12 checks passed
SRF-Audio deleted the copilot/add-argocd-github-repo-role branch December 21, 2025 14:58