diff --git a/argocd/reset-ekman-cluster.sh b/argocd/reset-ekman-cluster.sh
index c113b361..c9a57384 100755
--- a/argocd/reset-ekman-cluster.sh
+++ b/argocd/reset-ekman-cluster.sh
@@ -5,8 +5,14 @@ kubectl --context ekman delete -f ekman-cluster-admin-token.yaml
 sleep 1
 kubectl --context ekman apply -f ekman-cluster-admin-token.yaml
-secret=$(kubectl --context ekman get secret -n kube-system | grep cluster-admin-token | cut -d' ' -f1)
-token=$(kubectl --context ekman get secret -n kube-system $secret -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
+# secret=$(kubectl --context ekman get secret -n kube-system | grep cluster-admin-token | cut -d' ' -f1)
+# token=$(kubectl --context ekman get secret -n kube-system $secret -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
+# sed "s/@token@/$token/" ekman.yaml > _ekman.yaml
+# echo "configure argocd ekman-cluster..."
+# cat _ekman.yaml
+# kubectl --context oceanbox apply -f _ekman.yaml
+
+token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
 sed "s/@token@/$token/" ekman.yaml > _ekman.yaml
 echo "configure argocd ekman-cluster..."
 cat _ekman.yaml
diff --git a/values/system/ekman/argocd-manager-rbac.yaml b/values/system/ekman/argocd-manager-rbac.yaml
new file mode 100644
index 00000000..865190c7
--- /dev/null
+++ b/values/system/ekman/argocd-manager-rbac.yaml
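Review bot: In argocd/reset-ekman-cluster.sh the new `token=` line still scrapes `-o yaml` output with `grep ' token:' | cut -d' ' -f4` and never checks the result, so a missing or not-yet-populated `argocd-manager-token` secret yields an empty token that `sed` writes into `_ekman.yaml` without complaint. Reading the field directly and failing on empty is sturdier: `token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o jsonpath='{.data.token}' | base64 -d)` followed by `[ -n "$token" ] || exit 1`. The unchanged lines above still re-apply ekman-cluster-admin-token.yaml while the token now comes from a secret this script does not recreate, so as far as the hunk shows the reset no longer rotates the credential it hands to Argo CD; the script continues outside the hunk, so this should be confirmed against the rest of the file. The unchanged `cat _ekman.yaml` prints that bearer token to the terminal or CI log and leaves it in a file on disk, and the six commented-out lines could simply be deleted, since git history keeps them.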
@@ -0,0 +1,44 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: argocd-manager
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: argocd-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argocd-manager
+subjects:
+- kind: ServiceAccount
+ name: argocd-manager
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argocd-manager
+ namespace: kube-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: argocd-manager
+ name: argocd-manager-token
+ namespace: kube-system
+type: kubernetes.io/service-account-token
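Review bot: The `argocd-manager` ClusterRole grants every verb on every resource and every non-resource URL, which is cluster-admin in all but name, and the `argocd-manager-token` Secret of type `kubernetes.io/service-account-token` holds a token that does not expire on its own. Nothing in the file says this is deliberate or how the token is rotated; a header comment such as `# Argo CD manager for ekman: cluster-admin-equivalent; token is long-lived, rotate by deleting and re-applying the Secret` would make that visible to the next reader. If Argo CD only deploys into known namespaces or API groups on this cluster, the wildcard rules could be narrowed to those, and audit logging for this ServiceAccount is worth having, since anyone who can read Secrets in kube-system holds the same access.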