From e80973755ed6cd8c92b47ce70d6156381247781a Mon Sep 17 00:00:00 2001
From: Jonas Juselius <jonas.juselius@oceanbox.io>
Date: Sun, 22 Jun 2025 10:32:01 +0200
Subject: [PATCH] fix: remove explicit access token from helm-git urls (take 3)

---
 helmfile.d/atlantis.yaml.gotmpl       | 6 +-----
 helmfile.d/sorcerer.yaml.gotmpl       | 6 +-----
 shell.nix                             | 2 +-
 values/argo/values/argocd.yaml.gotmpl | 7 +++++++
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/helmfile.d/atlantis.yaml.gotmpl b/helmfile.d/atlantis.yaml.gotmpl
index 48c3f2fe..b7e24a4e 100644
--- a/helmfile.d/atlantis.yaml.gotmpl
+++ b/helmfile.d/atlantis.yaml.gotmpl
@@ -3,11 +3,7 @@ bases:
 
 repositories:
 - name: oceanbox
-  {{- if env "MANIFESTS_ACCESS_TOKEN" }}
-  url: "git+https://git:{{ requiredEnv "MANIFESTS_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- else }}
-  url: "git+https://gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- end }}
+  url: "git+https://git:{{ requiredEnv "HELM_GIT_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
 
 commonLabels:
   tier: system
diff --git a/helmfile.d/sorcerer.yaml.gotmpl b/helmfile.d/sorcerer.yaml.gotmpl
index 9e8bc95d..c179723d 100644
--- a/helmfile.d/sorcerer.yaml.gotmpl
+++ b/helmfile.d/sorcerer.yaml.gotmpl
@@ -3,11 +3,7 @@ bases:
 
 repositories:
 - name: oceanbox
-  {{- if env "MANIFESTS_ACCESS_TOKEN" }}
-  url: "git+https://git:{{ requiredEnv "MANIFESTS_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- else }}
-  url: "git+https://gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- end }}
+  url: "git+https://git:{{ requiredEnv "HELM_GIT_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
 
 commonLabels:
   tier: system
diff --git a/shell.nix b/shell.nix
index e2ad885a..4cf65763 100644
--- a/shell.nix
+++ b/shell.nix
@@ -37,5 +37,5 @@ pkgs.mkShellNoCC {
   ];
 
   ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
-  MANIFESTS_ACCESS_TOKEN = "glpat-xxx";
+  HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 }
diff --git a/values/argo/values/argocd.yaml.gotmpl b/values/argo/values/argocd.yaml.gotmpl
index d68597e6..006d8a05 100644
--- a/values/argo/values/argocd.yaml.gotmpl
+++ b/values/argo/values/argocd.yaml.gotmpl
@@ -178,6 +178,13 @@ repoServer:
   - command:
     - /var/run/argocd/argocd-cmp-server
     image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+    env:
+    - name: HELM_GIT_ACCESS_TOKEN
+      valueFrom:
+        secretKeyRef:
+          key: password
+          name: oceanbox-gitops-repo
+          optional: false
     imagePullPolicy: Always
     name: helmfile-cmp
     securityContext: