Problem

Currently, kubechecks does not properly handle Kustomize applications that reference remote bases from private repositories. When an ArgoCD application uses a kustomize base from an external private repository, the manifest
generation fails because the repository credentials are not being passed through.

Root Cause

In pkg/argo_client/manifests.go, the code creates a basic Repository object with only the RepoURL:

Repo: &v1alpha1.Repository{Repo: source.RepoURL},

This approach works for public repositories but fails for private remote bases because it lacks the necessary authentication credentials (SSH keys, tokens, etc.) that ArgoCD has configured.

Proposed Solution

Retrieve the repository configuration with enriched credentials from ArgoCD's database before generating manifests:

 // Get repository with enriched credentials from ArgoCD database
 enrichedRepo, err := argoDB.GetRepository(ctx, source.RepoURL, app.Spec.Project)
 if err != nil {
     return nil, fmt.Errorf("failed to get repository with credentials: %w", err)
 }
 log.Debug().Msgf("using repository with credentials for %s", source.RepoURL)

 // Use enriched repo instead of basic repo URL
 Repo: enrichedRepo,

Benefits

• Enables kubechecks to validate ArgoCD applications that use private Kustomize remote bases
• Maintains consistency with how ArgoCD handles repository authentication
• No changes required to application configurations

Testing

Tested with ArgoCD applications referencing private Kustomize bases and confirmed that manifest generation now succeeds with proper credential handling.