Labsco
matthisholleville logo

ArgoCD

โ˜… 10

from matthisholleville

Expose the entire ArgoCD API to LLMs via MCP using just 2 auto-generated tools powered by the OpenAPI spec.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeAdvanced setup

ArgoCD

argocd-mcp

The entire ArgoCD API, exposed to LLMs via MCP.
103+ endpoints. Zero hardcoded handlers. Two modes: search or generated tools.

Quick Start โ€ข How It Works โ€ข OAuth โ€ข Configuration


Most ArgoCD MCP servers hardcode a few operations: list apps, sync, get status. When ArgoCD adds a new feature, you wait for the maintainer to add it.

argocd-mcp takes a different approach, inspired by Cloudflare's MCP server which covers 2500+ endpoints with only 2 tools. It reads ArgoCD's OpenAPI spec at startup and exposes every endpoint through just 2 tools: search and execute. New ArgoCD version? Restart the server. Done.

  • 103+ endpoints from ArgoCD's OpenAPI spec, zero hardcoded handlers
  • Two tool modes: search (2 meta-tools) or generated (1 typed tool per endpoint)
  • Works with Claude Desktop, Claude Code, Cursor, or any MCP client
  • No code per endpoint โ€” the OpenAPI spec is the source of truth
  • Two auth modes: static token or OAuth via ArgoCD Dex (per-user RBAC)
  • Read-only mode โ€” disable all write operations with a single flag
  • Resource scoping โ€” restrict which ArgoCD resources are exposed with ALLOWED_RESOURCES
  • Rate limiting โ€” per-user token bucket to protect ArgoCD from excessive calls
  • Prompt templates โ€” pre-packaged workflows for common operations (unhealthy apps, diff, rollback, logs)
  • Audit logging โ€” structured JSON logs for every tool call (user, method, path, status, duration)
  • MCP annotations โ€” tools are annotated as read-only, destructive, or idempotent for proper client categorization
  • Optional semantic search via Ollama embeddings

How It Works

At startup, the server fetches ArgoCD's Swagger spec and parses every endpoint. Then it exposes them to LLMs via one of two modes:

Search mode (default, TOOL_MODE=search)

Two meta-tools handle all 103+ endpoints. The LLM discovers endpoints by searching, then calls them via a generic executor.

graph TD
    A[ArgoCD /swagger.json] -->|Fetch at startup| B[Parse Swagger 2.0]
    B --> C[103+ Endpoints in memory]
    C --> D[search_operations]
    C --> E[execute_operation]
    D -->|LLM discovers endpoints| F[Returns method, path, summary, params]
    E -->|LLM calls API| G[Proxies to ArgoCD with user token]

Generated mode (TOOL_MODE=generated)

One typed MCP tool per endpoint, generated dynamically at startup. The LLM calls argocd_application_sync(name, revision) directly โ€” no search step, no path construction.

graph TD
    A[ArgoCD /swagger.json] -->|Fetch at startup| B[Parse Swagger 2.0]
    B --> C[103+ Endpoints]
    C -->|Generate per endpoint| D[argocd_application_list]
    C --> E[argocd_application_sync]
    C --> F[argocd_cluster_get]
    C --> G[... 100+ more tools]
    D & E & F & G -->|Typed params, 1 call| H[Proxies to ArgoCD]

Which mode to choose?

SearchGenerated
Tools registered2103+
LLM round-trips2 (search โ†’ execute)1 (direct call)
Parameter typingRaw JSON stringsTyped individual params
Context usageLow (~200 tokens)Higher (mitigated by client deferred loading)
Best forLightweight clients, constrained contextClaude Code, Claude Desktop, Cursor

Clients like Claude Code and Claude Desktop support deferred tool loading โ€” they only load tool definitions into context when needed, so the 103+ tools don't consume context window upfront.


Semantic Search (optional)

Enable Ollama-powered vector search for better results on natural language queries:

docker compose up --build -d  # Starts Ollama + argocd-mcp with embeddings

Set EMBEDDINGS_ENABLED=true, OLLAMA_URL, and EMBEDDINGS_MODEL (defaults to nomic-embed-text).


Read-Only Mode (optional)

Set DISABLE_WRITE=true to prevent any disruptive action on your cluster. When enabled:

  • Write endpoints are hidden โ€” POST, PUT, PATCH, DELETE operations are filtered out from the search index, so the LLM never discovers them.
  • Write execution is blocked โ€” even if a caller manually crafts an execute_operation request with a write method, it is rejected.
  • Read operations work normally โ€” GET, HEAD, OPTIONS are unaffected.

This is ideal for production environments, demos, or any setup where you want LLMs to observe but never modify your ArgoCD resources.

# Claude Code
claude mcp add argocd -s user -- \
  docker run --rm -i \
  -e ARGOCD_BASE_URL=https://argocd.example.com \
  -e ARGOCD_TOKEN=your-token \
  -e DISABLE_WRITE=true \
  ghcr.io/matthisholleville/argocd-mcp:latest

Resource Scoping (optional)

Set ALLOWED_RESOURCES to restrict which ArgoCD resource types the LLM can discover and call. This filters both search results and blocks execution of out-of-scope endpoints.

# Only expose application and version endpoints
ALLOWED_RESOURCES=ApplicationService,VersionService

Composes with DISABLE_WRITE:

# Read-only access to applications only
DISABLE_WRITE=true
ALLOWED_RESOURCES=ApplicationService

Available resource tags (from ArgoCD's OpenAPI spec):

TagEndpoints
AccountService6
ApplicationService31
ApplicationSetService6
CertificateService3
ClusterService7
GPGKeyService4
NotificationService3
ProjectService12
RepoCredsService8
RepositoryService17
SessionService3
SettingsService2
VersionService1

Matching is case-insensitive (applicationservice works).


Generated Tools Mode (optional)

Set TOOL_MODE=generated to create one MCP tool per ArgoCD endpoint at startup. Instead of searching then executing, the LLM calls typed tools directly:

# Claude Code
claude mcp add argocd -s user -- \
  docker run --rm -i \
  -e ARGOCD_BASE_URL=https://argocd.example.com \
  -e ARGOCD_TOKEN=your-token \
  -e TOOL_MODE=generated \
  ghcr.io/matthisholleville/argocd-mcp:latest
How generated tools work

Each endpoint's operationId is converted to a snake_case tool name with argocd_ prefix:

operationIdTool name
ApplicationService_Syncargocd_application_sync
ClusterService_Getargocd_cluster_get
ApplicationSetService_Listargocd_application_set_list

Parameters are typed individually โ€” no raw JSON needed for common cases:

argocd_application_sync(
  name:      "frontend"      โ† path param (required)
  revision:  "HEAD"          โ† body param, flattened
  dryRun:    true            โ† body param, flattened
  strategy:  '{"apply":{}}'  โ† nested object stays JSON string
)

Tools are annotated with MCP hints (readOnlyHint, destructiveHint, idempotentHint) so clients like Claude Desktop categorize them correctly (read vs write/delete).

DISABLE_WRITE and ALLOWED_RESOURCES are enforced at startup โ€” forbidden tools are simply not generated. The LLM cannot even see them.


Rate Limiting (optional)

Protect ArgoCD from excessive API calls by setting RATE_LIMIT. Only execute_operation is rate limited โ€” search is local and not affected.

RATE_LIMIT=10              # 10 requests/sec per user
RATE_LIMIT_BURST=20        # allow short bursts up to 20
How rate limiting works

Rate limiting uses a token bucket per user. Each user gets a bucket that refills at RATE_LIMIT tokens per second, with a maximum of RATE_LIMIT_BURST tokens. When the bucket is empty, requests are rejected until tokens refill.

Auth modeBucket keyBehavior
OAuthUser email from JWTEach user has an independent limit
Static tokenShared "static-token" keyAll clients share one bucket

Note: In static token mode, an aggressive LLM can starve other clients. Prefer OAuth mode in multi-user production setups.

When a request is rate limited:

  • The call never reaches ArgoCD โ€” rejected before the proxy
  • An audit log entry is emitted with blocked: true
  • The LLM receives a clear error: "rate limit exceeded: too many requests, please slow down"

If RATE_LIMIT_BURST is not set, it defaults to the RATE_LIMIT value. Set RATE_LIMIT=0 (or omit it) to disable rate limiting entirely.


Prompt Templates

Pre-packaged workflows for common ArgoCD operations. MCP clients (Claude Desktop, Cursor) show these as selectable prompts in their UI.

PromptDescriptionArguments
unhealthy-appsFind all apps with degraded health or out-of-sync statusโ€”
sync-statusDashboard-style overview of all appsโ€”
app-diffShow what would change on syncappName (required)
rollbackShow history and rollback to a previous revisionappName (required)
app-logsFetch and analyze container logsappName (required), container (optional)

Each prompt guides the LLM through a step-by-step workflow using search_operations and execute_operation. No additional tools are needed.


Audit Logging

Audit logging is enabled by default. Every search_operations and execute_operation call emits a structured JSON log entry to stderr:

{"time":"2026-03-22T10:00:00Z","level":"INFO","msg":"audit","tool":"execute_operation","method":"GET","path":"/api/v1/applications","blocked":false,"duration_ms":142,"status_code":200,"user":"alice@example.com"}

Each entry includes:

  • tool โ€” search_operations or execute_operation
  • user โ€” email from the OAuth token (empty in static token mode)
  • method / path โ€” the ArgoCD API call (execute) or query (search)
  • status_code โ€” upstream HTTP response code
  • blocked โ€” true if the call was rejected by DISABLE_WRITE or ALLOWED_RESOURCES
  • duration_ms โ€” round-trip time in milliseconds
  • error โ€” error message (logged at ERROR level when present)

Set AUDIT_LOG=false to disable.


Build from source

make build
ARGOCD_BASE_URL=https://argocd.example.com ARGOCD_TOKEN=xxx ./bin/argocd-mcp