Copilot AI commented Aug 10, 2025

This change allows Nyl to automatically use ArgoCD's repository credentials instead of requiring basic auth to be embedded in HTTPS URLs when cloning Git repositories for Helm charts.

Problem

Previously, when referencing a Helm chart from a private Git repository, users had to embed credentials directly in the HTTPS URL using Nyl templating:

apiVersion: nyl.io/v1
kind: HelmChart
metadata:
  name: my-app
spec:
  chart:
    git: 'https://{{ .secrets.git_username }}:{{ .secrets.git_token }}@github.com/myorg/charts.git'
    path: charts/webapp

This approach had several drawbacks:

  • Credentials needed to be managed in multiple places
  • Security risk of exposing tokens in configuration files
  • Cumbersome templating required for each repository reference

Solution

Nyl now automatically queries ArgoCD repository credentials from Kubernetes and applies them during Git cloning operations. The same example now works with clean URLs:

apiVersion: nyl.io/v1
kind: HelmChart
metadata:
  name: my-app
spec:
  chart:
    git: 'https://github.com/myorg/charts.git'  # Credentials applied automatically!
    path: charts/webapp

Implementation

The implementation adds a new argocd_repo_credentials module that:

  1. Queries ArgoCD credentials: Searches for Kubernetes secrets with labels argocd.argoproj.io/secret-type: repository or argocd.argoproj.io/secret-type: repo-creds

  2. Implements credential matching: Uses ArgoCD's matching logic with exact URL matches taking precedence over prefix matches

  3. Applies authentication: For HTTPS repositories, embeds username/password credentials in the Git clone URL

  4. Maintains compatibility: Only activates when both ArgoCD credentials exist and Kubernetes connectivity is available

Authentication Support

  • HTTPS with username/password: Fully supported by embedding credentials in URLs
  • ⚠️ SSH with private keys: Detected but not yet fully implemented (would require temporary key file setup)

Benefits

  • Centralized credential management: Credentials are stored once in ArgoCD and reused across all applications
  • Enhanced security: No need to embed tokens in configuration files
  • Seamless integration: Works automatically with existing ArgoCD repository configurations
  • Zero breaking changes: Existing workflows continue to work unchanged

The feature gracefully falls back to the original behavior when no matching credentials are found, ensuring full backward compatibility.

Fixes #28.
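
The matching and URL-embedding steps described in the comment above, as an added Python example that is not code from this pull request or from Nyl. The secret layout, helper names and sample values are constructed. The longest-prefix tie-break and the path-boundary check are assumptions of this example, and `redact` is added because an embedded credential travels wherever the clone URL is logged.

```python
from urllib.parse import quote, urlsplit, urlunsplit

LABEL = "argocd.argoproj.io/secret-type"

# Constructed sample data and hypothetical helpers; not Nyl's own module.
SECRETS = [
    {"labels": {LABEL: "repo-creds"}, "url": "https://github.com/myorg",
     "username": "template-user", "password": "template-token"},
    {"labels": {LABEL: "repository"}, "url": "https://github.com/myorg/charts.git",
     "username": "exact-user", "password": "p@ss/word"},
]


def _norm(url):
    """Normalise a URL for comparison: drop trailing slash and '.git'."""
    url = url.rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def find_credentials(repo_url, secrets):
    """Return the exact 'repository' match, else the longest 'repo-creds' prefix."""
    target = _norm(repo_url)
    for s in secrets:
        if s["labels"].get(LABEL) == "repository" and _norm(s["url"]) == target:
            return s
    prefixes = [
        s for s in secrets
        if s["labels"].get(LABEL) == "repo-creds"
        # Require a path boundary so 'myorg' does not match 'myorg-other'.
        and (target + "/").startswith(_norm(s["url"]) + "/")
    ]
    return max(prefixes, key=lambda s: len(_norm(s["url"])), default=None)


def clone_url(repo_url, secrets):
    """Embed matched HTTPS credentials; return the URL unchanged if none match."""
    parts = urlsplit(repo_url)
    cred = find_credentials(repo_url, secrets)
    if parts.scheme != "https" or cred is None:
        return repo_url
    userinfo = f"{quote(cred['username'], safe='')}:{quote(cred['password'], safe='')}"
    return urlunsplit(parts._replace(netloc=f"{userinfo}@{parts.netloc}"))


def redact(url):
    """Strip userinfo before the URL is logged or shown in an error."""
    parts = urlsplit(url)
    host = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
    return urlunsplit(parts._replace(netloc=host))
```

Percent-encoding the username and password keeps characters such as `@` and `/` from altering the host or path of the resulting URL.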



Copilot AI and others added 2 commits August 10, 2025 12:58
Co-authored-by: NiklasRosenstein <1318438+NiklasRosenstein@users.noreply.github.com>
Co-authored-by: NiklasRosenstein <1318438+NiklasRosenstein@users.noreply.github.com>
Copilot AI changed the title [WIP] Support ArgoCD repository template/credentials when cloning Git repositories Support ArgoCD repository credentials when cloning Git repositories Aug 10, 2025
Copilot AI requested a review from NiklasRosenstein August 10, 2025 13:04