ArgoCD Interlace

ArgoCD is widely used for enabling CD GitOps. ArgoCD internally builds manifest from source data in Git repository, and auto-sync it with target clusters.

ArgoCD Interlace enhances ArgoCD capability from end-to-end software supply chain security viewpoint. Interlace adds authenticity of the manifest and the traceability to the source to ArgoCD.

ArgoCD Interlace works as a Kubernetes Custom Resource Definition (CRD) controller. Interlace monitors the trigger from state changes of Application resources on the ArgoCD cluster. When detecting new manifest build, Interlace sign the manifest, record the detail of manifest build such as the source files for the build, the command to produce the manifest for reproducibility. Interlace stores those details as provenance records in in-toto format and upload it to Sigstore log for verification.


The features are

  • Pluggable to ArgoCD
  • Capture manifest and provenance from application.status automatically
  • Sign manifest
  • Record provenance in intoto format


Prerequisite: Install ArgoCD on your Kubernetes cluster before you install ArgoCD Interlace.

To install the latest version of ArgoCD Interlace to your cluster, run:

kubectl apply --filename

This creates a default installation of ArgoCD Interlace, however you will need futher setup for seeing it in action.

To verify that installation was successful, ensure Status of pod argocd-interlace-controller become Running:

$ kubectl get pod -n argocd-interlace -w
NAME                                              READY   STATUS    RESTARTS   AGE
pod/argocd-interlace-controller-f57fd69fb-72l4h   1/1     Running   0          19m


To complete setting up ArgoCD Interlace, configure secrets for:

Example Scenario

To see ArgoCD Interlace in action, check the example scenario.