diff --git a/argocd/config/helm b/argocd/config/helm
new file mode 100644
index 00000000..638d35e9
--- /dev/null
+++ b/argocd/config/helm
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+HELM_BIN=${HELM_BIN:-helm}
+
+new_args=()
+template_found=false
+
+for arg in "$@"; do
+  if [[ "$arg" == "template" ]]; then
+    template_found=true
+    new_args+=("$arg")
+  elif $template_found && [[ "${#new_args[@]}" -eq 1 ]]; then
+    new_args+=("--dry-run=server" "$arg")
+    template_found=false
+  else
+    new_args+=("$arg")
+  fi
+done
+
+$HELM_BIN "${new_args[@]}"
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
index a720ef17..9bb5d980 100644
--- a/argocd/kustomization.yaml
+++ b/argocd/kustomization.yaml
@@ -5,13 +5,22 @@ resources:
   - appset-ingress-route.yaml
   - certificate.yaml
   - ingress-route.yaml
+  # https://github.com/argoproj/argo-cd/issues/5202#issuecomment-2081661930
+  - repo-server-cr.yaml
+  - repo-server-crb.yaml
+
+configMapGenerator:
+  - name: helm-replace
+    files:
+      - config/helm
 
 patches:
   - path: patches/argocd-cm.yaml
   - path: patches/argocd-cmd-params-cm.yaml
   - path: patches/argocd-notifications-cm.yaml
   - path: patches/argocd-rbac-cm.yaml
-  - path: patches/argocd-repo-server.yaml
+  - path: patches/argocd-repo-server-helm.yaml
+  - path: patches/argocd-repo-server-ksops.yaml
   - path: patches/argocd-ssh-known-hosts-cm.yaml
 
 generators:
diff --git a/argocd/patches/argocd-repo-server-helm.yaml b/argocd/patches/argocd-repo-server-helm.yaml
new file mode 100644
index 00000000..aceba373
--- /dev/null
+++ b/argocd/patches/argocd-repo-server-helm.yaml
@@ -0,0 +1,24 @@
+# https://github.com/argoproj/argo-cd/issues/5202#issuecomment-2081661930
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-repo-server
+
+spec:
+  template:
+    spec:
+      volumes:
+        - name: helm-replace
+          configMap:
+            name: helm-replace
+            defaultMode: 0777
+      containers:
+        - name: argocd-repo-server
+          volumeMounts:
+            # https://github.com/argoproj/argo-cd/issues/5202#issuecomment-2081661930
+            - name: helm-replace
+              mountPath: /usr/local/sbin/helm
+              subPath: helm
+          env:
+            - name: HELM_BIN
+              value: /usr/local/bin/helm
diff --git a/argocd/patches/argocd-repo-server.yaml b/argocd/patches/argocd-repo-server-ksops.yaml
similarity index 100%
rename from argocd/patches/argocd-repo-server.yaml
rename to argocd/patches/argocd-repo-server-ksops.yaml
diff --git a/argocd/repo-server-cr.yaml b/argocd/repo-server-cr.yaml
new file mode 100644
index 00000000..507c5c2d
--- /dev/null
+++ b/argocd/repo-server-cr.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argocd-repo-server
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "secrets"]
+    verbs: ["get", "list", "watch"]
diff --git a/argocd/repo-server-crb.yaml b/argocd/repo-server-crb.yaml
new file mode 100644
index 00000000..01d0aa4d
--- /dev/null
+++ b/argocd/repo-server-crb.yaml
@@ -0,0 +1,12 @@
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: argocd-repo-server
+  subjects:
+    - kind: ServiceAccount
+      name: argocd-repo-server
+      namespace: argocd
+  roleRef:
+    kind: ClusterRole
+    name: argocd-repo-server
+    apiGroup: rbac.authorization.k8s.io