diff --git a/Dockerfile b/Dockerfile
index aa6e7d0..a02b79d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,13 +38,21 @@ RUN curl -fsSL https://github.com/helmfile/vals/releases/download/${VALS_VERSION
     | tar xzf - -C /usr/local/bin/ vals \
     && chmod +x /usr/local/bin/vals
 
-RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm && \
+# helm-secrets
+RUN mkdir -p /home/argocd/.local/share/helm/plugins && \
+    curl -fsSL https://github.com/jkroepke/helm-secrets/releases/download/${HELM_SECRETS_VERSION}/helm-secrets.tar.gz \
+    | tar -C /home/argocd/.local/share/helm/plugins -xzf- && \
+    chown -R root: /home/argocd/.local/share/helm && \
+    ln -sf /home/argocd/.local/share/helm/plugins/helm-secrets/scripts/wrapper/helm.sh /usr/local/sbin/helm && \
+    sed -i -e 's/secrets/secrets --evaluate-templates/' /home/argocd/.local/share/helm/plugins/helm-secrets/scripts/wrapper/helm.sh && \
     rm -f /usr/local/bin/argocd-repo-server
 
+
+
 # replace argocd-repo-server with wrapper to install kubectl config
 ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server
 
-USER ${ARGOCD_USER_ID}
+# register vals "cmp plugin"
+ADD plugin.yaml /home/argocd/cmp-server/config/plugin.yaml
 
-RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
-RUN sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
+USER ${ARGOCD_USER_ID}
diff --git a/plugin.yaml b/plugin.yaml
new file mode 100644
index 0000000..7fc2086
--- /dev/null
+++ b/plugin.yaml
@@ -0,0 +1,10 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ConfigManagementPlugin
+metadata:
+  name: kubezero-git-sync
+spec:
+  generate:
+    command: [sh, -c, 'find . -name "*.yaml" -o -name "*.yml" | while read f; do cat $f; echo "---"; done | vals eval -f -']
+# discover:
+#   find:
+#     command: [sh, -c, find . -name "*.yaml"]