diff --git a/Dockerfile b/Dockerfile
index 27e4ec8..aa6e7d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,8 @@ ENV HELM_SECRETS_BACKEND="vals" \
 HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
 HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
 HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
- HELM_SECRETS_WRAPPER_ENABLED=true
+ HELM_SECRETS_WRAPPER_ENABLED=true \
+ KUBECONFIG=/tmp/kubectl.config
 # Optionally, set default gpg key for sops files
 # ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key
@@ -37,12 +38,13 @@ RUN curl -fsSL https://github.com/helmfile/vals/releases/download/${VALS_VERSION
 | tar xzf - -C /usr/local/bin/ vals \
 && chmod +x /usr/local/bin/vals
-RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm
+RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm && \
+ rm -f /usr/local/bin/argocd-repo-server
-# Add init script to convert SA token into kubeconfig for vals
-ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
+# replace argocd-repo-server with wrapper to install kubectl config
+ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server
 USER ${ARGOCD_USER_ID}
 RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
-RUN mkdir -p /home/argocd/.kube && sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
+RUN sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
diff --git a/README.md b/README.md
index dc1089d..51776c3 100644
--- a/README.md
+++ b/README.md
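Review bot: `KUBECONFIG=/tmp/kubectl.config` in the ENV block points the generated kubeconfig — which, per the README, lets vals act with Argo's service-account identity against the local cluster API — at a fixed, predictable name inside the shared, world-writable `/tmp` of the container, where any other process running in the container could pre-create or swap the path before the wrapper writes it. A directory owned by the ArgoCD user (the `/home/argocd/.kube` that the old `mkdir -p` in the second hunk created would do) avoids that class of problem and the later `chmod`. The same literal path is repeated in `argocd-repo-server-wrapper.sh`; having the script read `${KUBECONFIG:-/tmp/kubectl.config}` instead of reassigning it keeps this ENV line the single source of truth.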
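Review bot: `ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server` should be `COPY`: the source is a local file, and `ADD` additionally auto-extracts archives and fetches URLs, so `COPY` states the intent and is what Dockerfile linters expect. The `rm -f /usr/local/bin/argocd-repo-server` chained onto the `ln -sf` line looks redundant with the `ADD` that overwrites the same path, unless the aim is to make sure a symlinked upstream binary is removed rather than followed — if so, a comment such as `# drop the upstream entrypoint so the wrapper below takes its path` would save the next reader the guess. The wrapper is installed by root before `USER ${ARGOCD_USER_ID}`, so the runtime user cannot modify it, which is the right ordering.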
@@ -5,7 +5,7 @@ Customized ArgoCD image for KubeZero
 ## Changes
 - added sops, helm-secrets and vals binaries
 - configured helm-secrets to use vals backend
-- init script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
+- argocd-repo-server wrapper script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
 ## Credits:
 - https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-1-custom-docker-image
diff --git a/sa2kubeconfig.sh b/argocd-repo-server-wrapper.sh
similarity index 84%
rename from sa2kubeconfig.sh
rename to argocd-repo-server-wrapper.sh
index bde4194..c87638e 100755
--- a/sa2kubeconfig.sh
+++ b/argocd-repo-server-wrapper.sh
@@ -1,6 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
-KUBECONFIG=$1
+KUBECONFIG=/tmp/kubectl.config
 SA_NAME=argo-argocd-repo-server
 CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
@@ -27,3 +27,5 @@ current-context: ${SA_NAME}_context
 EOF
 chmod 600 $KUBECONFIG
+
+ARGOCD_BINARY_NAME=argocd-repo-server /usr/local/bin/argocd $@
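Review bot: Dropping `-e` from the shebang means a failure while building the kubeconfig (the `cat`/`base64` of the CA certificate on the `CA64=` line, or whatever reads the service-account token below this hunk) no longer stops the script, so the wrapper will go on to start the repo server with a missing or partial config and vals lookups fail later in a less obvious place. If starting ArgoCD regardless is the intent, say so in a comment above `KUBECONFIG=`; otherwise keep the behaviour with `set -e` as the first statement after the shebang, since the flag form is lost whenever the file is run as `sh script`. The hard-coded `KUBECONFIG=/tmp/kubectl.config` also duplicates the `ENV` value set in the Dockerfile; `KUBECONFIG=${KUBECONFIG:-/tmp/kubectl.config}` keeps the Dockerfile authoritative. `CA64=$(cat ... | base64 -w0)` could be `base64 -w0 < /run/secrets/kubernetes.io/serviceaccount/ca.crt`, but that is style only.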
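Review bot: The final line runs the repo server as a child of the wrapper shell instead of replacing it; since the Dockerfile installs this script at the `argocd-repo-server` path the image's entrypoint presumably invokes, PID 1 stays `/bin/sh`, which does not forward SIGTERM to the child and leaves exit status to the shell. Replace it with two lines, `export ARGOCD_BINARY_NAME=argocd-repo-server` and `exec /usr/local/bin/argocd "$@"` — the `export` form avoids any doubt about whether an assignment prefix survives `exec` in a POSIX `sh`, and the unquoted `$@` would otherwise re-split any argument containing whitespace. Separately, `chmod 600 $KUBECONFIG` is applied only after the file has been written by the heredoc ending at `EOF` (the write itself starts above this hunk), so under a default umask the credentials are briefly world-readable; a `umask 077` before the write, plus quoting `"$KUBECONFIG"`, closes that window.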