diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
index 27880e7..b180474 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
@@ -103,14 +103,18 @@
 {{ clusterctl_newcluster.stdout }}
 wait: yes
 kubeconfig: "{{ kubeconfig.path }}"
+# TODO: move to git repo
+
 - name: Initialize tempfile
 ansible.builtin.tempfile:
 state: file
 register: capi_kubeconfig
+
 - name: Retrieve kubeconfig
 ansible.builtin.command:
- cmd: kubectl config view --raw
+ cmd: clusterctl get kubeconfig {{ vapp['workloadcluster.name'] | lower }}
 register: capi_kubectl_config
+
 - name: Store kubeconfig in tempfile
 ansible.builtin.copy:
 dest: "{{ capi_kubeconfig.path }}"
@@ -129,23 +133,11 @@
 retries: "{{ playbook.retries }}"
 delay: "{{ playbook.delays.long }}"
 
-- name: Generate serviceaccount
- # TODO: move to GitOps
- kubernetes.core.k8s:
- template: serviceaccount.j2
- state: present
- kubeconfig: "{{ capi_kubeconfig.path }}"
- vars:
- _template:
- account:
- name: argocd-sa
- namespace: default
- clusterrolebinding:
- name: argocd-crb
+# TODO: move to git repo
 - name: Apply cni plugin manifest
- # TODO: move to GitOps
 kubernetes.core.k8s:
 src: /opt/metacluster/cluster-api/cni-calico/{{ components.clusterapi.workload.version.calico }}/calico.yaml
 state: present
 wait: yes
 kubeconfig: "{{ capi_kubeconfig.path }}"
+# TODO: move to git repo
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/gitops.yml
index 043c65a..770fb0b 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/gitops.yml
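Review bot: The "Retrieve kubeconfig" task in the first hunk registers the workload cluster's kubeconfig from `clusterctl get kubeconfig` in `capi_kubectl_config` without `no_log: true`, so the credential appears in task output under `-v` or when the task fails; add `no_log: true` there and on the "Store kubeconfig in tempfile" copy that follows. The cluster name from `vapp['workloadcluster.name']` is interpolated into a single `cmd` string, where a value containing whitespace is split into extra arguments; the list form keeps it as one argument: `argv: [clusterctl, get, kubeconfig, "{{ vapp['workloadcluster.name'] | lower }}"]`. The `kubernetes.core.k8s` task above the hunk passes `kubeconfig.path` explicitly, while this command appears to rely on whatever kubeconfig the environment provides, so passing the management cluster's kubeconfig with `--kubeconfig` is worth considering. The "Store kubeconfig in tempfile" task continues outside the hunk.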
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/gitops.yml
@@ -1 +1,35 @@
-# - name: Register workload cluster in argo-cd
+- block:
+
+ - name: Generate service account in workload cluster
+ kubernetes.core.k8s:
+ template: serviceaccount.j2
+ state: present
+ kubeconfig: "{{ capi_kubeconfig.path }}"
+
+ - name: Retrieve service account bearer token
+ kubernetes.core.k8s_info:
+ kind: ServiceAccount
+ name: "{{ _template.account.name }}"
+ namespace: "{{ _template.account.namespace }}"
+ register: workloadcluster_serviceaccount
+
+ - name: Retrieve service account bearer token
+ kubernetes.core.k8s_info:
+ kind: Secret
+ name: "{{ workloadcluster_serviceaccount.resources | json_query('[].secrets[].name') | first }}"
+ namespace: "{{ _template.account.namespace }}"
+ register: workloadcluster_bearertoken
+
+ - debug:
+ msg: "{{ workloadcluster_bearertoken.resources | json_query('[].data.token') }}"
+
+ vars:
+ _template:
+ account:
+ name: argocd-sa
+ namespace: default
+ clusterrolebinding:
+ name: argocd-crb
+ module_defaults:
+ group/k8s:
+ kubeconfig: "{{ capi_kubeconfig.path }}"
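Review bot: The `debug` task at the end of the block prints the service account's bearer token (`data.token`, base64-encoded but not encrypted) into the playbook output, so anything that captures that output then holds a credential with whatever `argocd-crb` grants. Drop the task, or keep the value in a fact set under `no_log: true`; the `k8s_info` task that reads the Secret also needs `no_log: true`, because its registered result contains the token and is shown under `-v` or on failure. Both lookup tasks are named "Retrieve service account bearer token"; the first one reads the ServiceAccount and would read better as `- name: Retrieve service account`. The lookup through `secrets[].name | first` assumes the cluster still auto-creates a token Secret for the account, which Kubernetes stopped doing by default in 1.24, so confirm it against the workload cluster version.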