Implementing ArgoCD Image Updater using Artifact Registry Google Cloud Platform

Overview

The Argo CD Image Updater can check for new versions of the container images that are deployed with your Kubernetes workloads and automatically update them to their latest allowed version using Argo CD.

Usage is simple: You annotate your Argo CD Application resources with a list of images to be considered for update, along with a version constraint to restrict the maximum allowed new version for each image. Argo CD Image Updater then regularly polls the configured applications from Argo CD and queries the corresponding container registry for possible new versions. If a new version of the image is found in the registry, and the version constraint is met, Argo CD Image Updater instructs Argo CD to update the application with the new image.

Argo CD Image Updater offers four update strategies:

  • semver: update to the highest allowed version according to the given image constraint

  • latest: update to the most recently created image tag

  • name: update to the last tag in an alphabetically sorted list

  • digest: update to the most recently pushed version of a mutable tag

This tutorial uses the digest update strategy.

Installation

You can install the Image Updater alongside Argo CD, typically as a separate pod within the same namespace as Argo CD:

kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/manifests/install.yaml

Usage

  1. Authenticate to Artifact Registry

    To use Argo CD Image Updater with private registries, or with private repositories on public registries, you must configure it to connect to your image registry. Make sure you have a service account key file in JSON format with the appropriate permissions. Please read Create Service Account for more information.

     cat sa-gcr-prd.json | docker login -u _json_key --password-stdin https://asia-southeast2-docker.pkg.dev
    

    The second step is to create a secret from the Docker config file, so that Argo CD Image Updater can use it to scan the registry and watch for newly pushed images. Docker usually saves the registry credentials in /home/user/.docker/config.json, so you can use that file to generate the secret.

     apiVersion: v1
     kind: Secret
     metadata:
       name: gcr-prd
       namespace: argocd
     data:
       .dockerconfigjson: <base64 encoded dockerconfigjson>
     type: kubernetes.io/dockerconfigjson
    
  2. Configuring ArgoCD Image Updater

    After setting up the credentials, include them in the Argo CD Image Updater configuration so that it can authenticate with the image registry.

     apiVersion: v1
     kind: ConfigMap
     metadata:
       labels:
         app.kubernetes.io/name: argocd-image-updater-config
         app.kubernetes.io/part-of: argocd-image-updater
       name: argocd-image-updater-config
     data:
       git.commit-message-template: |
         Auto-commit by Argocd Image Updater [{{ .AppName }}]
    
         {{ range .AppChanges -}}
         updates image {{ .Image }} tag '{{ .OldTag }}' to '{{ .NewTag }}'
         {{ end -}}
       log.level: debug
       registries.conf: |
         registries:
         - name: asia-southeast2-docker.pkg.dev
           api_url: https://asia-southeast2-docker.pkg.dev
           ping: no
           credentials: pullsecret:argocd/gcr-prd #namespaceName/secretName
           defaultns: library
           prefix: asia-southeast2-docker.pkg.dev
    

    As I mentioned above, we annotate Argo CD Application resources with the list of images to be considered for update. Here is an example:

     apiVersion: argoproj.io/v1alpha1
     kind: Application
     metadata:
       name: your-argocd-app-name
       namespace: argocd
       labels:
         key: value
       finalizers:
         - resources-finalizer.argocd.argoproj.io
       annotations:
         notifications.argoproj.io/subscribe.on-deployed.slack: report-argocd
         notifications.argoproj.io/subscribe.on-sync-failed.slack: report-argocd
         argocd-image-updater.argoproj.io/image-list: frontend=asia-southeast2-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:tag,backend=asia-southeast2-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:tag
         argocd-image-updater.argoproj.io/frontend.update-strategy: digest
         argocd-image-updater.argoproj.io/backend.update-strategy: digest
         argocd-image-updater.argoproj.io/write-back-method: git
     spec:
       project: your-argocd-project-name
       source:
         repoURL: https://gitlab.com/your-gitops-repository/repository.git
         targetRevision: your-branch-name
         path: target-folder-git
       destination:
         server: https://your-cluster-external-endpoint
         namespace: your-target-deployed-to
       syncPolicy:
         automated:
           selfHeal: true
           prune: true
    
  3. Once everything is applied, Argo CD Image Updater will make this kind of commit to your repository, and Argo CD will do the rest:

    If you are interested in testing it, I hope this post showed you how easy it is to configure Argo CD Image Updater for your infrastructure. 😄
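
For step 1: when Docker is configured with a credential helper, `docker login` leaves no inline credential in config.json, so a Secret built from that file cannot authenticate. The script below is an added example, not part of the original post; it builds the same gcr-prd Secret directly from the key file, and its function names and the sample key and config contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: build the gcr-prd pull secret for Argo CD Image Updater
# from the service account key instead of copying ~/.docker/config.json.
set -euo pipefail

REGISTRY="asia-southeast2-docker.pkg.dev"    # registry host used on this page

# base64 without line wrapping, portable across GNU and BSD userlands
b64() { base64 | tr -d '\n'; }

# dockerconfigjson KEYFILE: same "auth" value that `docker login -u _json_key`
# stores, i.e. base64("_json_key:" + key JSON without the trailing newline)
dockerconfigjson() {
  local auth
  auth=$(printf '_json_key:%s' "$(cat "$1")" | b64)
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$auth"
}

# secret_manifest KEYFILE: Secret YAML matching the manifest shown in step 1
secret_manifest() {
  printf '%s\n' \
    'apiVersion: v1' \
    'kind: Secret' \
    'metadata:' \
    '  name: gcr-prd' \
    '  namespace: argocd' \
    'type: kubernetes.io/dockerconfigjson' \
    'data:' \
    "  .dockerconfigjson: $(dockerconfigjson "$1" | b64)"
}

# uses_cred_helper CONFIG: true when Docker delegates storage to a credential
# helper, in which case config.json holds no usable "auth" value to copy
uses_cred_helper() { grep -Eq '"(credsStore|credHelpers)"' "$1"; }

# Demo on constructed inputs (no real key material)
demo_dir=$(mktemp -d)
printf '{"type":"service_account","project_id":"example"}\n' > "$demo_dir/key.json"
printf '{"auths":{"%s":{}},"credsStore":"desktop"}\n' "$REGISTRY" > "$demo_dir/config.json"

if uses_cred_helper "$demo_dir/config.json"; then
  echo "config.json has no inline credential; generating from key file" >&2
fi
secret_manifest "$demo_dir/key.json"
```

With a real key file, pipe the output to `kubectl apply -f -` rather than saving it, since the manifest contains the service account key in recoverable form.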