Implementing ArgoCD Image Updater using Artifact Registry Google Cloud Platform
Overview
The Argo CD Image Updater can check for new versions of the container images that are deployed with your Kubernetes workloads and automatically update them to their latest allowed version using Argo CD.
Usage is simple: You annotate your Argo CD Application resources with a list of images to be considered for update, along with a version constraint to restrict the maximum allowed new version for each image. Argo CD Image Updater then regularly polls the configured applications from Argo CD and queries the corresponding container registry for possible new versions. If a new version of the image is found in the registry, and the version constraint is met, Argo CD Image Updater instructs Argo CD to update the application with the new image.
There are 4 update strategies available for Argo CD Image Updater:
semver: update to highest allowed version according to given image constraint
latest: update to the most recently created image tag
name: update to the last tag in an alphabetically sorted list
digest: update to the most recent pushed version of a mutable tag
For this tutorial, we will use the digest update strategy.
Installation
You can install the Image Updater alongside Argo CD, typically as a separate pod within the same namespace as Argo CD:
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/manifests/install.yaml
Usage
Authenticate to Artifact Registry
To fully utilize the Argo CD Image Updater, it’s crucial to configure it to connect with your image registry properly, especially if you are using private registries or private repositories on public registries. Make sure you have a service account key file in JSON format with the appropriate permissions. Please read Create Service Account for more information.
cat sa-gcr-prd.json | docker login -u _json_key --password-stdin https://asia-southeast2-docker.pkg.dev
The second step is to create a secret from the Docker config file, so that Argo CD Image Updater can use it to scan and watch for newly pushed images. Docker usually saves the registry credentials in /home/user/.docker/config.json, so you can use that file to generate the secret.
apiVersion: v1
kind: Secret
metadata:
  name: gcr-prd
  namespace: argocd
data:
  .dockerconfigjson: <base64 encoded dockerconfigjson>
type: kubernetes.io/dockerconfigjson
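An added example, not from the original post: a Python helper that builds the gcr-prd Secret from a Docker config while keeping only the Artifact Registry entry, so other registry logins in config.json do not land in the cluster, and that fails when the file holds no inline credential (a credential helper is in use). The function names, the sample config and its fake credentials are assumptions constructed for illustration.

```python
import base64
import json

REGISTRY = "asia-southeast2-docker.pkg.dev"  # registry host used on this page


def build_pull_secret(docker_config, registry=REGISTRY, name="gcr-prd", namespace="argocd"):
    """Build a dockerconfigjson Secret that holds only the entry for `registry`."""
    auths = docker_config.get("auths", {})
    # Accept the entry keyed by bare host or by https:// URL; keep the key as found.
    for key in (registry, f"https://{registry}"):
        entry = auths.get(key) or {}
        if entry.get("auth"):
            break
    else:
        # With credsStore/credHelpers the file carries no inline credential,
        # so a secret built from it could not authenticate.
        raise ValueError(f"no inline credential for {registry} in docker config")
    user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
    if user != "_json_key":
        raise ValueError(f"expected a _json_key login, found user {user!r}")
    minimal = {"auths": {key: {"auth": entry["auth"]}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(minimal).encode()).decode()},
    }


def sample_auth(user, password):
    """Encode user:password the way the docker config 'auth' field does."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample config.json: fake credentials, plus an unrelated registry
# entry that must not end up in the cluster secret.
SAMPLE_CONFIG = {"auths": {
    "https://asia-southeast2-docker.pkg.dev":
        {"auth": sample_auth("_json_key", '{"type": "service_account"}')},
    "https://index.docker.io/v1/":
        {"auth": sample_auth("someone", "not-a-real-token")},
}}

if __name__ == "__main__":
    # JSON is valid YAML, so this output can be piped to `kubectl apply -f -`.
    print(json.dumps(build_pull_secret(SAMPLE_CONFIG), indent=2))
```

To use it on a real file, load /home/user/.docker/config.json with json.load and pass the result to build_pull_secret.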
Configuring ArgoCD Image Updater
After setting up the credentials, include them in the ArgoCD Image Updater’s configuration to authenticate with the image registry.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater-config
data:
  git.commit-message-template: |
    Auto-commit by Argocd Image Updater [{{ .AppName }}]
    {{ range .AppChanges -}}
    updates image {{ .Image }} tag '{{ .OldTag }}' to '{{ .NewTag }}'
    {{ end -}}
  log.level: debug
  registries.conf: |
    registries:
    - name: asia-southeast2-docker.pkg.dev
      api_url: https://asia-southeast2-docker.pkg.dev
      ping: no
      credentials: pullsecret:argocd/gcr-prd #namespaceName/secretName
      defaultns: library
      prefix: asia-southeast2-docker.pkg.dev
As I mentioned above, we annotate Argo CD Application resources with a list of images to be considered for update. Here is an example:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: your-argocd-app-name
  namespace: argocd
  labels:
    key: value
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  annotations:
    notifications.argoproj.io/subscribe.on-deployed.slack: report-argocd
    notifications.argoproj.io/subscribe.on-sync-failed.slack: report-argocd
    argocd-image-updater.argoproj.io/image-list: frontend=asia-southeast2-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:tag,backend=asia-southeast2-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:tag
    argocd-image-updater.argoproj.io/frontend.update-strategy: digest
    argocd-image-updater.argoproj.io/backend.update-strategy: digest
    argocd-image-updater.argoproj.io/write-back-method: git
spec:
  project: your-argocd-project-name
  source:
    repoURL: https://gitlab.com/your-gitops-repository/repository.git
    targetRevision: your-branch-name
    path: target-folder-git
  destination:
    server: https://your-cluster-external-endpoint
    namespace: your-target-deployed-to
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
Once everything is applied, Argo CD Image Updater will be able to commit the image updates to your repository, and Argo CD will do the rest.
If you are interested in testing it, I hope this post showed you how easy it is to configure Argo CD Image Updater for your infrastructure. 😄