Implementing ArgoCD Image Updater using Artifact Registry Google Cloud Platform

Implementing ArgoCD Image Updater using Artifact Registry Google Cloud Platform


The Argo CD Image Updater can check for new versions of the container images that are deployed with your Kubernetes workloads and automatically update them to their latest allowed version using Argo CD.

Usage is simple: You annotate your Argo CD Application resources with a list of images to be considered for update, along with a version constraint to restrict the maximum allowed new version for each image. Argo CD Image Updater then regularly polls the configured applications from Argo CD and queries the corresponding container registry for possible new versions. If a new version of the image is found in the registry, and the version constraint is met, Argo CD Image Updater instructs Argo CD to update the application with the new image.

There are 4 update strategies available for Argo CD image updater:

  • semver: update to highest allowed version according to given image constraint,

  • latest: update to the most recently created image tag,

  • name: update to the last tag in an alphabetically sorted list

  • digest: update to the most recent pushed version of a mutable tag

And for this tutorial, we will use digest update strategies.


You can install the Image Updater alongside Argo CD, typically as a separate pod within the same namespace as Argo CD:

kubectl apply -n argocd -f


  1. Authenticate to Artifact Registry

    To fully utilize the Argo CD Image Updater, it’s crucial to configure it to connect with your image registry properly, especially if you are using private registries or private repositories on public registries. Make sure you have service account key file with json format with appropriate permissions. Please read Create Service Account for more information.

     cat sa-gcr-prd.json | docker login -u _json_key --password-stdin

    The second step is to create secret from docker config file, so the ArgoCD Image Updater can use that for scanning dan watch every time there are new images pushed. Mostly docker saved the credential to authenticate with Registry in /home/user/.docker/config.json so you can take that file for generating secret.

      apiVersion: v1
     kind: Secret
       name: gcr-prd
       namespace: argocd
       .dockerconfigjson: <base64 encoded dockerconfigjson>
  2. Configuring ArgoCD Image Updater

    After setting up the credentials, include them in the ArgoCD Image Updater’s configurationto authenticate with the image registry.

     apiVersion: v1
     kind: ConfigMap
       labels: argocd-image-updater-config argocd-image-updater
       name: argocd-image-updater-config
       git.commit-message-template: |
         Auto-commit by Argocd Image Updater [{{ .AppName }}]
         {{ range .AppChanges -}}
         updates image {{ .Image }} tag '{{ .OldTag }}' to '{{ .NewTag }}'
         {{ end -}}
       log.level: debug
       registries.conf: |
         - name:
           ping: no
           credentials: pullsecret:argocd/gcr-prd #namespaceName/secretName
           defaultns: library

    As i mentioned above, we annotate Argo CD Application resources with a list of images to be considered for update, and here is the example.

     kind: Application
       name: your-argocd-app-name
       namespace: argocd
         key: value
       annotations: report-argocd report-argocd, digest digest git
       project: your-argocd-project-name
         targetRevision: your-branch-name
         path: target-folder-git
         server: https://your-cluster-external-endpoint
         namespace: your-target-deployed-to
           selfHeal: true
           prune: true
  3. Once everything is applied, Argo CD Image updater will be able to do this kind of commit to your repository, and Argo CD will do the rest:

    If you are interested in testing it, I hope this post showed you how easy it is to configure Argo CD Image Updater for your infrastructure. 😄