generated from layer5io/academy-example
Added Argo CD Image Updater with Helm #123
Merged
leecalcote
merged 9 commits into
layer5io:master
from
ARYANSHAH1567:aryanshah/add_argo_cd
Sep 1, 2025
Changes from 5 commits
14a11a5
Added Argo CD Image Updater with Helm
ARYANSHAH1567 da1f5b5
Merge branch 'master' into aryanshah/add_argo_cd
Namanv0509 27f5740
Added the headers and maintained consistency
ARYANSHAH1567 5e02872
Merge branch 'aryanshah/add_argo_cd' of https://github.com/ARYANSHAH1…
ARYANSHAH1567 aed79c1
Merge branch 'master' into aryanshah/add_argo_cd
ARYANSHAH1567 9e83fe5
Update _index.md
ARYANSHAH1567 e185a31
Merge branch 'master' into aryanshah/add_argo_cd
leecalcote 7e46a41
Refactor documentation for Linkerd service mesh tutorials and challenges
leecalcote a94d864
```shell
leecalcote
9 changes: 9 additions & 0 deletions
...1-1111-111111111111/configure-argo-cd-image-updater-challenge/content/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| title: "Configuring Argo CD Image Updater with Helm" | ||
| description: "This challenge provides a walkthrough on automating Kubernetes deployments by integrating Argo CD Image Updater with Helm." | ||
| weight: 3 | ||
| id: "9136f21d-c87f-478a-8f8b-6687597a2841" | ||
| banner: "kubernetes-icon.svg" | ||
| categories: "kubernetes" | ||
| --- | ||
|
|
29 changes: 29 additions & 0 deletions
...-argo-cd-image-updater-challenge/content/argo-cd-image-updater-binary/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| --- | ||
| id: "argo-cd-image-updater-binary" | ||
| title: 'Argo CD Image Updater Binary' | ||
| description: "" | ||
| weight: 7 | ||
| --- | ||
|
|
||
| ### Testing Image Updates with argocd-image-updater | ||
|
|
||
| The **argocd-image-updater** binary and specifically the **test** subcommand provides a variety of test options, including testing registry access, multi-arch images, semver constrains, update strategies, and credentials before configuring annotations on your Argo CD applications. It is available in the **argocd-image-updater** pod or you can install it locally. Here are the **argocd-image-updater** test command options: | ||
|
|
||
|
|
||
| ``` bash | ||
| Flags: | ||
|
|
||
| --allow-tags string only consider tags in registry that satisfy the match function | ||
| --credentials string the credentials definition for the test (overrides registry config) | ||
| --disable-kubernetes whether to disable the Kubernetes client | ||
| --disable-kubernetes-events Disable kubernetes events | ||
| -h, --help help for test | ||
| --ignore-tags stringArray ignore tags in registry that match given glob pattern | ||
| --kubeconfig string path to your Kubernetes client configuration | ||
| --loglevel string log level to use (one of trace, debug, info, warn, error) (default "debug") | ||
| --platforms strings limit images to given platforms (default [linux/amd64]) | ||
| --rate-limit int specify registry rate limit (overrides registry.conf) (default 20) | ||
| --registries-conf-path string path to registries configuration | ||
| --semver-constraint string only consider tags matching semantic version constraint | ||
| --update-strategy string update strategy to use, one of: semver, latest (default "semver") | ||
| ``` |
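Review bot: In the intro paragraph, "semver constrains" should read "semver constraints", and the block fenced as bash holds the help output of the `test` subcommand rather than shell commands, so tag it as plain text and drop the space between the backticks and the language name. The page lists the flags but never shows an invocation; one example line with an image reference would make the flags usable. Since `--credentials` "overrides registry config", say which credential definition formats it accepts, so readers reference a secret rather than typing a token on the command line.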
12 changes: 12 additions & 0 deletions
...1111111/configure-argo-cd-image-updater-challenge/content/conclusions/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| --- | ||
| id: "conclusions" | ||
| title: 'Conclusions' | ||
| description: "" | ||
| weight: 10 | ||
| --- | ||
|
|
||
| ### Conclusions | ||
|
|
||
| The Argo CD Image Updater is a powerful tool that enhances the continuous delivery process in Kubernetes environments. Automating the process of updating container images not only streamlines deployments but also reduces the risk of human error associated with manual updates. | ||
|
|
||
| Moreover, its flexibility allows developers to tailor the update policies to suit their specific workflows, ensuring that only the necessary updates are applied. This ultimately leads to improved application reliability and performance. |
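Review bot: Both paragraphs under "Conclusions" are general praise and do not recap anything the course taught; "improved application reliability and performance" in particular is not something the text here backs up. Replace them with a short summary of what the reader configured (registries and their credentials, service account and RBAC, log level, write-back method), so the page closes on the steps that matter for running the updater safely.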
40 changes: 40 additions & 0 deletions
...igure-argo-cd-image-updater-challenge/content/configuration-and-setup/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| --- | ||
| id: "configuration-and-setup" | ||
| title: 'Configuration and Setup' | ||
| description: "" | ||
| weight: 3 | ||
| --- | ||
|
|
||
| ### Setting Up Argo CD Image Updater | ||
|
|
||
|
|
||
| In this example implementation, we are using the official [argocd-image-updater](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-image-updater) Helm chart. It is deployed as an **argocd** application in the same cluster and namespace as Argo CD: | ||
|
|
||
| ```yaml | ||
| apiVersion: argoproj.io/v1alpha1 | ||
| kind: Application | ||
| metadata: | ||
| name: argocd-image-updater | ||
| namespace: argocd | ||
| spec: | ||
| destination: | ||
| namespace: argocd | ||
| server: https://kubernetes.default.svc(opens in a new tab) | ||
| project: 'applications' | ||
| source: | ||
| helm: | ||
| valueFiles: | ||
| - ../argocd-image-updater/values.yaml | ||
| path: helm/argocd-image-updater | ||
| repoURL: https://gitlab.org.com/demo.git | ||
| targetRevision: HEAD | ||
| syncPolicy: | ||
| automated: | ||
| prune: true | ||
| selfHeal: true | ||
| allowEmpty: false | ||
| syncOptions: | ||
| revisionHistoryLimit: 3 | ||
| ``` | ||
|
|
||
| Let’s review the **values** file, where we will explore some of the essential configuration options required. These options are critical to ensuring proper functionality and deployment of the service. |
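Review bot: The `server:` value in the Application manifest reads `https://kubernetes.default.svc(opens in a new tab)`; the trailing "(opens in a new tab)" is link text copied from a rendered page and makes the destination invalid, so it should be just `https://kubernetes.default.svc`. `syncOptions:` is followed only by `revisionHistoryLimit: 3`, which is not a sync option: `revisionHistoryLimit` is a field of `spec` and `syncOptions` takes a list of strings, so move it to `spec` level and either remove the empty `syncOptions:` key or give it entries. With `automated` sync, `prune: true` and `selfHeal: true`, `targetRevision: HEAD` means whatever lands on the default branch is applied to the `argocd` namespace; pin a tag or commit, or say that HEAD is used for the demo only.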
37 changes: 37 additions & 0 deletions
...gure-argo-cd-image-updater-challenge/content/enabling-service-account/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| --- | ||
| id: "service-account-and-RBAC" | ||
| title: 'Service Account and RBAC' | ||
| description: "" | ||
| weight: 5 | ||
| --- | ||
|
|
||
| ### Enabling the Service Account and RBAC Creation | ||
|
|
||
| ```yaml | ||
| rbac: | ||
| # -- Enable RBAC creation | ||
| enabled: true | ||
|
|
||
| serviceAccount: | ||
| # -- Specifies whether a service account should be created | ||
| create: true | ||
| # -- Annotations to add to the service account | ||
| annotations: {} | ||
| # -- Labels to add to the service account | ||
| labels: {} | ||
| # -- The name of the service account to use. | ||
| # If not set and create is true, a name is generated using the fullname template | ||
| name: "" | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| - **ServiceAccount** provides the necessary identity for ArgoCD Image Updater to authenticate and interact with the Kubernetes API to perform updates on deployment manifests or Helm charts (e.g., changing container image tags). | ||
|
|
||
| - **RBAC** ensures that ArgoCD Image Updater is granted only the permissions it needs, helping to secure your cluster by restricting its access and reducing the attack surface. | ||
|
|
||
| --- | ||
|
|
||
| Without enabling both, the ArgoCD Image Updater would either lack the permissions to modify Kubernetes resources (failing to update your applications) or could have overly broad permissions, which could be a security risk. | ||
|
|
||
| In the default installation scenario, i.e., Argo CD Image Updater installed to the `argocd` namespace, no further configuration is needed for Argo CD Image Updater to access the Kubernetes API. If your Argo CD installation is in a different namespace than `argocd`, you must adapt the **RoleBinding** to bind to the **ServiceAccount** in the correct namespace. | ||
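Review bot: The RBAC bullet says the updater "is granted only the permissions it needs", but the values shown only toggle `rbac.enabled` and `serviceAccount.create`; nothing on the page says what the chart's Role actually allows. Add a sentence listing the resources and verbs the Role grants, or tell the reader how to inspect the Role and RoleBinding after install, so the least-privilege claim can be checked. Smaller points: the front matter `id` is "service-account-and-RBAC" while the directory is `enabling-service-account` and the other ids in this PR are lower case; the text switches between "ArgoCD" and "Argo CD"; and the two `---` rules around the bullets render as horizontal lines that the other pages do not use.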
1 change: 1 addition & 0 deletions
...111111111/configure-argo-cd-image-updater-challenge/content/kubernetes-icon.svg
16 changes: 16 additions & 0 deletions
...111111111/configure-argo-cd-image-updater-challenge/content/log-level/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| id: "log-level" | ||
| title: 'Log Level' | ||
| description: "" | ||
| weight: 6 | ||
| --- | ||
|
|
||
| ### Configuring Log Levels in Argo CD Image Updater | ||
|
|
||
| ```yaml | ||
| # -- Argo CD Image Update log level | ||
| logLevel: "debug" | ||
| ``` | ||
|
|
||
| Changing the log level from `"info"` to `"debug"` in the Argo CD Image Updater `values` file can be beneficial in certain scenarios where you need deeper insights into the system’s behavior. | ||
|
|
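Review bot: The values snippet sets `logLevel: "debug"` as if it were the setting to ship, while the sentence below it only says debug "can be beneficial in certain scenarios". State that "info" is the value to keep for normal operation and that debug is a temporary troubleshooting setting to revert afterwards, and name one or two of those scenarios so the reader knows when to reach for it. The comment "Argo CD Image Update log level" is missing the "r" in "Updater".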
18 changes: 18 additions & 0 deletions
...1111111111/configure-argo-cd-image-updater-challenge/content/overview/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| --- | ||
| id: "introduction" | ||
| title: 'Introduction' | ||
| description: "" | ||
| weight: 1 | ||
| --- | ||
|
|
||
ARYANSHAH1567 marked this conversation as resolved.
|
||
| ### Overview | ||
|
|
||
| This challenge provides a walkthrough on automating Kubernetes deployments by integrating Argo CD Image Updater with Helm. It details the setup process, including configuring container registries like Amazon ECR and GitHub Container Registry, and emphasizes the importance of proper authentication and role-based access control (RBAC) to ensure secure and efficient operations. It also explores various update strategies—such as semantic versioning (semver), latest, digest, and name—demonstrating how to annotate Argo CD applications to enable these strategies effectively. | ||
|
|
||
| ### Understanding Argo CD Image Updater | ||
|
|
||
| In modern Kubernetes environments, managing container images and ensuring that applications are always running the latest, most secure versions can be daunting. Argo CD Image Updater simplifies this process by automatically checking for new container image versions and updating your applications accordingly. Integrating seamlessly with Argo CD enables fully automated updates to Kubernetes workloads. | ||
|
|
||
| The beauty of Argo CD Image Updater lies in its simplicity and flexibility. The Image Updater takes over the heavy lifting by annotating your Argo CD application resources with a list of images and defining version constraints. It regularly polls for new image versions from your container registry, checks if they meet the specified constraints, and updates your applications automatically. | ||
|
|
||
| Argo CD Image Updater also offers a range of advanced features, such as support for Helm and Kustomize-based applications, various update strategies (like semver, latest, name, and digest), and seamless integration with private container registries. Additionally, it allows parallel updates and supports filtering tags with custom matchers, making it highly customizable and suitable for both small and large-scale Kubernetes environments. | ||
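Review bot: In the second paragraph under "Understanding Argo CD Image Updater", the sentence "The Image Updater takes over the heavy lifting by annotating your Argo CD application resources..." reads as if the tool adds the annotations; it is the user who annotates the Application, after which the updater polls and updates. Reword to something like "Once you annotate your Argo CD application resources with a list of images and version constraints, Image Updater takes over the heavy lifting". Also, "Integrating seamlessly with Argo CD enables fully automated updates" has no subject, and the front matter uses id "introduction" and title 'Introduction' while the directory and the first heading say overview; pick one.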
94 changes: 94 additions & 0 deletions
...11111111/configure-argo-cd-image-updater-challenge/content/registires/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| --- | ||
| id: "registries" | ||
| title: 'Registries' | ||
| description: "" | ||
| weight: 4 | ||
| --- | ||
|
|
||
ARYANSHAH1567 marked this conversation as resolved.
|
||
| ### Configuring the container registries | ||
|
|
||
| Let's configure the container registries that we are using. Argo CD Image Updater supports the majority of container registries (public and private), that implement Docker registry v2 API and has been tested against registries such as Docker Hub, Docker Registry v2 reference implementation (on-premise), Red Had Quay, Jfrog Artifactory, Github Container Registry, GitHub Packages Registry, GitLab Container Registry, and Google Container Registry. | ||
|
|
||
| In the following examples, we will configure two of the most widely used container registries – Amazon Elastic Container Registry (ECR) and GitHub Container Registry (GHCR). In our case, we are working with private registries to ensure secure storage and access control for container images. | ||
|
|
||
|
|
||
| ### Amazon Elastic Container Registry (ECR) configuration | ||
|
|
||
| ```yaml | ||
| registries: | ||
| - name: ECR | ||
| api_url: https://000000000000.dkr.ecr.eu-west-1.amazonaws.com | ||
| prefix: 000000000000.dkr.ecr.eu-west-1.amazonaws.com | ||
| ping: yes | ||
| insecure: false | ||
| credentials: ext:/scripts/login.sh | ||
| credsexpire: 10h | ||
| ``` | ||
|
|
||
| For Amazon Elastic Container Registry, authentication is possible through a script that executes an API call to retrieve the necessary credentials. In the values file, we can include this script in the **authScripts** section: | ||
|
|
||
| ```yaml | ||
| authScripts: | ||
| # -- Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts` | ||
| enabled: true | ||
| # -- Map of key-value pairs where the key consists of the name of the script and the value the contents | ||
| scripts: | ||
| login.sh: | | ||
| #!/bin/sh | ||
| aws ecr --region "eu-west-1" get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | ||
| ``` | ||
|
|
||
| The script is executed by the pod and is responsible for obtaining the ECR authorization token. We use a role attached to our EKS node group, which includes the AWS-managed policy **AmazonEC2ContainerRegistryReadOnly**. This policy permits the **GetAuthorizationToken** API call: | ||
|
|
||
|
|
||
| ```bash | ||
| { | ||
ARYANSHAH1567 marked this conversation as resolved.
|
||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ecr:GetAuthorizationToken", | ||
| "ecr:BatchCheckLayerAvailability", | ||
| "ecr:GetDownloadUrlForLayer", | ||
| "ecr:GetRepositoryPolicy", | ||
| "ecr:DescribeRepositories", | ||
| "ecr:ListImages", | ||
| "ecr:DescribeImages", | ||
| "ecr:BatchGetImage", | ||
| "ecr:GetLifecyclePolicy", | ||
| "ecr:GetLifecyclePolicyPreview", | ||
| "ecr:ListTagsForResource", | ||
| "ecr:DescribeImageScanFindings" | ||
| ], | ||
| "Resource": "*" | ||
| } | ||
| ``` | ||
|
|
||
| ### Github Container Registry configuration | ||
|
|
||
| ```yaml | ||
| registries: | ||
| - name: GitHub Container Registry | ||
| api_url: https://ghcr.io | ||
|
|
||
| prefix: ghcr.io | ||
|
|
||
| ping: yes | ||
|
|
||
| credentials: secret:argocd/ghcr-secret#token | ||
| ``` | ||
|
|
||
| For registry authentication, in the credentials section, we are using a Kubernetes secret. The **#token** part refers to the specific key (usually containing a personal access token or authentication token) inside the secret. The token must have at least **read:packages** permissions. Here is a manifest of the Kubernetes secret which has to be applied in the **argocd** namespace: | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: ghcr-secret3 | ||
| namespace: argocd | ||
|
|
||
| stringData: | ||
| token: user_name:access_token | ||
| ``` | ||
|
|
||
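Review bot: The GHCR registry entry points at `secret:argocd/ghcr-secret#token`, but the Secret manifest at the end of the file is named `ghcr-secret3`, so the reference does not resolve as written; make the two names match. The ECR policy block is fenced as `bash` but is JSON, and it is cut off after the statement's closing brace: the `"Statement": [` array and the outer object are never closed. Typos: "Red Had Quay" should be "Red Hat Quay", "Jfrog" and "Github" should be "JFrog" and "GitHub", and the directory in the file path is spelled `registires`. On the ECR setup, the text attaches AmazonEC2ContainerRegistryReadOnly to the EKS node group role, which extends that access to every pod scheduled on those nodes; add a sentence noting that, or point readers to a role scoped to the updater's service account.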
21 changes: 21 additions & 0 deletions
...1111/configure-argo-cd-image-updater-challenge/content/update-methods/_index.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| --- | ||
| id: "update-methods" | ||
| title: 'Update Methods' | ||
| description: "" | ||
| weight: 8 | ||
| --- | ||
|
|
||
ARYANSHAH1567 marked this conversation as resolved.
|
||
| ### Propagating New Image Versions in Argo CD | ||
|
|
||
| Argo CD Image Updater supports two write-back methods for propagating new image versions to Argo CD. | ||
|
|
||
| - **argocd**: | ||
| Directly modifies the Argo CD application resource via Kubernetes or the Argo CD API, depending on the configuration. | ||
|
|
||
| - **git**: Creates a Git commit in the application’s repository with the updated image information. | ||
|
|
||
| The write-back method and its configuration are set per application, with further configuration options available depending on the method used. | ||
|
|
||
|
|
||
|
|
||
| > In this microcourse, the examples are applied using the **argocd update** method, which is the default update method and does not need further configuration. For **production environments**, it is recommended to use the **git update** method to persist the changes made by **Argo CD Image Updater** in your git repository. | ||
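Review bot: The closing note calls the two options the "argocd update method" and the "git update method", while the list above introduces them as write-back methods named argocd and git; use one term throughout. The note recommends git for production but the page stops there: since "the write-back method and its configuration are set per application", show where that is set, and mention that the git method needs credentials with write access to the repository, which is the part readers will have to secure. The `- **argocd**:` bullet also breaks its description onto the next line, unlike the `- **git**:` bullet.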