What’s on Image Updater
A tool to automatically update the container images of Kubernetes workloads that are managed by Argo CD.
Capabilities :
- Argo CD Image Updater can check for new versions of the container images that are deployed with your Kubernetes workloads and automatically update them to their latest allowed version using Argo CD.
- It works by setting appropriate
application parameters for Argo CD applications, i.e. similar to
argocd app set --helm-set image.tag=v1.0.1
- but in a fully automated manner.
Prerequisite :
- Kubernetes Cluster
- ArgoCD setup
Steps
Installation of ArgoCD Image Updater
- To install argocd image updater in your cluster ( same one as argocd), run the below command:
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/manifests/install.yaml
- Once it’s installed, let’s check the logs of the pod:
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-image-updater
time="2022-01-16T06:21:00Z" level=info msg="Starting image update cycle, considering 0 annotated application(s) for update"
time="2022-01-16T06:21:00Z" level=info msg="Processing results: applications=0 images_considered=0 images_skipped=0 images_updated=0 errors=0"
Looks clean, let’s move forward.
Configure Remote Repository Secret
- One of the main features of image updater is to write back / update the new image tag to the remote git repo i.e. it will update the image tag, for example, v1.2.3 in the manifest file every time a new image is pushed to image registry.
- I’ll be using Gitlab in this case. Feel free to use Github also.
- Obtain the Access token of your account from Gitlab .
- Once received, run the below command to create the secret :
kubectl --namespace argocd \
create secret generic gitlab-token \
-from-literal=username=GITLAB_USERNAME \
--from-literal=password=GITLAB_TOKEN
- Verify the secret that has been created, by running the below command :
kubectl describe secret gitlab-token -n argocd
Configure Container registry secret
- I’m using DigitalOcean Registry as my cloud provider for storing docker images.
- There are two ways to configure the secret that Kubernetes will use to authenticate to registry endpoint i.e
registry.digitalocean.com
.
- Automatic: Follow the on-screen instructions on the DigitalOcean console to auto-integrate the Kubernetes secret into every namespace.
- Manual: Download the Docker Credentials and follow steps on this link to manually create a Kubernetes secret and then patch to service account of your namespace, argocd in this scenario.
Configure Image updater to watch for Image updates.
Image updater needs access to container registry to watch the Image updates.
Out of the box below Registries are supported :
- Docker Hub Registry
- Google Container Registry (gcr.io)
- RedHat Quay Registry (quay.io)
- GitHub Docker Packages (docker.pkg.github.com)
- GitHub Container Registry (ghcr.io)
If you’re storing images in any other registry other than the above-mentioned, no need to worry, we can utilize the config map to add the registry configs.
To Digital Ocean configs, Add the below to configmap :
argocd-image-updater-config
inargocd
namespace:
registries:
- name: 'Digital Ocean'
api_url: https://registry.digitalocean.com
ping: no
credentials: pullsecret:argocd/SECRET_NAME ( configured from above step )
defaultns: library
prefix: registry.digitalocean.com
Here the credentials are in this order : credentials:pullsecret:namespace/secret-name
There are other forms of secret configuration as well. Please refer to them here.
Configure ArgoCD Application and Annotation
- Once the Gitlab secret is configured, let’s move to the application configuration part.
- Create the Application manifest file for your application.
- Here’s a sample definition for kube-ops-view application :
Let’s understand the above file in detail :
- We’re installing this resource in argocd namespace. ( this is mandatory for argocd resources)
Annotations
:image-list
: tells the image updater, which docker image to watch & update.write-back-method
: is updating the image tag back to manifest files via git commitgit-branch
: we’ll write back to the branch: main.
server
: we’re deploying this to the default cluster.namespace
: the actual namespace in which the application will be deployed.path
: the path of your helm chart inside the remote git repository.targetRevision
: the branch name to which argocd syncs apps.- Since we’re using helm, I’m updating to use values from
values.yaml
file. CreateNamespace
: if the mentioned namespace is not found, argocd will create it.
Once we’re good with the above configurations, to see the image updater in action…
- Push a new image tag to your container registry :
> docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.digitalocean.com/tanmaybhat/kube-ops-view latest a645de6a07a3 21 months ago 253MB
registry.digitalocean.com/tanmaybhat/kube-ops-view v1.2.3 a645de6a07a3 21 months ago 253MB
> docker tag registry.digitalocean.com/tanmaybhat/kube-ops-view:latest registry.digitalocean.com/tanmaybhat/kube-ops-view:v1.2.4
> docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.digitalocean.com/tanmaybhat/kube-ops-view latest a645de6a07a3 21 months ago 253MB
registry.digitalocean.com/tanmaybhat/kube-ops-view v1.2.3 a645de6a07a3 21 months ago 253MB
registry.digitalocean.com/tanmaybhat/kube-ops-view v1.2.4 a645de6a07a3 21 months ago 253MB
> docker push registry.digitalocean.com/tanmaybhat/kube-ops-view:v1.2.4
Once the image is pushed, let’s check the logs of image updater pod logs, it should look like this:
time="2022-01-18T13:09:11Z" level=info msg="git push origin main" dir=/tmp/git-kube-ops-view-demo405157222 execID=mvIL8
time="2022-01-18T13:09:13Z" level=info msg=Trace args="[git push origin main]" dir=/tmp/git-kube-ops-view-demo405157222 operation_name="exec git" time_ms=2058.666776
time="2022-01-18T13:09:13Z" level=info msg="Successfully updated the live application spec" application=kube-ops-view-demo
time="2022-01-18T13:09:14Z" level=info msg="Processing results: applications=1 images_considered=1 images_skipped=0 images_updated=1 errors=0
Here’s what image updater did :
- Detected a new image tag update in the registry
- Cloned the repository
- Made the image update in the manifest file
- Pushed a commit back to the repository main branch
For further verification, let’s go to the repo where the helm chart exists, we should be seeing a new commit :
Let’s see what changed in the file :
Now, all we have to do is wait for 3 min ( default sync period of argocd), and argocd notices that a new image tag has been updated and the same will be applied to the application.
Let’s check the image tag as well :
kubectl describe deploy kube-ops-view -n kube-ops-view | grep Image
Image: registry.digitalocean.com/tanmaybhat/kube-ops-view:v1.2.4