diff --git a/apps/base/argocd-image-updater/kustomization.yaml b/apps/base/argocd-image-updater/kustomization.yaml
new file mode 100644
index 0000000..cc622a0
--- /dev/null
+++ b/apps/base/argocd-image-updater/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - vaultauth.yaml
+ - vaultstaticsecret.yaml
diff --git a/apps/base/argocd-image-updater/namespace.yaml b/apps/base/argocd-image-updater/namespace.yaml
new file mode 100644
index 0000000..b5135e8
--- /dev/null
+++ b/apps/base/argocd-image-updater/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd-image-updater
diff --git a/apps/base/argocd-image-updater/vaultauth.yaml b/apps/base/argocd-image-updater/vaultauth.yaml
new file mode 100644
index 0000000..2f6b851
--- /dev/null
+++ b/apps/base/argocd-image-updater/vaultauth.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: default
+ namespace: argocd-image-updater
+spec:
+ allowedNamespaces:
+ - argocd-image-updater
+ kubernetes:
+ audiences:
+ - vault
+ role: argocd-image-updater
+ serviceAccount: argocd-image-updater
+ tokenExpirationSeconds: 600
+ method: kubernetes
+ mount: k8s/au/syd1
+ vaultConnectionRef: vso-system/default
diff --git a/apps/base/argocd-image-updater/vaultstaticsecret.yaml b/apps/base/argocd-image-updater/vaultstaticsecret.yaml
new file mode 100644
index 0000000..4e3f4f8
--- /dev/null
+++ b/apps/base/argocd-image-updater/vaultstaticsecret.yaml
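Review bot: In apps/base/argocd-image-updater/vaultauth.yaml, `mount: k8s/au/syd1` is specific to one cluster, yet the file sits under apps/base and the only overlay in this commit is au-syd1. Any further overlay that reuses this base would attempt its Vault login against the syd1 auth mount, where the role bindings were written for a different cluster. Consider moving the mount into an overlay patch, or at least add a comment above it such as `# syd1-only: patch per overlay before reusing this base`. The Vault role `argocd-image-updater` is not visible here; its policy should presumably be limited to read on the two `service/argocd-image-updater/*` KV paths this commit consumes.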
@@ -0,0 +1,40 @@
+---
+# Credentials for polling the git.unkin.net container registry.
+# Vault KV path: kv/service/argocd-image-updater/registry-creds
+# Required key: creds — value format: ":"
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: registry-creds
+ namespace: argocd-image-updater
+spec:
+ destination:
+ create: true
+ name: registry-creds
+ overwrite: true
+ hmacSecretData: true
+ mount: kv
+ path: service/argocd-image-updater/registry-creds
+ refreshAfter: 5m
+ type: kv-v2
+ vaultAuthRef: default
+---
+# ArgoCD API token for image updater to discover and update Applications.
+# Vault KV path: kv/service/argocd-image-updater/argocd-token
+# Required key: token — generate via: argocd account generate-token --account image-updater
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: argocd-token
+ namespace: argocd-image-updater
+spec:
+ destination:
+ create: true
+ name: argocd-token
+ overwrite: true
+ hmacSecretData: true
+ mount: kv
+ path: service/argocd-image-updater/argocd-token
+ refreshAfter: 5m
+ type: kv-v2
+ vaultAuthRef: default
diff --git a/apps/overlays/au-syd1/argocd-image-updater/kustomization.yaml b/apps/overlays/au-syd1/argocd-image-updater/kustomization.yaml
new file mode 100644
index 0000000..fd1b7db
--- /dev/null
+++ b/apps/overlays/au-syd1/argocd-image-updater/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/argocd-image-updater
+
+helmCharts:
+ - name: argocd-image-updater
+ repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
+ version: "0.10.3"
+ releaseName: argocd-image-updater
+ namespace: argocd-image-updater
+ valuesFile: values.yaml
diff --git a/apps/overlays/au-syd1/argocd-image-updater/values.yaml b/apps/overlays/au-syd1/argocd-image-updater/values.yaml
new file mode 100644
index 0000000..ff99e0e
--- /dev/null
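Review bot: In vaultstaticsecret.yaml the `argocd-token` document refreshes the Kubernetes Secret every 5m, but values.yaml in this same commit injects it as the `ARGOCD_TOKEN` env var via `secretKeyRef`, and env vars are read only at container start. A token rotated or revoked in Vault therefore keeps being used by the running pod until something restarts it; adding `rolloutRestartTargets:` with `- kind: Deployment` and `name: <image-updater-deployment>` (placeholder, the chart's Deployment name is not shown here) to that document closes the gap. The documented `argocd account generate-token --account image-updater` issues a non-expiring token by default, so I would extend the comment's command with `--expires-in <duration>` and state who rotates it. The `creds` comment gives the value format as `":"`, which looks like lost placeholder names and should be restated.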
+++ b/apps/overlays/au-syd1/argocd-image-updater/values.yaml
@@ -0,0 +1,33 @@
+config:
+ argocd:
+ grpcWeb: false
+ serverAddress: argocd-server.argocd
+ insecure: true
+ plaintext: false
+
+ registries:
+ - name: git.unkin.net
+ api_url: https://git.unkin.net
+ prefix: git.unkin.net
+ credentials: secret:argocd-image-updater/registry-creds#creds
+ insecure: false
+
+authScripts:
+ enabled: false
+
+extraEnv:
+ - name: ARGOCD_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: argocd-token
+ key: token
+
+gitCommitUser: "ArgoCD Image Updater"
+gitCommitEmail: "argocd-image-updater@unkin.net"
+
+rbac:
+ enabled: true
+
+serviceAccount:
+ create: true
+ name: argocd-image-updater
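Review bot: `insecure: true` directly after `serverAddress: argocd-server.argocd` turns off verification of the Argo CD API server certificate, while `plaintext: false` keeps TLS on and `ARGOCD_TOKEN` is sent as the bearer credential over that connection. Anything able to intercept in-cluster traffic to that service name could present its own certificate and collect the token. Prefer `insecure: false` with the CA that signs argocd-server's certificate made available to the updater, or, if the server only has a self-signed certificate for now, add a comment such as `# TODO: argocd-server cert is self-signed; enable verification once a trusted cert is issued`. Indentation is flattened in this view, so I am assuming this key sits under `config.argocd` and that the later `insecure: false` belongs to the registry entry.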