feat: deploy argocd-image-updater via Helm

Deploys ArgoCD Image Updater into the argocd-image-updater namespace.
Vault-managed secrets provide registry credentials for git.unkin.net
and an ArgoCD API token.

Prerequisites before syncing:
- Create Vault role argocd-image-updater in k8s/au/syd1
- Populate kv/service/argocd-image-updater/registry-creds (key: creds, value: <user>:<token>)
- Create ArgoCD local user image-updater and store token at kv/service/argocd-image-updater/argocd-token
This commit is contained in:
2026-05-10 22:53:06 +10:00
parent 296c569cc8
commit f03eb6f651
6 changed files with 118 additions and 0 deletions
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: argocd-image-updater
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: argocd-image-updater
spec:
allowedNamespaces:
- argocd-image-updater
kubernetes:
audiences:
- vault
role: argocd-image-updater
serviceAccount: argocd-image-updater
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -0,0 +1,40 @@
---
# Credentials for polling the git.unkin.net container registry.
# Vault KV path: kv/service/argocd-image-updater/registry-creds
# Required key: creds — value format: "<username>:<token>"
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: registry-creds
namespace: argocd-image-updater
spec:
destination:
create: true
name: registry-creds
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/registry-creds
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
# ArgoCD API token for image updater to discover and update Applications.
# Vault KV path: kv/service/argocd-image-updater/argocd-token
# Required key: token — generate via: argocd account generate-token --account image-updater
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: argocd-token
namespace: argocd-image-updater
spec:
destination:
create: true
name: argocd-token
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/argocd-token
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default