7 Commits

Author SHA1 Message Date
unkinben f03eb6f651 feat: deploy argocd-image-updater via Helm
Deploys ArgoCD Image Updater into the argocd-image-updater namespace.
Vault-managed secrets provide registry credentials for git.unkin.net
and an ArgoCD API token.

Prerequisites before syncing:
- Create Vault role argocd-image-updater in k8s/au/syd1
- Populate kv/service/argocd-image-updater/registry-creds (key: creds, value: <user>:<token>)
- Create ArgoCD local user image-updater and store token at kv/service/argocd-image-updater/argocd-token
2026-05-10 22:53:06 +10:00
unkinben 296c569cc8 feat: move artifactapi to image-updater ApplicationSet with annotations
Moves artifactapi out of platform-apps ApplicationSet and into a dedicated
image-updater-apps ApplicationSet so image updater annotations are scoped
only to artifactapi. Reserves apps/overlays/*/argocd-image-updater in
platform-apps for the image updater deployment (followup).
2026-05-10 22:51:25 +10:00
unkinben c1d831176d feat(artifactapi): add argo-helm as a remote and virtual helm member
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
2026-05-10 22:50:14 +10:00
unkinben 1cefd3b78e feat: change argocd crds source to artifactapi (#118)
- migrate argocd crds to come from the artifactapi service

Reviewed-on: #118
2026-05-10 21:12:44 +10:00
unkinben 842d774fc3 feat: deploy gatewayapi crds (#117)
- enable gateway api crds

Reviewed-on: #117
2026-05-10 21:05:56 +10:00
unkinben 4c8827ce35 feat: add traefik/gatewayapi (#116)
enable access to charts/containers/api-specs so that we can migrate from
nginx-ingress to gateway api and traefik

Reviewed-on: #116
2026-05-10 17:07:33 +10:00
unkinben 5e03215f4d chore: migrate reloader/reflector to virtual/helm (#115)
Reviewed-on: #115
2026-05-05 21:42:23 +10:00
24 changed files with 194 additions and 20 deletions
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: argocd-image-updater
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: argocd-image-updater
spec:
allowedNamespaces:
- argocd-image-updater
kubernetes:
audiences:
- vault
role: argocd-image-updater
serviceAccount: argocd-image-updater
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -0,0 +1,40 @@
---
# Credentials for polling the git.unkin.net container registry.
# Vault KV path: kv/service/argocd-image-updater/registry-creds
# Required key: creds — value format: "<username>:<token>"
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: registry-creds
namespace: argocd-image-updater
spec:
destination:
create: true
name: registry-creds
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/registry-creds
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
# ArgoCD API token for image updater to discover and update Applications.
# Vault KV path: kv/service/argocd-image-updater/argocd-token
# Required key: token — generate via: argocd account generate-token --account image-updater
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: argocd-token
namespace: argocd-image-updater
spec:
destination:
create: true
name: argocd-token
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/argocd-token
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -30,6 +30,7 @@ remotes:
- "^hashicorp/vault-secrets-operator"
- "^jfrog/"
- "^rancher/"
- "^traefik/"
- "^ubi9/ubi-minimal"
- "^victoriametrics/"
- "^woodpeckerci/"
@@ -26,6 +26,7 @@ remotes:
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
- "kubernetes-sigs/gateway-api/.*/standard-install.yaml$"
- "lxc/incus/.*.tar.gz$"
- "mikefarah/yq/.*/yq_linux_amd64$"
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
@@ -109,6 +109,17 @@ remotes:
immutable_ttl: 0
mutable_ttl: 3600
traefik:
base_url: "https://traefik.github.io/charts"
package: "helm"
description: "Traefik Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
victoriametrics:
base_url: "https://victoriametrics.github.io/helm-charts/"
package: "helm"
@@ -119,3 +130,14 @@ remotes:
cache:
immutable_ttl: 0
mutable_ttl: 3600
argo-helm:
base_url: "https://argoproj.github.io/argo-helm"
package: "helm"
description: "Argo Project Helm charts (ArgoCD, Image Updater, Rollouts, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
@@ -13,4 +13,6 @@ virtuals:
- purelb
- rancher-stable
- stakater
- traefik
- victoriametrics
- argo-helm
@@ -7,12 +7,12 @@ resources:
helmCharts:
- name: intel-device-plugins-operator
repo: https://intel.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.35.0"
releaseName: intel-device-plugins-operator
namespace: inteldeviceplugins-system
- name: intel-device-plugins-gpu
repo: https://intel.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.34.1"
releaseName: intel-gpu-plugin
namespace: inteldeviceplugins-system
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/argocd-image-updater
helmCharts:
- name: argocd-image-updater
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.10.3"
releaseName: argocd-image-updater
namespace: argocd-image-updater
valuesFile: values.yaml
@@ -0,0 +1,33 @@
config:
argocd:
grpcWeb: false
serverAddress: argocd-server.argocd
insecure: true
plaintext: false
registries:
- name: git.unkin.net
api_url: https://git.unkin.net
prefix: git.unkin.net
credentials: secret:argocd-image-updater/registry-creds#creds
insecure: false
authScripts:
enabled: false
extraEnv:
- name: ARGOCD_TOKEN
valueFrom:
secretKeyRef:
name: argocd-token
key: token
gitCommitUser: "ArgoCD Image Updater"
gitCommitEmail: "argocd-image-updater@unkin.net"
rbac:
enabled: true
serviceAccount:
create: true
name: argocd-image-updater
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: rancher
repo: https://releases.rancher.com/server-charts/stable
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "2.13.1"
releaseName: rancher
namespace: cattle-system
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: cert-manager
repo: https://charts.jetstack.io
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "v1.19.2"
releaseName: cert-manager
namespace: cert-manager
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: cloudnative-pg
repo: https://cloudnative-pg.github.io/charts
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.27.0"
releaseName: cloudnative-pg-operator
namespace: cnpg-system
@@ -9,7 +9,7 @@ resources:
helmCharts:
- name: eck-operator
repo: https://helm.elastic.co
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "3.2.0"
releaseName: elastic-operator
namespace: elastic-system
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: external-dns
repo: https://kubernetes-sigs.github.io/external-dns/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "1.19.0"
releaseName: externaldns
namespace: externaldns
@@ -9,13 +9,13 @@ resources:
helmCharts:
- name: victoria-metrics-cluster
repo: https://victoriametrics.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.33.0"
releaseName: victoria-metrics-cluster
namespace: observability
valuesFile: values-vmcluster.yaml
- name: victoria-metrics-agent
repo: https://victoriametrics.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.30.0"
releaseName: victoria-metrics-agent
namespace: observability
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: reflector
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
repo: oci://ghcr.io/emberstack/helm-charts
version: "10.0.1"
releaseName: reflector
namespace: reflector-system
+36
View File
@@ -0,0 +1,36 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: image-updater-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
template:
metadata:
name: 'platform-{{path[3]}}'
annotations:
argocd-image-updater.argoproj.io/image-list: "artifactapi=git.unkin.net/unkin/artifactapi"
argocd-image-updater.argoproj.io/artifactapi.update-strategy: semver
argocd-image-updater.argoproj.io/write-back-method: git
argocd-image-updater.argoproj.io/git-branch: main
spec:
project: platform
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
@@ -4,6 +4,7 @@ kind: Kustomization
resources:
- aitooling.yaml
- imageupdater.yaml
- observability.yaml
- platform.yaml
- storage.yaml
+1 -1
View File
@@ -10,7 +10,7 @@ spec:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
- path: apps/overlays/*/argocd-image-updater
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates
-1
View File
@@ -8,7 +8,6 @@ spec:
description: Observability stack (metrics, monitoring)
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://victoriametrics.github.io/helm-charts/
destinations:
- namespace: 'observability'
server: https://kubernetes.default.svc
-7
View File
@@ -9,14 +9,7 @@ spec:
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
- https://charts.jetstack.io
- https://cloudnative-pg.github.io/charts
- https://helm.elastic.co
- https://purelb.github.io/purelb/charts
- https://intel.github.io/helm-charts/
- https://kubernetes-sigs.github.io/external-dns/
- https://releases.rancher.com/server-charts/stable
- https://victoriametrics.github.io/helm-charts/
- oci://gcr.io/k8s-staging-nfd/charts
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
destinations:
@@ -3,7 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
- au-syd1-apps.yaml
- argocd-self-app.yaml