3 Commits

Author SHA1 Message Date
unkinben f03eb6f651 feat: deploy argocd-image-updater via Helm
Deploys ArgoCD Image Updater into the argocd-image-updater namespace.
Vault-managed secrets provide registry credentials for git.unkin.net
and an ArgoCD API token.

Prerequisites before syncing:
- Create Vault role argocd-image-updater in k8s/au/syd1
- Populate kv/service/argocd-image-updater/registry-creds (key: creds, value: <user>:<token>)
- Create ArgoCD local user image-updater and store token at kv/service/argocd-image-updater/argocd-token
2026-05-10 22:53:06 +10:00
unkinben 296c569cc8 feat: move artifactapi to image-updater ApplicationSet with annotations
Moves artifactapi out of platform-apps ApplicationSet and into a dedicated
image-updater-apps ApplicationSet so image updater annotations are scoped
only to artifactapi. Reserves apps/overlays/*/argocd-image-updater in
platform-apps for the image updater deployment (followup).
2026-05-10 22:51:25 +10:00
unkinben c1d831176d feat(artifactapi): add argo-helm as a remote and virtual helm member
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
2026-05-10 22:50:14 +10:00
11 changed files with 168 additions and 1 deletions
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: argocd-image-updater
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: argocd-image-updater
spec:
allowedNamespaces:
- argocd-image-updater
kubernetes:
audiences:
- vault
role: argocd-image-updater
serviceAccount: argocd-image-updater
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -0,0 +1,40 @@
---
# Credentials for polling the git.unkin.net container registry.
# Vault KV path: kv/service/argocd-image-updater/registry-creds
# Required key: creds — value format: "<username>:<token>"
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: registry-creds
namespace: argocd-image-updater
spec:
destination:
create: true
name: registry-creds
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/registry-creds
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
# ArgoCD API token for image updater to discover and update Applications.
# Vault KV path: kv/service/argocd-image-updater/argocd-token
# Required key: token — generate via: argocd account generate-token --account image-updater
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: argocd-token
namespace: argocd-image-updater
spec:
destination:
create: true
name: argocd-token
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/argocd-token
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
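Review bot: The `argocd-token` VaultStaticSecret has no `rolloutRestartTargets`, so a token rotated in Vault reaches the Kubernetes Secret within `refreshAfter: 5m` but never reaches the running pod, which reads it once at start through the `ARGOCD_TOKEN` `secretKeyRef` in values.yaml. After a rotation or revocation the updater keeps presenting the old token until something else restarts it. Consider adding `rolloutRestartTargets:` under that document's `spec`, with one entry `- kind: Deployment` / `name: argocd-image-updater`. The Deployment name is inferred from `releaseName` and should be checked against the rendered chart. `registry-creds` is referenced as `secret:argocd-image-updater/registry-creds#creds` rather than through an env var, so it probably does not need the same treatment.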
@@ -130,3 +130,14 @@ remotes:
cache:
immutable_ttl: 0
mutable_ttl: 3600
argo-helm:
base_url: "https://argoproj.github.io/argo-helm"
package: "helm"
description: "Argo Project Helm charts (ArgoCD, Image Updater, Rollouts, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
@@ -15,3 +15,4 @@ virtuals:
- stakater
- traefik
- victoriametrics
- argo-helm
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/argocd-image-updater
helmCharts:
- name: argocd-image-updater
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.10.3"
releaseName: argocd-image-updater
namespace: argocd-image-updater
valuesFile: values.yaml
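Review bot: The chart is fetched from the merged `virtual/helm` endpoint, so `name: argocd-image-updater` is resolved across every member of that virtual repository, not only the `argo-helm` remote added in this change. How artifactapi resolves a name collision between members is not visible here; if it goes by member order, another upstream publishing a chart with the same name and version could be served instead. `version: "0.10.3"` pins the version string but not the chart content. It would help to point `repo:` at a remote-scoped endpoint for `argo-helm` if artifactapi exposes one, or at least to add a comment above `helmCharts` such as `# chart source: argo-helm remote (argoproj.github.io/argo-helm) via artifactapi virtual repo`.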
@@ -0,0 +1,33 @@
config:
argocd:
grpcWeb: false
serverAddress: argocd-server.argocd
insecure: true
plaintext: false
registries:
- name: git.unkin.net
api_url: https://git.unkin.net
prefix: git.unkin.net
credentials: secret:argocd-image-updater/registry-creds#creds
insecure: false
authScripts:
enabled: false
extraEnv:
- name: ARGOCD_TOKEN
valueFrom:
secretKeyRef:
name: argocd-token
key: token
gitCommitUser: "ArgoCD Image Updater"
gitCommitEmail: "argocd-image-updater@unkin.net"
rbac:
enabled: true
serviceAccount:
create: true
name: argocd-image-updater
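Review bot: The `insecure: true` that follows `serverAddress: argocd-server.argocd` turns off certificate verification for the Argo CD API connection, while `plaintext: false` keeps TLS on. The result is an encrypted but unauthenticated channel that carries `ARGOCD_TOKEN`, so anything able to intercept in-cluster traffic to that service name could present its own certificate and collect the token. Prefer `insecure: false` with argocd-server serving a certificate valid for `argocd-server.argocd` from a CA the updater trusts. If verification really has to stay off for now, say so on the line, e.g. `insecure: true  # TODO: argocd-server cert not yet issued for the in-cluster name; token is exposed to MITM until fixed`. The indentation is lost in this view, so the nesting under `config.argocd` is assumed from line order.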
+36
@@ -0,0 +1,36 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: image-updater-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
template:
metadata:
name: 'platform-{{path[3]}}'
annotations:
argocd-image-updater.argoproj.io/image-list: "artifactapi=git.unkin.net/unkin/artifactapi"
argocd-image-updater.argoproj.io/artifactapi.update-strategy: semver
argocd-image-updater.argoproj.io/write-back-method: git
argocd-image-updater.argoproj.io/git-branch: main
spec:
project: platform
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
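Review bot: The `image-list` annotation carries no version constraint and there is no `artifactapi.allow-tags` annotation. With `update-strategy: semver`, `write-back-method: git` on `git-branch: main` and `automated` sync with `prune` and `selfHeal`, any higher semver tag pushed to `git.unkin.net/unkin/artifactapi` is committed to main and deployed with no human step. That makes push access to the registry equivalent to deploy access to the cluster. Consider bounding what the updater may select, for example a constraint in the list entry, `"artifactapi=git.unkin.net/unkin/artifactapi:<major>.x"` (placeholder), or an `argocd-image-updater.argoproj.io/artifactapi.allow-tags` pattern. A short comment above the annotations recording that write-back goes directly to main would also help.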
@@ -4,6 +4,7 @@ kind: Kustomization
resources:
- aitooling.yaml
- imageupdater.yaml
- observability.yaml
- platform.yaml
- storage.yaml
+1 -1
@@ -10,7 +10,7 @@ spec:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
- path: apps/overlays/*/argocd-image-updater
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates
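Review bot: Removing `apps/overlays/*/artifactapi` from this generator makes platform-apps stop producing the artifactapi Application, while the new image-updater-apps set produces one from the same path. The template of this ApplicationSet is outside the hunk. If it uses the same `platform-{{path[3]}}` name, the old set may delete the Application and cascade to its resources before the new set recreates it. artifactapi also serves the Helm repository that the `argocd-image-updater` overlay pulls from, so a gap there would block the very directory this line adds. It is worth confirming how deletion is handled during the hand-over, for example with `preserveResourcesOnDeletion: true` in this set's `syncPolicy` for the transition, and noting the expected order in the commit description.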