f03eb6f651
Deploys ArgoCD Image Updater into the argocd-image-updater namespace. Vault-managed secrets provide registry credentials for git.unkin.net and an ArgoCD API token.

Prerequisites before syncing:
- Create Vault role argocd-image-updater in k8s/au/syd1
- Populate kv/service/argocd-image-updater/registry-creds (key: creds, value: <user>:<token>)
- Create ArgoCD local user image-updater and store token at kv/service/argocd-image-updater/argocd-token
41 lines
1.1 KiB
YAML
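---
# Credentials for polling the git.unkin.net container registry.
# Vault KV path: kv/service/argocd-image-updater/registry-creds
# Required key: creds — value format: "<username>:<token>"
#
# NOTE(review): the token only needs to list and pull images; confirm it is
# a read-only registry token and not a general-purpose account token.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: registry-creds
  namespace: argocd-image-updater
spec:
  destination:
    # The operator creates the Kubernetes Secret "registry-creds" in this
    # namespace.
    create: true
    name: registry-creds
    # With overwrite enabled, a Secret of the same name that already exists
    # is replaced by the Vault copy; Vault is the source of truth.
    overwrite: true
  # Stores an HMAC of the synced data in the resource status, which the
  # operator uses to detect drift between Vault and the Secret.
  hmacSecretData: true
  # KV version 2 engine mounted at "kv"; path is relative to the mount.
  mount: kv
  path: service/argocd-image-updater/registry-creds
  # A value rotated or removed in Vault can take up to this long to reach
  # the cluster.
  refreshAfter: 5m
  type: kv-v2
  # References a VaultAuth resource named "default", defined outside this
  # file.
  # NOTE(review): confirm the Vault role behind it has a read-only policy
  # scoped to kv/service/argocd-image-updater/* and nothing broader.
  vaultAuthRef: default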
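---
# ArgoCD API token for image updater to discover and update Applications.
# Vault KV path: kv/service/argocd-image-updater/argocd-token
# Required key: token — generate via: argocd account generate-token --account image-updater
#
# NOTE(review): the token carries whatever ArgoCD RBAC the image-updater
# account has. Confirm the account is limited to get/update on applications
# and cannot log in interactively or administer the instance.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: argocd-token
  namespace: argocd-image-updater
spec:
  destination:
    # The operator creates the Kubernetes Secret "argocd-token" in this
    # namespace.
    create: true
    name: argocd-token
    # With overwrite enabled, a Secret of the same name that already exists
    # is replaced by the Vault copy; Vault is the source of truth.
    overwrite: true
  # Stores an HMAC of the synced data in the resource status, which the
  # operator uses to detect drift between Vault and the Secret.
  hmacSecretData: true
  # KV version 2 engine mounted at "kv"; path is relative to the mount.
  mount: kv
  path: service/argocd-image-updater/argocd-token
  # A token rotated or revoked in Vault can take up to this long to reach
  # the cluster.
  # NOTE(review): if the workload reads the token from an environment
  # variable, a refreshed Secret is not picked up until the pod restarts;
  # consider spec.rolloutRestartTargets — verify against the Deployment.
  refreshAfter: 5m
  type: kv-v2
  # References a VaultAuth resource named "default", defined outside this
  # file.
  # NOTE(review): confirm the Vault role behind it has a read-only policy
  # scoped to kv/service/argocd-image-updater/* and nothing broader.
  vaultAuthRef: default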