From 59f4da0b040f66378a20479f830aef7e8865f354 Mon Sep 17 00:00:00 2001 From: Jarvis Yang <45811933+jwhy89@users.noreply.github.com> Date: Wed, 28 May 2025 21:19:20 -0500 Subject: [PATCH] docs(argocd-image-updater): adding examples of using workload identity with Azure Container Registry (#3319) * Adding verbiage for auth scripts and Azure Container Registry if using workload identity. Signed-off-by: Jarvis Yang * doc: ran the helm-docs script Signed-off-by: Jarvis Yang * Bumping the chart version Signed-off-by: Jarvis Yang * Revert pipe and run readme script Signed-off-by: Jarvis Yang * Revert a few more comments and run readme script Signed-off-by: Jarvis Yang * Adding some periods and run readme script Signed-off-by: Jarvis Yang * Forgot the rest of the values and run readme script Signed-off-by: Jarvis Yang * Revert a few more comments and run readme script Signed-off-by: Jarvis Yang * Updating a few more comments and run readme script Signed-off-by: Jarvis Yang * Minor typo Signed-off-by: Jarvis Yang * rm some verbiage and running readme script Signed-off-by: Jarvis Yang * revert verbiage and running readme script Signed-off-by: Jarvis Yang * revert verbiage and running readme script Signed-off-by: Jarvis Yang * rm trailing space and running readme script Signed-off-by: Jarvis Yang --------- Signed-off-by: Jarvis Yang Co-authored-by: Aikawa Co-authored-by: Marco Maurer (-Kilchhofer)
---
charts/argocd-image-updater/Chart.yaml | 4 +--
charts/argocd-image-updater/README.md | 14 ++++----
charts/argocd-image-updater/values.yaml | 43 +++++++++++++++++++------
3 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/charts/argocd-image-updater/Chart.yaml b/charts/argocd-image-updater/Chart.yaml
index a04f5c6f..573591b1 100644
--- a/charts/argocd-image-updater/Chart.yaml
+++ b/charts/argocd-image-updater/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: argocd-image-updater
description: A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD
type: application
-version: 0.12.1
+version: 0.12.2
appVersion: v0.16.0
home: https://github.com/argoproj-labs/argocd-image-updater
icon: https://argocd-image-updater.readthedocs.io/en/stable/assets/logo.png
@@ -19,4 +19,4 @@ annotations:
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: changed
- description: Bump argocd-image-updater to v0.16.0
+ description: Adding verbiage for auth scripts and Azure Container Registry if using workload identity.
diff --git a/charts/argocd-image-updater/README.md b/charts/argocd-image-updater/README.md
index d77ee710..49b462a6 100644
--- a/charts/argocd-image-updater/README.md
+++ b/charts/argocd-image-updater/README.md
@@ -71,7 +71,7 @@ The `config.registries` value can be used exactly as it looks in the documentati
| affinity | object | `{}` | Kubernetes affinity settings for the deployment |
| authScripts.enabled | bool | `false` | Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts` |
| authScripts.name | string | `"argocd-image-updater-authscripts"` | Name of the authentication scripts ConfigMap |
-| authScripts.scripts | object | `{}` | Map of key-value pairs where the key consists of the name of the script and the value the contents |
+| authScripts.scripts | object | `{}` | Map of key-value pairs where the key consists of the name of the script and the value the contents. |
| config.applicationsAPIKind | string | `""` | API kind that is used to manage Argo CD applications (`kubernetes` or `argocd`) |
| config.argocd.grpcWeb | bool | `true` | Use the gRPC-web protocol to connect to the Argo CD API |
| config.argocd.insecure | bool | `false` | If specified, the certificate of the Argo CD API server is not verified. |
@@ -88,14 +88,14 @@ The `config.registries` value can be used exactly as it looks in the documentati
| config.gitCommitUser | string | `""` | Username to use for Git commits |
| config.logLevel | string | `"info"` | Argo CD Image Update log level |
| config.name | string | `"argocd-image-updater-config"` | Name of the ConfigMap |
-| config.registries | list | `[]` | Argo CD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/) |
-| config.sshConfig.config | string | `""` | Argo CD Image Updater ssh client parameter configuration. |
+| config.registries | list | `[]` | Argo CD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/). |
+| config.sshConfig.config | string | `""` | Argo CD Image Updater ssh client parameter configuration |
| config.sshConfig.name | string | `"argocd-image-updater-ssh-config"` | Name of the sshConfig ConfigMap |
| createClusterRoles | bool | `true` | Create cluster roles for cluster-wide installation. |
-| extraArgs | list | `[]` | Extra arguments for argocd-image-updater not defined in `config.argocd`. If a flag contains both key and value, they need to be split to a new entry |
-| extraEnv | list | `[]` | Extra environment variables for argocd-image-updater |
+| extraArgs | list | `[]` | Extra arguments for argocd-image-updater not defined in `config.argocd`. If a flag contains both key and value, they need to be split to a new entry. |
+| extraEnv | list | `[]` | Extra environment variables for argocd-image-updater. |
| extraEnvFrom | list | `[]` | Extra envFrom to pass to argocd-image-updater |
-| extraObjects | list | `[]` | Extra K8s manifests to deploy for argocd-image-updater |
+| extraObjects | list | `[]` | Extra K8s manifests to deploy for argocd-image-updater. 
|
| fullnameOverride | string | `""` | Global fullname (argocd-image-updater.fullname in _helpers.tpl) override |
| image.pullPolicy | string | `"Always"` | Default image pull policy |
| image.repository | string | `"quay.io/argoprojlabs/argocd-image-updater"` | Default image repository |
@@ -126,7 +126,7 @@ The `config.registries` value can be used exactly as it looks in the documentati
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.labels | object | `{}` | Labels to add to the service account |
-| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| tolerations | list | `[]` | Kubernetes toleration settings for the deployment |
| updateStrategy | object | `{"type":"Recreate"}` | The deployment strategy to use to replace existing pods with new ones |
| volumeMounts | list | `[]` | Additional volumeMounts to the image updater main container |
diff --git a/charts/argocd-image-updater/values.yaml b/charts/argocd-image-updater/values.yaml
index 15832520..9c0fcf9e 100644
--- a/charts/argocd-image-updater/values.yaml
+++ b/charts/argocd-image-updater/values.yaml
@@ -26,7 +26,7 @@ namespaceOverride: ""
createClusterRoles: true
# -- Extra arguments for argocd-image-updater not defined in `config.argocd`.
-# If a flag contains both key and value, they need to be split to a new entry
+# If a flag contains both key and value, they need to be split to a new entry.
extraArgs: []
# - --disable-kubernetes
# - --dry-run
@@ -44,10 +44,15 @@ extraArgs: []
# - --registries-conf-path
# - /app/config/registries.conf
-# -- Extra environment variables for argocd-image-updater
+# -- Extra environment variables for argocd-image-updater.
+## These variables are also available to the authentication scripts mounted under /scripts, provided 'authScripts.enabled' is set to 'true'.
extraEnv: []
# - name: AWS_REGION
# value: "us-west-1"
+ # - name: ACR1_NAME
+ # value: "acr1.azurecr.io"
+ # - name: ACR1_CLIENT_ID
+ # value: "00000000-0000-0000-0000-000000000000"
# -- Extra envFrom to pass to argocd-image-updater
extraEnvFrom: []
@@ -56,8 +61,8 @@ extraEnvFrom: []
# - secretRef:
# name: secret-name
-# -- Extra K8s manifests to deploy for argocd-image-updater
-## Note: Supports use of custom Helm templates
+# -- Extra K8s manifests to deploy for argocd-image-updater.
+## Note: Supports use of custom Helm templates.
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
# kind: SecretProviderClass
@@ -154,7 +159,7 @@ config:
# -- Argo CD Image Update log level
logLevel: "info"
- # -- Argo CD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/)
+ # -- Argo CD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/).
registries: []
# - name: Docker Hub
# api_url: https://registry-1.docker.io
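Review bot: The `##` line added right under `# -- Extra environment variables for argocd-image-updater.` runs to roughly 150 columns and quotes the key and value in single quotes (`'authScripts.enabled'`, `'true'`), whereas the surrounding helm-docs comments put keys and paths in backticks (`config.argocd`, `/scripts` in the context lines). Wrapping it keeps the file inside the usual 120-column limit: `## These variables are also available to the authentication scripts mounted under /scripts,` followed by `## provided authScripts.enabled is set to true.`, with the key and path in backticks to match the rest of the file. The other two hunks on this line only add trailing periods and need nothing.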
@@ -178,25 +183,34 @@ config:
# insecure: no
# credentials: ext:/scripts/auth1.sh
# credsexpire: 10h
+ # - name: Azure Container Registry
+ # api_url: https://acr1.azurecr.io
+ # prefix: acr1.azurecr.io
+ # ping: yes
+ # credentials: ext:/scripts/azure-workload-identity.sh
+ # credsexpire: 1h
sshConfig:
# -- Name of the sshConfig ConfigMap
name: argocd-image-updater-ssh-config
- # -- Argo CD Image Updater ssh client parameter configuration.
+ # -- Argo CD Image Updater ssh client parameter configuration
config: ""
# config: |
# Host *
# PubkeyAcceptedAlgorithms +ssh-rsa
# HostkeyAlgorithms +ssh-rsa
-# whether to mount authentication scripts, if enabled, the authentication scripts will be mounted on /scripts that can be used to authenticate with registries (ECR)
+# whether to mount authentication scripts, if enabled, the authentication scripts will be mounted on /scripts that can be used to authenticate with registries (Azure, ECR)
# refer to https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/#specifying-credentials-for-accessing-container-registries for more info
authScripts:
# -- Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts`
enabled: false
# -- Name of the authentication scripts ConfigMap
name: argocd-image-updater-authscripts
- # -- Map of key-value pairs where the key consists of the name of the script and the value the contents
+ # -- Map of key-value pairs where the key consists of the name of the script and the value the contents.
## Expect the script to output Docker credentials in the form: :
## Authentication scripts can be used for various cloud providers like ECR or Azure Workload Identity.
## For Azure Workload Identity, you can place your authentication script here to handle token acquisition.
scripts: {}
# auth1.sh: |
# #!/bin/sh
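Review bot: `ping: yes` in the new Azure Container Registry example is a YAML 1.1 boolean; under a YAML 1.2 loader (and yamllint's truthy rule) `yes` is the string "yes", so the example is safer written as `ping: true`. The pre-existing `insecure: no` on the context line above has the same form, so the new entry follows the file's current examples and both could be normalised together. The added `## Expect the script to output Docker credentials in the form: :` line reads as if a placeholder around the colon was dropped, most likely angle-bracketed text that a renderer stripped; confirm the committed file spells the username and password placeholders out so the line tells readers what to emit.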
@@ -204,16 +218,26 @@ authScripts:
# auth2.sh: |
# #!/bin/sh
# echo "auth script 2 here"
+ # azure-workload-identity.sh: |
+ # #!/bin:sh
+ # # Example script for Azure Workload Identity.
+ # # This script would typically use environment variables set by the workload identity
+ # # to acquire an Azure AD token and authenticate with Azure Container Registry (ACR).
+ # # It should output the Docker username and password on stdout, e.g., '00000000-0000-0000-0000-000000000000:'
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
+ # Example for Azure Workload Identity:
+ # azure.workload.identity/client-id: "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# -- Labels to add to the service account
labels: {}
+ # Example for Azure Workload Identity:
+ # azure.workload.identity/use: "true"
# -- The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
+ # If not set and create is true, a name is generated using the fullname template.
name: ""
# -- Pod Annotations for the deployment
@@ -221,6 +245,7 @@ podAnnotations: {}
# -- Pod Labels for the deployment
podLabels: {}
+ # azure.workload.identity/use: "true"
# -- Pod security context settings for the deployment
podSecurityContext: {}
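Review bot: The shebang in the new `azure-workload-identity.sh` example is `#!/bin:sh`, which is not an interpreter path; a script copied from this example into `authScripts.scripts` would most likely fail when the updater tries to execute it, so the line should read `# #!/bin/sh` like the `auth1.sh` and `auth2.sh` examples above it. The example output `'00000000-0000-0000-0000-000000000000:'` on the last comment line ends right after the colon, so as rendered it shows a username and no password; if a placeholder was lost in rendering that is fine, otherwise the comment should say that the acquired token follows the colon. The second hunk on this line (`podLabels`) only adds a commented label example and needs nothing.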