From 879453808c9ada59d758200fe2bf2170dde1804d Mon Sep 17 00:00:00 2001 From: Wylie Hobbs Date: Mon, 16 Aug 2021 09:23:02 -0600 Subject: [PATCH] feat(argo-cd): Add argocd image updater (#477) * Add argocd-image-updater chart Signed-off-by: Wylie Hobbs * Add maintainers Signed-off-by: Wylie Hobbs * update rbac and chart metadata Signed-off-by: Wylie Hobbs * fix chompstyle Signed-off-by: Wylie Hobbs * add README/template with helm-docs Signed-off-by: Wylie Hobbs * Use correct icon url and use a generic maintainer section Signed-off-by: Marco Kilchhofer Co-authored-by: Marco Kilchhofer --- charts/argocd-image-updater/.helmignore | 23 ++++ charts/argocd-image-updater/Chart.yaml | 18 ++++ charts/argocd-image-updater/README.md | 86 +++++++++++++++ charts/argocd-image-updater/README.md.gotmpl | 58 ++++++++++ .../templates/_helpers.tpl | 63 +++++++++++ .../templates/configmap.yaml | 13 +++ .../templates/deployment.yaml | 95 ++++++++++++++++ .../argocd-image-updater/templates/rbac.yaml | 48 +++++++++ .../templates/serviceaccount.yaml | 12 +++ charts/argocd-image-updater/values.yaml | 102 ++++++++++++++++++ 10 files changed, 518 insertions(+) create mode 100644 charts/argocd-image-updater/.helmignore create mode 100644 charts/argocd-image-updater/Chart.yaml create mode 100644 charts/argocd-image-updater/README.md create mode 100644 charts/argocd-image-updater/README.md.gotmpl create mode 100644 charts/argocd-image-updater/templates/_helpers.tpl create mode 100644 charts/argocd-image-updater/templates/configmap.yaml create mode 100644 charts/argocd-image-updater/templates/deployment.yaml create mode 100644 charts/argocd-image-updater/templates/rbac.yaml create mode 100644 charts/argocd-image-updater/templates/serviceaccount.yaml create mode 100644 charts/argocd-image-updater/values.yaml diff --git a/charts/argocd-image-updater/.helmignore b/charts/argocd-image-updater/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/argocd-image-updater/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/argocd-image-updater/Chart.yaml b/charts/argocd-image-updater/Chart.yaml new file mode 100644 index 00000000..1ace2616 --- /dev/null +++ b/charts/argocd-image-updater/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: argocd-image-updater +description: A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD +type: application +version: 0.1.0 +appVersion: v0.10.1 +home: https://github.com/argoproj-labs/argocd-image-updater +icon: https://argocd-image-updater.readthedocs.io/en/stable/assets/logo.png +keywords: + - argoproj + - argocd + - gitops +maintainers: + - name: argoproj + url: https://argoproj.github.io/ +annotations: + artifacthub.io/changes: | + - "[Added]: First chart release" diff --git a/charts/argocd-image-updater/README.md b/charts/argocd-image-updater/README.md new file mode 100644 index 00000000..d3440dd6 --- /dev/null +++ b/charts/argocd-image-updater/README.md @@ -0,0 +1,86 @@ +# argocd-image-updater + +A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD + +To regenerate this document, from the root of this chart directory run: +```shell +docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:latest +``` + +## Installation + +```console +helm repo add argo https://argoproj.github.io/argo-helm +helm install argocd-image-updater argo/argocd-image-updater +``` + +You will also need to run through the [secret setup documentation](https://argocd-image-updater.readthedocs.io/en/stable/install/start/#connect-using-argo-cd-api-server) so ArgoCD ImageUpdater can talk to the ArgoCD API (until its automated in this chart). + +## TODO + +- Automate setting up the ArgoCD API Authentication user/secret using a Helm Hook or something. + +## Prerequisites + +* Helm v3.0.0+ + +## Configuration options + +In order for your deployment of ArgoCD Image Updater to be successful, you will need to make sure you set the correct configuration options described in detail on the [argocd-image-updater flags page](https://argocd-image-updater.readthedocs.io/en/stable/install/running/#flags). + +All of the `argocd-` prefixed flags, which tell `argocd-image-updater` how your ArgoCD instance is setup, are set in the `config.argocd` values block. For instance: + +```yaml +config: + argocd: + grpcWeb: false + serverAddress: "http://argocd.argo" + insecure: true + plaintext: true +``` + +Any additional arguments mentioned on the [argocd-image-updater flags page](https://argocd-image-updater.readthedocs.io/en/stable/install/running/#flags) can be configured using the `extraArgs` value, like so. + +### Registries + +ArgoCD Image Updater natively supports the following registries (as mentioned in [the documentation](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/)): + +- Docker Hub +- Google Container Registry +- RedHat Quay +- GitHub Container Registry +- GitHub Docker Packages + +If you need support for ECR, you can reference [this issue](https://github.com/argoproj-labs/argocd-image-updater/issues/112) for configuration. + +The `config.registries` value can be used exactly as it looks in the documentation as it gets dumped directly into a configmap in this chart. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Kubernetes affinity settings for the deployment | +| config.argocd.grpcWeb | bool | `true` | Use the gRPC-web protocol to connect to the Argo CD API | +| config.argocd.insecure | bool | `false` | If specified, the certificate of the Argo CD API server is not verified. | +| config.argocd.plaintext | bool | `false` | If specified, use an unencrypted HTTP connection to the ArgoCD API instead of TLS. | +| config.argocd.serverAddress | string | `""` | Connect to the Argo CD API server at server address | +| config.logLevel | string | `"info"` | ArgoCD Image Update log level | +| config.registries | list | `[]` | ArgoCD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/) | +| extraArgs | list | `[]` | Extra arguments for argocd-image-updater not defined in config.argocd | +| fullnameOverride | string | `""` | Global fullname (argocd-image-updater.fullname in _helpers.tpl) override | +| image.pullPolicy | string | `"Always"` | Default image pull policy | +| image.repository | string | `"argoprojlabs/argocd-image-updater"` | Default image repository | +| image.tag | string | `"v0.10.1"` | Default image tag | +| imagePullSecrets | list | `[]` | ImagePullSecrets for the image updater deployment | +| nameOverride | string | `""` | Global name (argocd-image-updater.name in _helpers.tpl) override | +| nodeSelector | object | `{}` | Kubernetes nodeSelector settings for the deployment | +| podAnnotations | object | `{}` | Pod Annotations for the deployment | +| podSecurityContext | object | `{}` | Pod security context settings for the deployment | +| rbac.enabled | bool | `true` | Enable RBAC creation | +| replicaCount | int | `1` | Replica count for the deployment. It is not advised to run more than one replica. | +| resources | object | `{}` | Pod memory and cpu resource settings for the deployment | +| securityContext | object | `{}` | Security context settings for the deployment | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| tolerations | list | `[]` | Kubernetes toleration settings for the deployment | diff --git a/charts/argocd-image-updater/README.md.gotmpl b/charts/argocd-image-updater/README.md.gotmpl new file mode 100644 index 00000000..eab46779 --- /dev/null +++ b/charts/argocd-image-updater/README.md.gotmpl @@ -0,0 +1,58 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +To regenerate this document, from the root of this chart directory run: +```shell +docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:latest +``` + +## Installation + +```console +helm repo add argo https://argoproj.github.io/argo-helm +helm install argocd-image-updater argo/argocd-image-updater +``` + +You will also need to run through the [secret setup documentation](https://argocd-image-updater.readthedocs.io/en/stable/install/start/#connect-using-argo-cd-api-server) so ArgoCD ImageUpdater can talk to the ArgoCD API (until its automated in this chart). + +## TODO + +- Automate setting up the ArgoCD API Authentication user/secret using a Helm Hook or something. + +## Prerequisites + +* Helm v3.0.0+ + +## Configuration options + +In order for your deployment of ArgoCD Image Updater to be successful, you will need to make sure you set the correct configuration options described in detail on the [argocd-image-updater flags page](https://argocd-image-updater.readthedocs.io/en/stable/install/running/#flags). + +All of the `argocd-` prefixed flags, which tell `argocd-image-updater` how your ArgoCD instance is setup, are set in the `config.argocd` values block. For instance: + +```yaml +config: + argocd: + grpcWeb: false + serverAddress: "http://argocd.argo" + insecure: true + plaintext: true +``` + +Any additional arguments mentioned on the [argocd-image-updater flags page](https://argocd-image-updater.readthedocs.io/en/stable/install/running/#flags) can be configured using the `extraArgs` value, like so. + +### Registries + +ArgoCD Image Updater natively supports the following registries (as mentioned in [the documentation](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/)): + +- Docker Hub +- Google Container Registry +- RedHat Quay +- GitHub Container Registry +- GitHub Docker Packages + +If you need support for ECR, you can reference [this issue](https://github.com/argoproj-labs/argocd-image-updater/issues/112) for configuration. + +The `config.registries` value can be used exactly as it looks in the documentation as it gets dumped directly into a configmap in this chart. + +{{ template "chart.valuesSection" . }} diff --git a/charts/argocd-image-updater/templates/_helpers.tpl b/charts/argocd-image-updater/templates/_helpers.tpl new file mode 100644 index 00000000..5c0be1da --- /dev/null +++ b/charts/argocd-image-updater/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "argocd-image-updater.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "argocd-image-updater.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "argocd-image-updater.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "argocd-image-updater.labels" -}} +helm.sh/chart: {{ include "argocd-image-updater.chart" . }} +{{ include "argocd-image-updater.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "argocd-image-updater.selectorLabels" -}} +app.kubernetes.io/name: {{ include "argocd-image-updater.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "argocd-image-updater.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "argocd-image-updater.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/argocd-image-updater/templates/configmap.yaml b/charts/argocd-image-updater/templates/configmap.yaml new file mode 100644 index 00000000..dab468a2 --- /dev/null +++ b/charts/argocd-image-updater/templates/configmap.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "argocd-image-updater.labels" . | nindent 4 }} + name: argocd-image-updater-config +data: + registries.conf: | + {{- with .Values.config.registries }} + registries: + {{- toYaml . | nindent 6 }} + {{- end }} diff --git a/charts/argocd-image-updater/templates/deployment.yaml b/charts/argocd-image-updater/templates/deployment.yaml new file mode 100644 index 00000000..cfc350ec --- /dev/null +++ b/charts/argocd-image-updater/templates/deployment.yaml @@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "argocd-image-updater.fullname" . }} + labels: + {{- include "argocd-image-updater.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "argocd-image-updater.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + labels: + {{- include "argocd-image-updater.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "argocd-image-updater.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + command: + - /usr/local/bin/argocd-image-updater + - run + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: ARGOCD_GRPC_WEB + value: {{ .Values.config.argocd.grpcWeb | quote }} + - name: ARGOCD_SERVER + value: {{ .Values.config.argocd.serverAddress }} + - name: ARGOCD_INSECURE + value: {{ .Values.config.argocd.insecure | quote }} + - name: ARGOCD_PLAINTEXT + value: {{ .Values.config.argocd.plaintext | quote }} + - name: ARGOCD_TOKEN + valueFrom: + secretKeyRef: + key: argocd.token + name: argocd-image-updater-secret + optional: true + - name: IMAGE_UPDATER_LOGLEVEL + value: {{ .Values.config.logLevel }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: 8080 + readinessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 30 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 30 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /app/config + name: registries-conf + volumes: + - configMap: + items: + - key: registries.conf + path: registries.conf + name: argocd-image-updater-config + name: registries-conf + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/argocd-image-updater/templates/rbac.yaml b/charts/argocd-image-updater/templates/rbac.yaml new file mode 100644 index 00000000..cb508a43 --- /dev/null +++ b/charts/argocd-image-updater/templates/rbac.yaml @@ -0,0 +1,48 @@ +{{- if .Values.rbac.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{ include "argocd-image-updater.labels" . | nindent 4 }} + name: {{ include "argocd-image-updater.fullname" . }} +rules: + - apiGroups: + - '' + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - argoproj.io + resources: + - applications + verbs: + - get + - list + - update + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{ include "argocd-image-updater.labels" . | nindent 4 }} + name: {{ include "argocd-image-updater.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "argocd-image-updater.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "argocd-image-updater.serviceAccountName" . }} +{{- end }} diff --git a/charts/argocd-image-updater/templates/serviceaccount.yaml b/charts/argocd-image-updater/templates/serviceaccount.yaml new file mode 100644 index 00000000..c208ee69 --- /dev/null +++ b/charts/argocd-image-updater/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "argocd-image-updater.serviceAccountName" . }} + labels: + {{- include "argocd-image-updater.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/argocd-image-updater/values.yaml b/charts/argocd-image-updater/values.yaml new file mode 100644 index 00000000..f939137c --- /dev/null +++ b/charts/argocd-image-updater/values.yaml @@ -0,0 +1,102 @@ +# -- Replica count for the deployment. It is not advised to run more than one replica. +replicaCount: 1 +image: + # -- Default image repository + repository: argoprojlabs/argocd-image-updater + # -- Default image pull policy + pullPolicy: Always + # -- Default image tag + tag: v0.10.1 + +# -- ImagePullSecrets for the image updater deployment +imagePullSecrets: [] +# -- Global name (argocd-image-updater.name in _helpers.tpl) override +nameOverride: "" +# -- Global fullname (argocd-image-updater.fullname in _helpers.tpl) override +fullnameOverride: "" + +# -- Extra arguments for argocd-image-updater not defined in config.argocd +extraArgs: [] + # - --disable-kubernetes + # - --dry-run + # - --health-port 8080 + # - --interval 2m + # - --kubeconfig ~/.kube/config + # - --match-application-name staging-* + # - --max-concurrency 5 + # - --once + # - --registries-conf-path /app/config/registries.conf + +config: + # Described in detail here https://argocd-image-updater.readthedocs.io/en/stable/install/running/#flags + argocd: + # -- Use the gRPC-web protocol to connect to the Argo CD API + grpcWeb: true + # -- Connect to the Argo CD API server at server address + serverAddress: "" + # -- If specified, the certificate of the Argo CD API server is not verified. + insecure: false + # -- If specified, use an unencrypted HTTP connection to the ArgoCD API instead of TLS. + plaintext: false + + # -- ArgoCD Image Update log level + logLevel: "info" + + # -- ArgoCD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/) + registries: [] + # - name: Docker Hub + # api_url: https://registry-1.docker.io + # ping: yes + # credentials: secret:foo/bar#creds + # defaultns: library + # - name: Google Container Registry + # api_url: https://gcr.io + # prefix: gcr.io + # ping: no + # credentials: pullsecret:foo/bar + # - name: RedHat Quay + # api_url: https://quay.io + # ping: no + # prefix: quay.io + # credentials: env:REGISTRY_SECRET + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# -- Pod Annotations for the deployment +podAnnotations: {} + +# -- Pod security context settings for the deployment +podSecurityContext: {} + # fsGroup: 2000 + +# -- Security context settings for the deployment +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +rbac: + # -- Enable RBAC creation + enabled: true + +# -- Pod memory and cpu resource settings for the deployment +resources: {} + +# -- Kubernetes nodeSelector settings for the deployment +nodeSelector: {} + +# -- Kubernetes toleration settings for the deployment +tolerations: [] + +# -- Kubernetes affinity settings for the deployment +affinity: {}