I have a project which is built and stored in a Docker repo (specifically, AWS ECR). I have a GitHub Actions pipeline that automatically uploads the new image and tags it as `latest`. I have also set up ArgoCD pointing to my git project, which has a Deployment object:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-argocd-deployment
  labels:
    app.kubernetes.io/name: k8s-argocd-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: k8s-argocd
  template:
    metadata:
      labels:
        app.kubernetes.io/name: k8s-argocd
    spec:
      containers:
        - name: k8s-argocd-app
          image: [......].dkr.ecr.us-east-1.amazonaws.com/k8s-argocd:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 80
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
      imagePullSecrets:
        - name: us-east-1-ecr-registry
```
Is there a way to let ArgoCD know when to fetch and update the Kubernetes state? Since the deployment file itself hasn't changed, ArgoCD doesn't know there's a newer image. I know you can kind of do it with Kustomization, for example using a `kustomization.yaml` file such as this:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service.yaml
  - deployment.yaml
images:
  - name: [......].dkr.ecr.us-east-1.amazonaws.com/k8s-argocd
    newName: [......].dkr.ecr.us-east-1.amazonaws.com/k8s-argocd
    newTag: new-commit-tag
```
But that requires a new commit in the CI pipeline updating the newTag property which usually spams the dev/main branch. Any help would be appreciated, thanks!
This can be achieved with Argo CD Image Updater. You can deploy it using its Helm chart as an ArgoCD app and configure it with your artifact/Docker registry.
Once configured, it will monitor for the latest image pushes.
If it discovers a new tag, it will merge to your argo repo master or HEAD branch. For this reason, the Argo CD Image Updater service account will need write access to the GitHub repo, so it can merge to master with the latest discovered SHA or whatever tagging strategy you want to use.
Please check the official docs here
Helm values example for Google Artifact Registry in my case:
```yaml
fullnameOverride: argocd-image-updater
config:
  registries:
    - name: artifact-registry-europe
      prefix: europe-docker.pkg.dev
      api_url: https://europe-docker.pkg.dev
      credentials: secret:argocd/artifact-registry#credentials
      default: true
serviceAccount:
  annotations:
    'iam.gke.io/gcp-service-account': ${ service_account }
```
It is not super easy to implement, but refer to the docs of the tool and you should be fine. It works really well once set up.
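
The per-application side of the setup described in the answer, as an added example that is not part of the original answer: an Argo CD `Application` annotated so Image Updater follows the mutable `latest` tag from the question and deploys it by digest. The Application name, `repoURL`, `path`, branch and namespaces are assumed placeholders, and the registry host stays elided as on the page.

```yaml
# Added example (constructed): Application watched by Argo CD Image Updater.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: k8s-argocd                 # assumed Application name
  namespace: argocd                # assumed Argo CD namespace
  annotations:
    # "app" is an alias for the image to watch; the tag names the mutable tag to follow.
    argocd-image-updater.argoproj.io/image-list: app=[......].dkr.ecr.us-east-1.amazonaws.com/k8s-argocd:latest
    # digest strategy: when the digest behind "latest" changes, update to that
    # digest, so the cluster runs an immutable reference instead of a floating tag.
    argocd-image-updater.argoproj.io/app.update-strategy: digest
    # git: record the change as a commit (needs a repo write credential).
    # argocd: set an image override on the Application instead, no commit.
    argocd-image-updater.argoproj.io/write-back-method: git
    # Write the new image into kustomization.yaml under spec.source.path.
    argocd-image-updater.argoproj.io/write-back-target: kustomization
    # Branch the updater commits to (assumed).
    argocd-image-updater.argoproj.io/git-branch: main
spec:
  project: default
  source:
    repoURL: https://github.com/EXAMPLE-ORG/EXAMPLE-REPO.git   # placeholder
    targetRevision: main                                       # assumed branch
    path: k8s                                                  # assumed path holding kustomization.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: default                                         # assumed target namespace
  syncPolicy:
    automated: {}
```

With `write-back-method: argocd`, which is the tool's default, the updater changes the Application through the Argo CD API and needs no Git write credential, at the cost of the change not being recorded in the repository. The `git` method is the one that requires the repository write access mentioned in the answer, so that credential should be scoped to this one repository.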