argocd-ecr-updater

command module

v1.1.5 Latest Latest Go to latest Published: Nov 14, 2022 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/karlderkaefer/argocd-ecr-updater

Links

Open Source Insights

README ¶

ArgoCD ECR updater

If you are using a private AWS ECR repository to store helm charts, the stored password will become expired at latest in 12h.
The argocd-ecr-updater will refresh the token in defined interval.

The updater will only consider secrets with these labels for update.

kind: Secret
metadata:
  labels:
    argocd-ecr-updater: enabled
    argocd.argoproj.io/secret-type: repository

The data field password will be updated with a fresh token from AWS ECR.

To give ArgoCD permission to get the ECR token create IRSA role with following permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:DescribeRepositories"
            ],
            "Resource": "*"
        }
    ]
}

This token is valid to authenticate against any registry id, the user has access. Depending on how you set the trust relationship on ECR repository policy.

Finally annotate the service account with your role arn

serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456:role/argocd-ecr-updater

Install with Helm

helm repo add argocd-ecr-updater https://karlderkaefer.github.io/argocd-ecr-updater
helm search repo argocd-ecr-updater 
helm upgrade --install argocd-ecr-updater -n argocd argocd-ecr-updater/argocd-ecr-updater

Usage CLI

Usage:
  argocd-ecr-updater [flags]

Flags:
  -h, --help                help for argocd-ecr-updater
      --interval string     interval to refresh token (default "6h")
      --kubeconfig string   kubernetes config file
      --namespace string    kubernetes namespace

--kubeconfig: will use in-cluster config by default, optional you can provide own kubeconfig for testing
--interval: defined in which interval the token will refreshed
--namespace: if empty, then mutate secrets from all namespaces matching the label

You can also set these values by providing environment variable with prefix ARGOCD_ECR_UPDATER

ARGOCD_ECR_UPDATER_NAMESPACE="argocd"
ARGOCD_ECR_UPDATER_INTERVAL="6h0m0s"
ARGOCD_ECR_UPDATER_KUBECONFIG="/home/user/.kube/config"

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
pkg
app Package app Logic mainly copied from ArgoCD Image Updater https://github.com/argoproj-labs/argocd-image-updater/blob/master/cmd/run.go	Package app Logic mainly copied from ArgoCD Image Updater https://github.com/argoproj-labs/argocd-image-updater/blob/master/cmd/run.go
aws
kube

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL