
[Question] Is it possible to use image updater together with argocd-vault-plugin

Open ricardojdsilva87 opened this issue 3 years ago • 4 comments

Hello, I have a question regarding using the image updater together with the argocd-vault-plugin. The image updater can update argocd values directly if used in the following way:

project: project1
source:
  repoURL: 'repo URL'
  path: path
  targetRevision: main
  helm:
    valueFiles:
      - values.yaml
    parameters:
      - name: image.tag
        value: v1
        forceString: true
      - name: image.repository
        value: repo/image
      - name: image.credentials
        value: <path:secret-name#password>
    values: 'ingress: testurl.com'
destination:
  server: 'https://mycluster.com'
  namespace: test
syncPolicy: {}

The annotations for image updater just need to "know" which parameter to replace. I have opened a similar issue in the argo-vault-plugin github: https://github.com/argoproj-labs/argocd-vault-plugin/issues/333

Since the plugin allows using the entire helm chart as an ENV value (so that the plugin command can replace the secret values in the helm templating), is there an option for the image updater to replace the values directly in the yaml manifest and not by parameter?

The plugin configuration is the following one:

      - name: argocd-vault-plugin
        init:
          command: [sh, -c]
          args: ["helm dependency build"]
        generate:
          command: ["bash", "-c"]
          args: ['helm template "$ARGOCD_APP_NAME" -f <(echo "$HELM_VALUES") . | argocd-vault-plugin generate -s <namespace>:<secret with plugin configurations> -']

So we can have something similar to the following:

source:
  repoURL: repo
  targetRevision: 1.0.0
  plugin:
    name: test
    env:
      - name: HELM_VALUES
        value: |
            image.tag=v1
            image.repository=repo/image
            image.credentials=<path:secret-name#password>

In this case the image updater would crawl those HELM_VALUES and look for the corresponding entry to replace, for example the image.repository.

If the values are replaced, the argo-vault-plugin would still be able to helm template the values file to replace the needed secrets, but this time with the latest image digest replaced by the image updater, for example.

Thank you very much for the help

ricardojdsilva87 avatar Apr 11 '22 09:04 ricardojdsilva87

Hi, currently it is not possible to use argocd-image-updater with plugins. There is a workaround for Kustomize based plugins, when you are using Git write-back with a kustomization target. But I figure that argocd-vault-plugin is using Helm.

So, no, it's not possible as of now to use argocd-vault-plugin with argocd-image-updater, unfortunately.

jannfis avatar Apr 12 '22 07:04 jannfis

@jannfis Is there a workaround to this problem?

mudassar-nazar-dbank avatar Oct 20 '23 09:10 mudassar-nazar-dbank

I've made a proposal to mitigate this issue, which we are using in our own setup: https://github.com/argoproj-labs/argocd-image-updater/pull/637

@jannfis what's the workaround if using kustomize to be able to use argocd-vault-plugin with image updater?

chrisfel-dev avatar Jan 01 '24 21:01 chrisfel-dev
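
An added illustration, not part of any comment in this thread and not the project's own example: the Kustomize workaround mentioned above (Git write-back with a kustomization target) expressed as Application annotations. The application name, repository URL, path, image alias and the plugin name `argocd-vault-plugin-kustomize` are assumptions; the plugin is assumed to run `kustomize build` piped into `argocd-vault-plugin generate -`.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app                       # assumed name
  namespace: argocd
  annotations:
    # Image to track; "app" is an alias chosen for this example.
    argocd-image-updater.argoproj.io/image-list: app=repo/image
    # Commit the new tag to Git instead of setting Application parameters.
    # The image updater needs write access to the repository for this.
    argocd-image-updater.argoproj.io/write-back-method: git
    # Write the new tag into kustomization.yaml in the source path,
    # rather than into a parameter override file.
    argocd-image-updater.argoproj.io/write-back-target: kustomization
spec:
  project: project1
  source:
    repoURL: https://git.example.com/org/repo.git   # placeholder URL
    path: overlays/test              # assumed; must contain kustomization.yaml
    targetRevision: main
    plugin:
      # Assumed plugin name; its generate step is assumed to be
      # kustomize build . | argocd-vault-plugin generate -
      name: argocd-vault-plugin-kustomize
  destination:
    server: 'https://mycluster.com'
    namespace: test
```

With this layout the `<path:...>` placeholders stay in the manifests in Git and are still resolved by the plugin at render time; the image updater only commits the image override to `kustomization.yaml`.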