
Comments (44)

mubarak-j commented on May 29, 2024 78

I wanted to point out that most of these steps are now simplified by the helm chart, e.g.:
the registries config can be configured as follows:

config:
  registries:
  - name: Docker Hub
    api_url: https://registry-1.docker.io
    prefix: docker.io
  - name: ECR
    api_url: https://xxx.dkr.ecr.us-west-1.amazonaws.com
    prefix: xxx.dkr.ecr.us-west-1.amazonaws.com   # before v0.12 this needed to be set empty, prefix: ""
    default: true  # not supported before v0.12
    ping: yes
    insecure: no
    credentials: ext:/scripts/ecr-login.sh  #script name should match here and in authScripts 
    credsexpire: 11h

and configure the ECR authentication script as follows:

authScripts:
  enabled: true
  scripts: 
    ecr-login.sh: |   # notice script name matches above    
      #!/bin/sh
      aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

In my case, $AWS_REGION is set as environment variable.

extraEnv:
  - name: AWS_REGION
    value: "us-west-1"

This setup will mount the login script as /scripts/ecr-login.sh and will run every 11 hours.

I'm able to run image-updater on EKS with IRSA configured. Again, using the current helm version, you will need to enable the service account for image-updater and assign a role with appropriate IAM permissions, e.g.:

serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<Account-ID>:role/<role-name>
  name: "argocd-image-updater"  # I think this is the default

For IAM permissions you will at least need AmazonEC2ContainerRegistryReadOnly.

I hope this helps others get started with image-updater on AWS.
@jannfis if you think this is worth adding to the docs, I'm happy to create a PR.

from argocd-image-updater.

diranged commented on May 29, 2024 33

Just for anyone who finds this and is wondering what the TLDR is ... this seems to work:

registries.conf:

registries:
- name: ECR
  api_url: https://xxx.dkr.ecr.us-west-2.amazonaws.com
  prefix: xxx.dkr.ecr.us-west-2.amazonaws.com
  ping: yes
  insecure: no
  tagsortmode: latest-first
  credentials: ext:/path/to/ecr.sh
  credsexpire: 10h

ecr.sh

#!/bin/sh
aws ecr --region us-west-2 get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
$ ./dist/argocd-image-updater  test xxx.dkr.ecr.us-west-2.amazonaws.com/dev/xyz-batch-serving --registries-conf ./registries.conf
INFO[0000] getting image                                 image_name=dev/xxx-batch-serving registry=xxx.dkr.ecr.us-west-2.amazonaws.com
DEBU[0000] rate limit for https://xxx.dkr.ecr.us-west-2.amazonaws.com is 2147483647 
INFO[0000] Loaded 1 registry configurations from ./registries.conf 
INFO[0000] git/argocd-image-updater/ecr.sh  dir= execID=c6FS4
INFO[0000] Fetching available tags and metadata from registry  image_name=dev/xyz-batch-serving
INFO[0001] Found 288 tags in registry                    image_name=dev/xxx-batch-serving
DEBU[0001] could not parse input tag abc-xyz as semver: Invalid Semantic Version 
...

NickLarsenNZ commented on May 29, 2024 23

IMO, there are too many additional steps to make this work.
@jannfis I think this should be reopened, and have the image-updater support ECR (and other major registries).

vistrcm commented on May 29, 2024 16

It looks like credentials are cached if defined as a parameter of registry configuration and not cached if specified as annotation for the application.

So using that knowledge, I was able to annotate my applications with

annotations:
  argocd-image-updater.argoproj.io/image-list: org/app=XXXXXXXXXXXX.dkr.ecr.region.amazonaws.com/org/app
  argocd-image-updater.argoproj.io/org_app.update-strategy: latest
  argocd-image-updater.argoproj.io/org_app.kustomize.image-name: org/app
  argocd-image-updater.argoproj.io/org_app.pull-secret: secret:argocd-image-updater/aws-ecr-creds#creds

And create a simple k8s CronJob to get the token and update the secret value:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-secret-udpater
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-secret-udpater
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-secret-udpater
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ecr-secret-udpater
subjects:
  - kind: ServiceAccount
    name: ecr-secret-udpater
---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    description: this secret is dynamically updated by the k8s CronJob ecr-secret-update. store ECR registry user/token
  name: aws-ecr-creds
stringData:
  creds: will_be_set_by_the_job
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: ecr-secret-update
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - args:
                - -c
                - kubectl create secret generic aws-ecr-creds --from-literal=creds=AWS:$(cat /store/token) --dry-run=client -o yaml | kubectl replace -f -
              command:
                - sh
              image: org/kubectl:v1.19.4
              name: kubectl
              volumeMounts:
                - mountPath: /store
                  name: store
          initContainers:
            - args:
                - -c
                - aws ecr get-login-password --region us-west-2 > /store/token
              command:
                - sh
              image: amazon/aws-cli:2.1.6
              name: get-login-password
              volumeMounts:
                - mountPath: /store
                  name: store
          restartPolicy: OnFailure
          serviceAccountName: ecr-secret-udpater
          volumes:
            - emptyDir:
                medium: Memory
              name: store
      ttlSecondsAfterFinished: 100
  schedule: '0 */6 * * *'  # every 6 hours; '* */6 * * *' would fire every minute during those hours

This approach works for me on v0.7.0. I can share the AWS-related policies I used to grant permissions and details on the org/kubectl:v1.19.4 image if someone is interested.

diranged commented on May 29, 2024 5

Sorry for the radio silence... so here's an example of our image updater StatefulSet. To answer the questions, we put the awscli command in there by using an initContainer. We get the ecr script in there through a mounted ConfigMap.

apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: image-updater
    app.kubernetes.io/instance: argocd-service
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
  name: argocd-service-image-updater
  namespace: argocd
spec:
  podManagementPolicy: OrderedReady
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-service-image-updater
  serviceName: argocd-service-image-updater
  template:
    metadata:
      annotations:
        config.value.checksum: 6b0afb78dbf20fea4bacf969b90124be13f4f583502bf014e5fa2371ab8d1acd
      creationTimestamp: null
      labels:
        app: argocd-service-image-updater
        app.kubernetes.io/name: argocd-service-image-updater
    spec:
      containers:
      - command:
        - argocd-image-updater
        - run
        env:
        - name: PATH
          value: /shared/bin:/opt/bitnami/aws-cli/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        - name: HOME
          value: /tmp
        - name: APPLICATIONS_API
          valueFrom:
            configMapKeyRef:
              key: applications_api
              name: argocd-service-image-updater-config
              optional: true
        - name: ARGOCD_GRPC_WEB
          valueFrom:
            configMapKeyRef:
              key: argocd.grpc_web
              name: argocd-service-image-updater-config
              optional: true
        - name: ARGOCD_SERVER
          valueFrom:
            configMapKeyRef:
              key: argocd.server_addr
              name: argocd-service-image-updater-config
              optional: true
        - name: ARGOCD_INSECURE
          valueFrom:
            configMapKeyRef:
              key: argocd.insecure
              name: argocd-service-image-updater-config
              optional: true
        - name: ARGOCD_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: argocd.plaintext
              name: argocd-service-image-updater-config
              optional: true
        - name: ARGOCD_TOKEN
          valueFrom:
            secretKeyRef:
              key: argocd.token
              name: argocd-image-updater-secret
              optional: true
        - name: IMAGE_UPDATER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: log.level
              name: argocd-service-image-updater-config
              optional: true
        - name: GIT_COMMIT_USER
          valueFrom:
            configMapKeyRef:
              key: git.user
              name: argocd-service-image-updater-config
              optional: true
        - name: GIT_COMMIT_EMAIL
          valueFrom:
            configMapKeyRef:
              key: git.email
              name: argocd-service-image-updater-config
              optional: true
        image: public.ecr.aws/bitnami/aws-cli:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 3
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 1
        name: argocd-image-updater
        ports:
        - containerPort: 8080
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 3
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /app/config
          name: registries-conf
        - mountPath: /app/scripts
          name: ecr-login
        - mountPath: /shared
          name: shared
      dnsPolicy: ClusterFirst
      initContainers:
      - args:
        - -c
        - mkdir -p /shared/bin && cp /usr/local/bin/* /shared/bin
        command:
        - sh
        image: ...-2.amazonaws.com/vendor/argoprojlabs/argocd-image-updater:release-06-15-2021
        imagePullPolicy: Always
        name: argocd-image-updater-installer
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /shared
          name: shared
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
      serviceAccount: argocd-service-image-updater
      serviceAccountName: argocd-service-image-updater
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: registries.conf
            path: registries.conf
          name: argocd-service-image-updater-config
          optional: true
        name: registries-conf
      - configMap:
          defaultMode: 493
          items:
          - key: ecr-login.sh
            path: ecr-login.sh
          name: argocd-service-image-updater-config
          optional: true
        name: ecr-login
      - emptyDir: {}
        name: shared
  updateStrategy:
    rollingUpdate:
      partition: 0
    type: RollingUpdate

fabioaraujopt commented on May 29, 2024 5

I wanted to point out that most of these steps are now simplified by the helm chart, e.g. the registries config can be configured as follows:

config:
  registries:
  - name: Docker Hub
    api_url: https://registry-1.docker.io
    prefix: docker.io
  - name: ECR
    api_url: https://xxx.dkr.ecr.us-west-1.amazonaws.com
    prefix: xxx.dkr.ecr.us-west-1.amazonaws.com   # before v0.12 this needed to be set empty, prefix: ""
    default: true  # not supported before v0.12
    ping: yes
    insecure: no
    credentials: ext:/scripts/ecr-login.sh  #script name should match here and in authScripts 
    credsexpire: 11h

and configure the ECR authentication script as follows:

authScripts:
  enabled: true
  scripts: 
    ecr-login.sh: |   # notice script name matches above    
      #!/bin/sh
      aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

In my case, $AWS_REGION is set as environment variable.

extraEnv:
  - name: AWS_REGION
    value: "us-west-1"

This setup will mount the login script as /scripts/ecr-login.sh and will run every 11 hours.

I'm able to run image-updater on EKS with IRSA configured. Again using the current helm version, you will need to enable service account for image-updater and assign a role with appropriate IAM permissions, e.g:

serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<Account-ID>:role/<role-name>
  name: "argocd-image-updater"  # I think this is the default

For IAM permissions you will at least need AmazonEC2ContainerRegistryReadOnly.

I hope this helps others get started with image-updater on AWS. @jannfis if you think this is worth adding to the docs, I'm happy to create a PR.

I'm having this error:

Could not set registry endpoint credentials: error executing /scripts/ecr-login.sh: fork/exec /scripts/ecr-login.sh: no such file or directory"

I'm using the following config:

config:
  registries:
    - name: ECR
      api_url: https://XXX.dkr.ecr.eu-west-1.amazonaws.com
      prefix: XXX.dkr.ecr.eu-west-1.amazonaws.com
      ping: yes
      insecure: no
      credentials: ext:/scripts/ecr-login.sh
      credsexpire: 6h
authScripts:
  enabled: true
  scripts:
    ecr-login.sh: |
      #!/bin/sh
      aws ecr get-authorization-token --region eu-west-1 --registry-ids XXXX --output text --query 'authorizationData[].authorizationToken'

nielstenboom commented on May 29, 2024 3

Just for anyone who finds this and is wondering what the TLDR is ... this seems to work:

registries.conf:

registries:
- name: ECR
  api_url: https://xxx.dkr.ecr.us-west-2.amazonaws.com
  prefix: xxx.dkr.ecr.us-west-2.amazonaws.com
  ping: yes
  insecure: no
  tagsortmode: latest-first
  credentials: ext:/path/to/ecr.sh
  credsexpire: 10h

ecr.sh

#!/bin/sh
aws ecr --region us-west-2 get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
$ ./dist/argocd-image-updater  test xxx.dkr.ecr.us-west-2.amazonaws.com/dev/xyz-batch-serving --registries-conf ./registries.conf
INFO[0000] getting image                                 image_name=dev/xxx-batch-serving registry=xxx.dkr.ecr.us-west-2.amazonaws.com
DEBU[0000] rate limit for https://xxx.dkr.ecr.us-west-2.amazonaws.com is 2147483647 
INFO[0000] Loaded 1 registry configurations from ./registries.conf 
INFO[0000] git/argocd-image-updater/ecr.sh  dir= execID=c6FS4
INFO[0000] Fetching available tags and metadata from registry  image_name=dev/xyz-batch-serving
INFO[0001] Found 288 tags in registry                    image_name=dev/xxx-batch-serving
DEBU[0001] could not parse input tag abc-xyz as semver: Invalid Semantic Version 
...

Would like to add that for us the tagsortmode: latest-first setting resulted in some unexpected behavior (same as here #228), not specifying that setting in the registry list solved the problem.

mrobinson-wavehq commented on May 29, 2024 3

IMO, there are too many additional steps to make this work. @jannfis I think this should be reopened, and have the image-updater support ECR (and other major registries).

I'd like to +1 this. My org is building out a container platform in AWS involving EKS with heavy use of Argo projects. As mentioned in other comments, supporting IRSA would be ideal to allow least privilege access; it's our de-facto method for pods to interact with the AWS API and has worked well for us.
We're far enough out from going to production that we could contribute testing as needed.

jannfis commented on May 29, 2024 2

A feature implementing my above proposal has been merged with #121 and will be part of v0.8 release.

jannfis commented on May 29, 2024 2

I have released v0.8.0 today. To simplify testing, it introduced a new command test to the argocd-image-updater CLI. This command can also be used to test authentication to registries, without having to run it inside Kubernetes (and therefore possibly build a new image) and without the need to trial&error annotate your Argo CD applications.

You can simply test an authentication script as follows:

argocd-image-updater test <your_image_on_ecr> --credentials ext:/path/to/your/script --registries-conf /path/to/your/registries.conf

It can also do more to help you check image updater's behaviour for your specific images, and is rudimentarily documented here

The binary (only linux-amd64 so far) can be downloaded from the release page

joebowbeer commented on May 29, 2024 2

@vikas027 wrote:

there are a few people who have successfully got the updater working with ECR

Please interpret my comments as an RFE for ECR integration via IRSA and an AWS-aware credentials helper.

joebowbeer commented on May 29, 2024 1

IRSA is the most robust way to provide this permission, right? And there's nothing currently preventing using IRSA?

rraj-gautam commented on May 29, 2024 1

ConfigMap for ECR authentication

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater-config
  namespace: argocd
data:
  registries.conf: |
    registries:
    - name: AWS ECR
      prefix: <aws_account_id>.dkr.ecr.eu-west-2.amazonaws.com
      api_url: https://<aws_account_id>.dkr.ecr.eu-west-2.amazonaws.com
      credentials: secret:argocd/ecr-secrets#creds
      default: true
      insecure: yes
      credsexpire: 12h

For authenticating to ECR, use the CronJob to generate credentials on every schedule.

boris-infinit commented on May 29, 2024 1

@mubarak-j
Thank you, this is a really working example with the Helm chart

bradenwright commented on May 29, 2024 1

Fwiw I followed this article and it worked for me, https://medium.com/@tomas94depi/argo-image-updater-with-aws-ecr-ddb661abb332

hobbsh commented on May 29, 2024

For additional context, this is the logged error I get when trying to use ECR:

time="2020-10-23T01:53:29Z" level=error msg="Could not get tags from registry: Get \"https://ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com/v2/dev/my-image/tags/list\": http: non-successful response (status=401 body=\"Not Authorized\\n\")" alias=backend application=my-application image_name=dev/my-image image_tag=304dbc93e21898e95272d7cb81b61a671a8b7365 registry=ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com

hobbsh commented on May 29, 2024

We can use aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' and jam it into a k8s secret (it yields a base64 encoded username:password string) however the token is only valid for 12 hours so there would need to be a cronjob that updates this secret every 12 hours.

jannfis commented on May 29, 2024

We currently have three methods for getting credentials right now - secret, pullsecret and env. Would a fourth option, that calls a script and re-uses its output as credentials, be sufficient for this use case?

For example we could introduce a new method ext:/path/to/script.sh, and you could either build your own image from the image updater's docker file or use an init container to copy the script to some location into the image updater's container.

jannfis commented on May 29, 2024

I have no means to test against a real ECR instance, but would a script require some kind of parametrization in order to be able to retrieve credentials for the correct registry?

vistrcm commented on May 29, 2024

Hello,
I can try to help with testing. ECR support is crucial for me too.

One question before I can test: are credentials cached somehow? I mean, does argocd-image-updater read credentials from the secret or env variable, or execute the script, every time, or only once and then reuse those results?

It looks like the function SetEndpointCredentials sets credentials for RegistryEndpoint and never updates them:

func (ep *RegistryEndpoint) SetEndpointCredentials(kubeClient *client.KubernetesClient) error {

Sorry, I had no chance to look deeper.

If credentials are cached, the script will not help with ECR. By default, ECR tokens are rotated every 12 hours.

jannfis commented on May 29, 2024

@vistrcm Thank you for your input! So I see the problem with the cached credentials.

I think an expiry time for the credentials might help in case of the credentials being cached on registry level, something like a new toggle credentials_expire: <duration> for the registry configuration. If credentials are older than <duration>, they'll be regenerated from its source (i.e. secret read again, or script executed again)

I'm planning to release v0.8 this weekend hopefully, so such a change (if helpful) could make it in there, I believe.

hobbsh commented on May 29, 2024

I use the same solution currently to update ECR creds and it would be great if the image-updater could handle this itself.

vistrcm commented on May 29, 2024

I think an expiry time for the credentials might help in case of the credentials being cached on registry level, something like a new toggle credentials_expire: <duration> for the registry configuration. If credentials are older than <duration>, they'll be regenerated from its source (i.e. secret read again, or script executed again)

I'm planning to release v0.8 this weekend hopefully, so such a change (if helpful) could make it in there, I believe.

that would be great! thank you

jannfis commented on May 29, 2024

So with #124 merged, you can now specify an expiration time for your credentials, when configured at the registry level (i.e. in registries.conf). So now you can use something like the following:

credentials: ext:/some/where/eks-creds.sh
credsexpire: 11h59m

The script at /some/where/eks-creds.sh should be a wrapper that calls the aws CLI with all required parametrization and outputs the resulting credentials as a single line on stdout in the format <username>:<token>. As long as the credentials are not expired (or image-updater is restarted), the script will not be called and the credentials are cached in memory. After the expiration time, the script will be called again to generate a new token.

This is also documented at https://argocd-image-updater.readthedocs.io/en/latest/configuration/registries/

Of course you would have to create an init container that copies required tools into the image updater's container.

Is this something you'll be able to use? I'll not be able to provide native ECR/AWS support, because I don't use AWS.

hobbsh commented on May 29, 2024

I'll try to test that in the next week or two. There's a typo in the docs, you mention EKS instead of ECR 😉

jannfis commented on May 29, 2024

I will close this issue now, since I think the feature works now. Feel free to reopen it when you think there should be more work done to support ECR auth.

jeroenmaas commented on May 29, 2024

@diranged

Thanks for sharing your config. It worked well, though one small note. I had to change tagsortmode: latest-first to none since our ECR repo doesn't return the tags in order causing latest to not work when the value is specified.

diranged commented on May 29, 2024

@diranged

Thanks for sharing your config. It worked well, though one small note. I had to change tagsortmode: latest-first to none since our ECR repo doesn't return the tags in order causing latest to not work when the value is specified.

@jeroenmaas Can you share logs or more of your config showing that tagsortmode: none works for you? I just opened up #216 because it turns out that I am seeing that fail on our side making the API calls to AWS.

diranged commented on May 29, 2024

Just following up - the actual issue was a permissions issue. See #216 (comment).

jvanson commented on May 29, 2024

registries:

@diranged How do you install the script ecr.sh? How did you make it so that the argo-cd-image-updater pod can access the script? Thanks!

AndresJulia commented on May 29, 2024

Just for anyone who finds this and is wondering what the TLDR is ... this seems to work:

registries.conf:

registries:
- name: ECR
  api_url: https://xxx.dkr.ecr.us-west-2.amazonaws.com
  prefix: xxx.dkr.ecr.us-west-2.amazonaws.com
  ping: yes
  insecure: no
  tagsortmode: latest-first
  credentials: ext:/path/to/ecr.sh
  credsexpire: 10h

ecr.sh

#!/bin/sh
aws ecr --region us-west-2 get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
$ ./dist/argocd-image-updater  test xxx.dkr.ecr.us-west-2.amazonaws.com/dev/xyz-batch-serving --registries-conf ./registries.conf
INFO[0000] getting image                                 image_name=dev/xxx-batch-serving registry=xxx.dkr.ecr.us-west-2.amazonaws.com
DEBU[0000] rate limit for https://xxx.dkr.ecr.us-west-2.amazonaws.com is 2147483647 
INFO[0000] Loaded 1 registry configurations from ./registries.conf 
INFO[0000] git/argocd-image-updater/ecr.sh  dir= execID=c6FS4
INFO[0000] Fetching available tags and metadata from registry  image_name=dev/xyz-batch-serving
INFO[0001] Found 288 tags in registry                    image_name=dev/xxx-batch-serving
DEBU[0001] could not parse input tag abc-xyz as semver: Invalid Semantic Version 
...

But how do you get awscli inside the container?

hobbsh commented on May 29, 2024

@diranged How do you install the script ecr.sh? How did you make it so that the argo-cd-image-updater pod can access the script? Thanks!

You will have to mount it from a configmap

hobbsh commented on May 29, 2024

But how do you get awscli inside the container?

@AndresJulia I have not tried this but I am assuming people using this are extending the argocd-image-updater image to install awscli. Not ideal but that would work.

sgavrylenko commented on May 29, 2024

But how do you get awscli inside the container?

@AndresJulia At this moment, awscli is present in the image

jannfis commented on May 29, 2024

The aws CLI has been part of the image updater's container image for a while, so setting up authentication against ECR should be quite simple. As I'm not an aws user myself, there's not really much I can (or want) to do here. I'll happily accept contributions from the community to make this easier, but I'll not be able to support those (for the previously mentioned reasons).

paul-benetis commented on May 29, 2024

@mubarak-j While this setup will work with image-updater to update images for already existing applications, will this work for authenticating argocd itself for the initial deploy of the application?

joebowbeer commented on May 29, 2024

I've been using keel.sh partly because of its excellent ECR integration via IRSA and an AWS-aware credentials helper:

https://github.com/keel-hq/keel/tree/master/extension/credentialshelper/aws

But it would be nice to have another option.

vikas027 commented on May 29, 2024

I've been using keel.sh partly because of its excellent ECR integration via IRSA and an AWS-aware credentials helper:

Keel hasn't updated for a while, looks like the project has been abandoned :(

joebowbeer commented on May 29, 2024

Keel hasn't updated for a while, looks like the project has been abandoned :(

I can't disagree but it still functions. keel is my only option at the moment, and if it breaks then someone may need to fork it and fix it. It would be nice to have another option..

vikas027 commented on May 29, 2024

keel is my only option at the moment

I have not tried Image Updater yet but there are a few people who have successfully got the updater working with ECR. Did you try that?

thuandt commented on May 29, 2024

@fabioaraujopt Please ensure the ecr-login.sh script exists in the argocd-image-updater container (mounted as a ConfigMap in my case)

zrice57 commented on May 29, 2024

@fabioaraujopt I was having the same issue. I believe the version of the chart which I was installing, 0.8.1, by default uses the same image version and that image version does not contain any sh or bash executables. It is probably the lack of those files resulting in no such file or directory.

I was able to get it working by specifying the latest image version in my values file:

image:
  tag: "v0.12.1"

I'm not sure how other people were getting this to work, perhaps we are using different versions of the helm chart? 0.8.1 appears to be the latest version.

zhaque44 commented on May 29, 2024

ConfigMap for ECR authentication

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater-config
  namespace: argocd
data:
  registries.conf: |
    registries:
    - name: AWS ECR
      prefix: <aws_account_id>.dkr.ecr.eu-west-2.amazonaws.com
      api_url: https://<aws_account_id>.dkr.ecr.eu-west-2.amazonaws.com
      credentials: secret:argocd/ecr-secrets#creds
      default: true
      insecure: yes
      credsexpire: 12h

For authenticating to ECR, use the CronJob to generate credentials on every schedule.

do you have an example repo for this?

mccullya commented on May 29, 2024

The scripts above i.e.
aws ecr get-authorization-token --region eu-west-1 --registry-ids XXXX --output text --query 'authorizationData[].authorizationToken'

were not working for me. It was erroring saying that it wants a username:password. I used this instead, and it works :)

authScripts:
  enabled: true
  scripts: 
    ecr-login.sh: |
      #!/bin/sh
      # Retrieve the authorization token from AWS ECR
      auth_token=$(aws ecr get-authorization-token --region eu-west-1 --output text --query 'authorizationData[].authorizationToken')

      # Decode the authorization token (it is the base64 of "username:password")
      decoded_token=$(echo "$auth_token" | base64 -d)

      # Extract username and password (keep everything after the first colon)
      username=$(echo "$decoded_token" | cut -d: -f1)
      password=$(echo "$decoded_token" | cut -d: -f2-)

      # Output username and password
      echo "$username:$password"


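An added example helper (not code from this thread or from the argocd-image-updater project) that implements the `<username>:<token>` stdout contract jannfis describes for `ext:` credentials and the base64 decoding step mccullya found necessary, and that prints nothing and exits non-zero when the token is malformed so a bad value is never cached for the `credsexpire` window. It assumes AWS_REGION is set in the environment (as with the Helm `extraEnv` above) and that the aws CLI is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from argocd-image-updater.
# Credentials helper for a registry configured with
#   credentials: ext:/scripts/ecr-login.sh
# The updater runs this script and expects exactly one line on stdout in
# the form "<username>:<token>". ECR's authorization token is the base64
# encoding of "AWS:<password>", so the script decodes it and checks the
# shape before printing; on any failure it prints nothing and exits
# non-zero, so a broken value is never cached for the credsexpire window.
# Assumptions: AWS_REGION is set (e.g. via extraEnv), aws CLI is on PATH.

# decode_ecr_token <base64-token>
# Prints "AWS:<password>" on success; returns 1 with no output when the
# token is missing, not valid base64, or not of the expected shape.
decode_ecr_token() {
    token="$1"
    [ -n "$token" ] || return 1
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        AWS:?*) ;;          # expected: literal user "AWS" and a non-empty password
        *) return 1 ;;
    esac
    printf '%s\n' "$decoded"
}

# fetch_ecr_credentials
# Asks ECR for a fresh token for the caller's default registry in the
# region and hands it to decode_ecr_token. ECR tokens are valid for 12
# hours, so credsexpire in registries.conf must be shorter than that.
fetch_ecr_credentials() {
    raw=$(aws ecr get-authorization-token \
            --region "${AWS_REGION:?AWS_REGION must be set}" \
            --output text \
            --query 'authorizationData[0].authorizationToken') || return 1
    decode_ecr_token "$raw"
}

# Run the live query only when installed and executed as ecr-login.sh,
# so the functions above can be sourced and tested without AWS access.
case "${0##*/}" in
    ecr-login.sh) fetch_ecr_credentials ;;
esac
```

The file must be mounted executable, as the `defaultMode: 493` (0755) ConfigMap volume in diranged's StatefulSet does.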