Using argocd-image-updater with Workload Identity
- Install argocd-image-updater with Helm
- Create a GCP service account.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: argocd-image-updater
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://argoproj.github.io/argo-helm'
    targetRevision: 0.9.6
    helm:
      values: |
        config:
          logLevel: "info"
          registries:
            - name: Google Container Registry Asia
              api_url: https://asia.gcr.io
              prefix: asia.gcr.io
              # credentials come from the external script mounted from the ConfigMap below
              credentials: ext:/auth/auth.sh
              # re-run the script every 30 minutes; metadata-server tokens live about an hour
              credsexpire: 30m
        volumes:
          - name: auth
            configMap:
              defaultMode: 0755
              name: auth-cm
        volumeMounts:
          - name: auth
            mountPath: /auth
    chart: argocd-image-updater
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: argocd
  syncPolicy:
    automated: { }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auth-cm
  namespace: argocd
data:
  auth.sh: |
    #!/bin/sh
    # Fetch a short-lived access token for the pod's GCP service account from the
    # GKE metadata server and print it as "username:password", the form that
    # argocd-image-updater expects from an ext: credentials script.
    ACCESS_TOKEN=$(wget --header 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token -q -O - | grep -Eo '"access_token":.*?[^\\]",' | cut -d '"' -f 4)
    echo "oauth2accesstoken:$ACCESS_TOKEN"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-image-updater
  namespace: argocd
  annotations:
    # Workload Identity: map this Kubernetes SA to the GCP service account created above
    iam.gke.io/gcp-service-account: argocd-image-updater@<GCP Project ID>.iam.gserviceaccount.com
Bind the service accounts (allow the Kubernetes SA to impersonate the GCP SA named in the annotation)
gcloud iam service-accounts add-iam-policy-binding \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:<GCP Project ID>.svc.id.goog[argocd/argocd-image-updater]" \
  argocd-image-updater@<GCP Project ID>.iam.gserviceaccount.com --project <GCP Project ID>
argocd-image-updater does not yet support Workload Identity directly, so the workaround is credentials: ext:/auth/auth.sh, a script that obtains the token itself:
data:
  auth.sh: |
    #!/bin/sh
    ACCESS_TOKEN=$(wget --header 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token -q -O - | grep -Eo '"access_token":.*?[^\\]",' | cut -d '"' -f 4)
    echo "oauth2accesstoken:$ACCESS_TOKEN"
Reference: https://github.com/argoproj-labs/argocd-image-updater/issues/319
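A hardened variant of the ext credentials script, added here as an example (it is not from the original note or from the argocd-image-updater project): it keeps the page's wget call to the metadata server but parses the reply with sed instead of grep/cut, exits non-zero when no token comes back so image-updater never receives an empty password, and only contacts the metadata server when run as the mounted auth.sh, so the parsing can be exercised elsewhere with a constructed reply. The 5-second timeout and the path guard are assumptions.

```shell
#!/bin/sh
# ext credentials contract for argocd-image-updater: print "<user>:<password>"
# on stdout and exit 0; a non-zero exit marks the credential lookup as failed
# instead of handing the registry a token-less "oauth2accesstoken:" line.
set -eu

METADATA_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'

# Pull access_token out of the metadata server's JSON reply with a BRE that
# both BusyBox and GNU sed accept, so the image needs no jq.
parse_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Turn a raw JSON reply into the credential line; fails (return 1) when the
# reply carries no token, e.g. on an error response or a truncated body.
format_credentials() {
  token=$(printf '%s' "$1" | parse_token)
  if [ -z "$token" ]; then
    echo "auth.sh: no access_token in metadata server reply" >&2
    return 1
  fi
  printf 'oauth2accesstoken:%s\n' "$token"
}

# -T 5 (assumed acceptable timeout) keeps a slow metadata server from stalling
# the updater's registry scan; the token is never echoed to stderr or logs.
fetch_token_json() {
  wget -q -T 5 -O - --header 'Metadata-Flavor: Google' "$METADATA_URL"
}

# Only talk to the metadata server when invoked as the mounted script
# (/auth/auth.sh); otherwise just define the functions above.
case "$0" in
  */auth.sh) format_credentials "$(fetch_token_json)" ;;
esac
```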
When one Application handles several images, list them comma-separated in image-list as below, then add per-image settings using each image's alias:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
  namespace: argocd
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git
    argocd-image-updater.argoproj.io/image-list: |
      service-a=asia.gcr.io/{{PROJECT_NAME}}/service-a,service-b=asia.gcr.io/{{PROJECT_NAME}}/service-b,service-c=asia.gcr.io/{{PROJECT_NAME}}/service-c
    # --- service-a update-strategy, allow-tags, ignore-tags
    argocd-image-updater.argoproj.io/service-a.update-strategy: latest
    argocd-image-updater.argoproj.io/service-a.allow-tags: 'regexp:^[0-9a-f]{5,40}$'
    argocd-image-updater.argoproj.io/service-a.ignore-tags: latest
    # --- service-b update-strategy, allow-tags, ignore-tags
    argocd-image-updater.argoproj.io/service-b.update-strategy: latest
    argocd-image-updater.argoproj.io/service-b.allow-tags: 'regexp:^[0-9a-f]{5,40}$'
    argocd-image-updater.argoproj.io/service-b.ignore-tags: latest
    # --- service-c update-strategy, allow-tags, ignore-tags
    argocd-image-updater.argoproj.io/service-c.update-strategy: latest
    argocd-image-updater.argoproj.io/service-c.allow-tags: 'regexp:^[0-9a-f]{5,40}$'
    argocd-image-updater.argoproj.io/service-c.ignore-tags: latest