From b2303220e39f286302e35598be3e55d78d6515f1 Mon Sep 17 00:00:00 2001 From: svcAPLBot <174728082+svcAPLBot@users.noreply.github.com> Date: Sat, 23 May 2026 01:19:14 +0000 Subject: [PATCH] chore(chart-deps): update argocd-image-updater to version 1.2.2 --- chart/chart-index/Chart.yaml | 2 +- charts/argocd-image-updater/Chart.yaml | 8 +- charts/argocd-image-updater/README.md | 17 ++ .../crds/crd-imageupdaters.yaml | 170 +++++++++++++----- .../templates/deployment.yaml | 48 +++++ .../argocd-image-updater/templates/rbac.yaml | 29 ++- .../templates/secret.yaml | 22 +++ charts/argocd-image-updater/values.yaml | 15 ++ 8 files changed, 258 insertions(+), 53 deletions(-) create mode 100644 charts/argocd-image-updater/templates/secret.yaml diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 083d7e06a0..95fea47c98 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -9,7 +9,7 @@ dependencies: version: 9.5.14 repository: https://argoproj.github.io/argo-helm - name: argocd-image-updater - version: 1.1.5 + version: 1.2.2 repository: oci://ghcr.io/argoproj/argo-helm/argocd-image-updater - name: cert-manager version: v1.20.2 diff --git a/charts/argocd-image-updater/Chart.yaml b/charts/argocd-image-updater/Chart.yaml index 9e9a3266e4..d2f4d690dd 100644 --- a/charts/argocd-image-updater/Chart.yaml +++ b/charts/argocd-image-updater/Chart.yaml 
@@ -1,12 +1,12 @@ annotations: artifacthub.io/changes: | - - kind: fixed - description: Remove duplicate nodePort key from Service template when service.type is NodePort + - kind: changed + description: Bump argocd-image-updater to v1.2.1 artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc apiVersion: v2 -appVersion: v1.1.1 +appVersion: v1.2.1 description: A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD home: https://github.com/argoproj-labs/argocd-image-updater @@ -20,4 +20,4 @@ maintainers: url: https://argoproj.github.io/ name: argocd-image-updater type: application -version: 1.1.5 +version: 1.2.2 diff --git a/charts/argocd-image-updater/README.md b/charts/argocd-image-updater/README.md index 9f1a363f1e..6705e39392 100644 --- a/charts/argocd-image-updater/README.md +++ b/charts/argocd-image-updater/README.md @@ -48,6 +48,18 @@ For full list of changes please check ArtifactHub [changelog]. Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version. +### 1.2.0 (app version 1.2.0) + +Starting with this release, the webhook server runs with **TLS enabled by default**. If you previously relied on plain HTTP, you must explicitly opt out by setting the `--disable-tls` flag or the `DISABLE_TLS` environment variable like below. + +```yaml +extraEnv: + - name: DISABLE_TLS + value: "false" +``` + +For details, see [TLS Configuration](https://argocd-image-updater.readthedocs.io/en/stable/configuration/webhook/#tls-configuration). + ### 1.0.3 (app version 1.0.2) The upstream project changed the recommended installation namespace from `argocd-image-updater-system` to the same 
@@ -82,6 +94,11 @@ The `config.registries` value can be used exactly as it looks in the documentati | authScripts.enabled | bool | `false` | Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts` | | authScripts.name | string | `"argocd-image-updater-authscripts"` | Name of the authentication scripts ConfigMap | | authScripts.scripts | object | `{}` | Map of key-value pairs where the key consists of the name of the script and the value the contents. | +| certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-repo-server-tls secret | +| certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) | +| certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret | +| certificateSecret.key | string | `""` | Certificate private key | +| certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret | | config."git.commit-message-template" | string | `""` | Changing the Git commit message | | config."git.commit-sign-off" | bool | `false` | Enables sign off on commits | | config."git.commit-signing-key" | string | `""` | Path to public SSH key mounted in container, or GPG key ID used to sign commits | diff --git a/charts/argocd-image-updater/crds/crd-imageupdaters.yaml b/charts/argocd-image-updater/crds/crd-imageupdaters.yaml index 7ebbd18231..8478ebb1b9 100644 --- a/charts/argocd-image-updater/crds/crd-imageupdaters.yaml +++ b/charts/argocd-image-updater/crds/crd-imageupdaters.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.19.0 "helm.sh/resource-policy": keep name: imageupdaters.argocd-image-updater.argoproj.io spec: 
@@ -16,7 +16,20 @@ spec: singular: imageupdater scope: Namespaced versions: - - name: v1alpha1 + - additionalPrinterColumns: + - jsonPath: .status.applicationsMatched + name: Apps + type: integer + - jsonPath: .status.imagesManaged + name: Images + type: integer + - jsonPath: .status.lastCheckedAt + name: Last Checked + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1alpha1 schema: openAPIV3Schema: description: ImageUpdater is the Schema for the imageupdaters API @@ -308,6 +321,25 @@ spec: Branch to commit updates to. Required if write-back method is Git and this is not specified at the spec level. type: string + pullRequest: + description: |- + PullRequest configures creation of pull requests when writing back image updates to Git. + When set, the controller opens a PR instead of pushing to the branch. + If not specified write back config method is `git`. + properties: + github: + description: GitHub configures PR creation via the + GitHub API. + type: object + gitlab: + description: GitLab configures MR creation via the + GitLab API. + type: object + type: object + x-kubernetes-validations: + - message: Exactly one of github or gitlab must be set + rule: '(has(self.github) ? 1 : 0) + (has(self.gitlab) + ? 1 : 0) == 1' repository: description: |- Repository URL to commit changes to. @@ -318,7 +350,7 @@ spec: description: |- WriteBackTarget defines the path and type of file to update in the Git repository. Examples: "helmvalues:./helm/values.yaml", "kustomization:./kustomize/overlays/production". - For ApplicationSet usage, `"{{ .app.path.path }}"` should be resolved by ApplicationSet + For ApplicationSet usage, `{{ .app.path.path }}` should be resolved by ApplicationSet before this CR is generated, resulting in a concrete path here. Required if write-back method is Git and this is not specified at the spec level. type: string 
@@ -392,14 +424,6 @@ spec: This acts as the default if not overridden at a more specific level. type: string type: object - namespace: - description: |- - Namespace indicates the target namespace of the applications. - - Deprecated: This field is deprecated and will be removed in a future release. - The controller now uses the ImageUpdater CR's namespace (metadata.namespace) - to determine which namespace to search for applications. This field is ignored. - type: string writeBackConfig: description: |- WriteBackConfig provides global default settings for how and where to write back image updates. @@ -415,6 +439,25 @@ spec: Branch to commit updates to. Required if write-back method is Git and this is not specified at the spec level. type: string + pullRequest: + description: |- + PullRequest configures creation of pull requests when writing back image updates to Git. + When set, the controller opens a PR instead of pushing to the branch. + If not specified write back config method is `git`. + properties: + github: + description: GitHub configures PR creation via the GitHub + API. + type: object + gitlab: + description: GitLab configures MR creation via the GitLab + API. + type: object + type: object + x-kubernetes-validations: + - message: Exactly one of github or gitlab must be set + rule: '(has(self.github) ? 1 : 0) + (has(self.gitlab) ? + 1 : 0) == 1' repository: description: |- Repository URL to commit changes to. @@ -425,7 +468,7 @@ spec: description: |- WriteBackTarget defines the path and type of file to update in the Git repository. Examples: "helmvalues:./helm/values.yaml", "kustomization:./kustomize/overlays/production". - For ApplicationSet usage, `"{{ .app.path.path }}"` should be resolved by ApplicationSet + For ApplicationSet usage, `{{ .app.path.path }}` should be resolved by ApplicationSet before this CR is generated, resulting in a concrete path here. Required if write-back method is Git and this is not specified at the spec level. type: string 
@@ -446,7 +489,15 @@ spec: status: description: ImageUpdaterStatus defines the observed state of ImageUpdater properties: + applicationsMatched: + description: ApplicationsMatched is the number of Argo CD applications + matched by this CR's selectors. + format: int32 + minimum: 0 + type: integer conditions: + description: Conditions represent the latest available observations + of the resource's state. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -502,48 +553,73 @@ spec: - type type: object type: array - imageStatus: - description: ImageStatus indicates the detailed status for the list - of managed images + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + imagesManaged: + description: ImagesManaged is the number of images that were eligible + for update checking. + format: int32 + minimum: 0 + type: integer + lastCheckedAt: + description: LastCheckedAt indicates when the controller last checked + for image updates. + format: date-time + type: string + lastUpdatedAt: + description: LastUpdatedAt indicates when the controller last performed + an image update. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration is the most recent generation observed + by the controller. + format: int64 + minimum: 0 + type: integer + recentUpdates: + description: RecentUpdates contains the list of image updates performed + during the last update cycle. items: - description: ImageStatus contains information for an image:version - and its update status in hosting applications + description: RecentUpdate records a single image update performed + during the last update. properties: - applications: - description: Applications contains a list of applications and - when the image was last updated therein - items: - description: ImageApplicationLastUpdated contains information - for an application and when the image was last updated therein - properties: - appName: - description: AppName indicates and namespace and the application - name - type: string - lastUpdatedAt: - description: LastUpdatedAt indicates when the image in - this application was last updated - format: date-time - type: string - required: - - appName - type: object - type: array - name: - description: Name indicates the image name + alias: + description: Alias is the alias of the image configuration that + was updated. 
type: string - version: - description: Version indicates the image version + applicationsUpdated: + description: ApplicationsUpdated is the number of applications + in which this image was updated. + format: int32 + minimum: 0 + type: integer + image: + description: Image is the full image reference. + type: string + message: + description: Message provides a human-readable description of + the update action. + type: string + newVersion: + description: NewVersion is the new tag or digest the image was + updated to. + type: string + updatedAt: + description: UpdatedAt is the timestamp when the update was + applied. + format: date-time type: string required: - - name - - version + - alias + - applicationsUpdated + - image + - newVersion + - updatedAt type: object type: array - reconciledAt: - description: LastUpdatedAt indicates when the image updater last ran - format: date-time - type: string + x-kubernetes-list-type: atomic type: object type: object served: true diff --git a/charts/argocd-image-updater/templates/deployment.yaml b/charts/argocd-image-updater/templates/deployment.yaml index 4e01f57324..08ee48e75d 100644 --- a/charts/argocd-image-updater/templates/deployment.yaml +++ b/charts/argocd-image-updater/templates/deployment.yaml @@ -47,6 +47,12 @@ spec: key: argocd.namespace name: {{ .Values.config.name }} optional: true + - name: IMAGE_UPDATER_WATCH_NAMESPACES + valueFrom: + configMapKeyRef: + name: {{ .Values.config.name }} + key: watch.namespaces + optional: true - name: IMAGE_UPDATER_INTERVAL valueFrom: configMapKeyRef: 
@@ -149,12 +155,42 @@ spec: name: argocd-image-updater-secret key: webhook.harbor-secret optional: true + - name: ALIYUN_ACR_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + name: argocd-image-updater-secret + key: webhook.aliyun-acr-secret + optional: true - name: WEBHOOK_RATELIMIT_ALLOWED valueFrom: configMapKeyRef: name: {{ .Values.config.name }} key: webhook.ratelimit-allowed optional: true + - name: DISABLE_TLS + valueFrom: + configMapKeyRef: + name: {{ .Values.config.name }} + key: disable-tls + optional: true + - name: TLS_MIN_VERSION + valueFrom: + configMapKeyRef: + name: {{ .Values.config.name }} + key: tls.min-version + optional: true + - name: TLS_MAX_VERSION + valueFrom: + configMapKeyRef: + name: {{ .Values.config.name }} + key: tls.max-version + optional: true + - name: TLS_CIPHERS + valueFrom: + configMapKeyRef: + name: {{ .Values.config.name }} + key: tls.ciphers + optional: true {{- with .Values.extraEnv }} {{- toYaml . | nindent 10 }} {{- end }} @@ -205,6 +241,9 @@ spec: mountPath: /app/ssh-keys/id_rsa readOnly: true subPath: sshPrivateKey + - name: argocd-image-updater-tls + mountPath: /app/config/tls + readOnly: true {{- if .Values.authScripts.enabled }} - mountPath: /scripts name: authscripts @@ -241,6 +280,15 @@ spec: secret: secretName: ssh-git-creds optional: true + - name: argocd-image-updater-tls + secret: + secretName: argocd-image-updater-tls + optional: true + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key - emptyDir: {} name: tmp {{- with .Values.volumes }} diff --git a/charts/argocd-image-updater/templates/rbac.yaml b/charts/argocd-image-updater/templates/rbac.yaml index ebd11323d9..bbe1c3ea83 100644 --- a/charts/argocd-image-updater/templates/rbac.yaml +++ b/charts/argocd-image-updater/templates/rbac.yaml 
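Review bot: The `DISABLE_TLS` entry added in this hunk is the switch the README hunk of this patch tells users to set when opting out of TLS, yet the README example sets `value: "false"`, which reads as leaving TLS on; confirm which value the binary treats as "disabled" and align the example. An `extraEnv` item named `DISABLE_TLS` would also sit in the same env list as this ConfigMap-sourced entry of the same name, so the README should say which source is meant to win. A comment above the four TLS entries would help, for example `# Webhook TLS settings; all keys optional, TLS stays on unless disable-tls is set (per README)`. The container spec starts and ends outside the hunk.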
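Review bot: The volume added in the last deployment.yaml hunk hard-codes `secretName: argocd-image-updater-tls`, while the new templates/secret.yaml names its Secret `{{ include "argocd-image-updater.fullname" . }}-tls`; for any release whose fullname is not `argocd-image-updater` the two will not match. Because the volume is `optional: true`, the pod would still start with nothing mounted at `/app/config/tls`, and the operator-supplied certificate would silently go unused. Using the same helper in both places fixes it: `secretName: {{ include "argocd-image-updater.fullname" . }}-tls`. The volumeMount hunk before it refers only to the volume name and needs no change.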
@@ -24,6 +24,32 @@ rules: - events verbs: - create + - apiGroups: + - argocd-image-updater.argoproj.io + resources: + - imageupdaters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - argocd-image-updater.argoproj.io + resources: + - imageupdaters/finalizers + verbs: + - update + - apiGroups: + - argocd-image-updater.argoproj.io + resources: + - imageupdaters/status + verbs: + - get + - patch + - update - apiGroups: - argoproj.io resources: @@ -31,8 +57,9 @@ rules: verbs: - get - list - - update - patch + - update + - watch {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/argocd-image-updater/templates/secret.yaml b/charts/argocd-image-updater/templates/secret.yaml new file mode 100644 index 0000000000..1c0d994714 --- /dev/null +++ b/charts/argocd-image-updater/templates/secret.yaml @@ -0,0 +1,22 @@ +{{- if .Values.certificateSecret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "argocd-image-updater.fullname" . }}-tls + namespace: {{ include "argocd-image-updater.namespace" . | quote }} + labels: + {{- include "argocd-image-updater.labels" . | nindent 4 }} + {{- with .Values.certificateSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.certificateSecret.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.certificateSecret.crt | b64enc | quote }} + tls.key: {{ .Values.certificateSecret.key | b64enc | quote }} +{{- end }} diff --git a/charts/argocd-image-updater/values.yaml b/charts/argocd-image-updater/values.yaml index 50ba66bffb..b89fcf6aaa 100644 --- a/charts/argocd-image-updater/values.yaml +++ b/charts/argocd-image-updater/values.yaml 
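Review bot: The first new rule grants `create` and `delete` on `imageupdaters` to the controller's service account, which is wider than this diff shows a need for; the other additions (`imageupdaters/status`, `imageupdaters/finalizers`, `watch`) fit a controller that only reconciles existing CRs. If upstream does not have the controller create or delete these objects itself, the verb list could shrink to `get`, `list`, `watch`, `update`, `patch`. The kind of the enclosing object (Role or ClusterRole) and the `if` that guards it are outside the hunk, so the scope of the grant should be checked there, and a one-line comment above each rule saying why the controller needs it would make later chart bumps easier to review.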
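Review bot: With `certificateSecret.enabled: true` and the default empty `crt` and `key`, templates/secret.yaml renders a `kubernetes.io/tls` Secret whose `tls.crt` and `tls.key` are empty strings, a mistake that would presumably only show up later when the server tries to load the pair. Failing at render time is clearer: `tls.crt: {{ required "certificateSecret.crt is required" .Values.certificateSecret.crt | b64enc | quote }}`, and the same for `tls.key`. The private key also travels through Helm values here, so it ends up wherever the values file and the release data are stored; a header comment pointing production users to a pre-created Secret would be worth adding.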
@@ -395,3 +395,18 @@ dualStack: ipFamilyPolicy: "" # -- IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. ipFamilies: [] + +# TLS certificate configuration via Secret for Webhook +## Ref: https://argocd-image-updater.readthedocs.io/en/stable/configuration/webhook/#tls-configuration +## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers. +certificateSecret: + # -- Create argocd-repo-server-tls secret + enabled: false + # -- Annotations to be added to argocd-repo-server-tls secret + annotations: {} + # -- Labels to be added to argocd-repo-server-tls secret + labels: {} + # -- Certificate private key + key: "" + # -- Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) + crt: ""
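Review bot: The comments on the new `certificateSecret` block describe a different component: they speak of the `argocd-repo-server-tls` secret, SANs of the repo service and restarting the repo server, while templates/secret.yaml in this patch creates `<fullname>-tls` and the block's own first comment says it is for the webhook. An operator following them could load a certificate issued for the wrong service. Something like `# -- Create the TLS secret mounted by the image updater webhook server` and `# -- Certificate data. Must contain the SANs clients use to reach the webhook Service` would match what the templates do; the same wording is repeated in the README table hunk. The note line also has a typo, "in not supported" for "is not supported".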