Created
February 3, 2023 09:51
ArgoCD image updater with ECR
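# IAM role trust policy (IAM Roles for Service Accounts). Create a role with this
# trust policy, then annotate the service account in the Helm values below with
# that role's ARN.
#
# What the policy restricts:
#   - Principal.Federated: only tokens issued by this cluster's OIDC provider.
#   - ...:aud = sts.amazonaws.com: only tokens minted for STS.
#   - ...:sub = system:serviceaccount:argocd:argocd-image-updater: only the
#     service account "argocd-image-updater" in namespace "argocd".
# Keep both conditions under StringEquals with exact values. A wildcard or a
# missing "sub" condition would let other service accounts in the cluster
# assume the role.
#
# NOTE(review): the role's permissions policy is not shown here. The updater only
# needs to read from the registry, so grant ecr:GetAuthorizationToken plus
# read-only ECR actions on the repositories it watches, and nothing else.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT>:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/<OIDC_ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com",
          "oidc.eks.us-west-2.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:argocd:argocd-image-updater"
        }
      }
    }
  ]
}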
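# Helm values for the argocd-image-updater chart.
# Indentation restored; nesting follows the chart's config / authScripts /
# serviceAccount layout.
---
config:
  registries:
    - name: ECR
      api_url: https://<AWS_ACCOUNT>.dkr.ecr.us-west-2.amazonaws.com
      prefix: <AWS_ACCOUNT>.dkr.ecr.us-west-2.amazonaws.com
      default: true
      ping: yes
      # Keep TLS certificate verification on for the registry connection.
      insecure: no
      # "ext:" runs the script and reads "<username>:<password>" from its stdout.
      credentials: ext:/scripts/ecr-login.sh
      # ECR authorization tokens are valid for 12 hours; 11h re-runs the script
      # before the cached token expires.
      credsexpire: 11h
authScripts:
  enabled: true
  scripts:
    # The decoded ECR token has the form "AWS:<password>", which matches the
    # format the updater expects. Stdout of this script is a live registry
    # credential: do not add tracing (set -x) or echo statements that would
    # copy it into pod logs.
    # NOTE(review): the pipeline's exit status is that of `base64 -d`, so a
    # failed `aws` call yields empty output rather than a non-zero exit;
    # check the updater's logs for credential-format errors if pulls fail.
    ecr-login.sh: |
      #!/bin/sh
      aws ecr --region us-west-2 get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
serviceAccount:
  create: true
  annotations:
    # Role whose trust policy is shown above.
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT>:role/argocd-image-updater-test
  # Must stay "argocd-image-updater", and the release must be installed in the
  # "argocd" namespace: the trust policy's "sub" condition matches exactly
  # system:serviceaccount:argocd:argocd-image-updater.
  name: "argocd-image-updater"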