Natively support cloud provider Authentication mechanisms for Helm Chart OCI registries #8952
Comments
Is there any workaround for now?
@jeremydescamps workaround is to use https://mike7515.github.io/argocd-ecr-updater/
What about this? https://github.com/argoproj/argo-helm/blob/aa418962922d5967aaebe7a7fb362fa21d1104e2/charts/argocd-image-updater/values.yaml#L89-L95 Did you try?
We don't use argocd-image-updater at the moment, so no experience with that.
Another workaround is described in another issue coming from the same problem.
@jeremydescamps I have tested argocd-image-updater. I could not get a solution to work. The updater is primarily used to update docker images and tags. I could not find any sign that helm registries are detected https://github.com/argoproj-labs/argocd-image-updater/blob/master/pkg/argocd/argocd.go although at least the registry config is picked up.
We’re also using the cronjob approach as a workaround. Having it supported by the system would be much nicer, yes.
Looks like it's related to #10218. Another way this could be done in the near future is with external-secrets, a PR got recently merged which could be relevant for this use case: external-secrets/external-secrets#1539.
The existing helm chart for the workaround was not fit enough for our security compliance. I have built my own solution without a cronjob. You can check https://github.com/karlderkaefer/argocd-ecr-updater
This is also an option: https://external-secrets.io/v0.7.2/guides/generator/
@blakepettersson - I wish I saw your post earlier. Would have saved me some time. Thought it was fun figuring out from first principles. Thanks for the template. Saves me lots of trouble.
Closing this issue in favour of #10218
Summary
Currently the ECR token expires every 12 hours if we use the `username` and `password` mechanism to authenticate with ECR. Either we have to use a custom script to update it or update it manually.
Motivation
When we host the Helm Charts in cloud provider registries like ECR, we need a mechanism to authenticate natively to pull the charts from the private registries.
Proposal
This can be implemented in a proper way by having an AWS IAM integration IRSA (Instance Role for Service Account) with ArgoCD as an optional add-on.
It helps the users to use the ECR as the Helm Chart registry without generating tokens and updating it via scripts or manually in an insecure way.
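The custom-script workaround the summary mentions, sketched as an added example (not part of the original issue and not Argo CD's or any linked project's code): it decodes an ECR authorization token, decides when the 12-hour token is due for renewal, and builds the repository Secret that Argo CD reads. The token, registry host, one-hour refresh margin and all helper names are constructed assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=12)   # ECR token validity stated in the issue
REFRESH_MARGIN = timedelta(hours=1)    # assumption: renew one hour early

# Constructed sample values, not real credentials or a real registry.
SAMPLE_TOKEN = base64.b64encode(b"AWS:constructed-password").decode()
SAMPLE_HOST = "123456789012.dkr.ecr.us-east-1.amazonaws.com"


def decode_ecr_token(authorization_token: str) -> tuple:
    """Split an ECR authorizationToken, which is base64 of 'user:password'."""
    decoded = base64.b64decode(authorization_token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep or not username or not password:
        raise ValueError("token is not in 'user:password' form")
    return username, password


def needs_refresh(issued_at: datetime, now: datetime) -> bool:
    """True once the token is within REFRESH_MARGIN of its 12-hour expiry."""
    return now >= issued_at + TOKEN_LIFETIME - REFRESH_MARGIN


def build_repo_secret(name: str, namespace: str, host: str, token: str) -> dict:
    """Build the Secret manifest for an OCI Helm repository in Argo CD."""
    username, password = decode_ecr_token(token)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # Label that marks a Secret as an Argo CD repository credential.
            "labels": {"argocd.argoproj.io/secret-type": "repository"},
        },
        "stringData": {"name": name, "type": "helm", "url": host,
                       "enableOCI": "true",
                       "username": username, "password": password},
    }


def redacted(manifest: dict) -> dict:
    """Copy of the manifest that is safe to log: the password is masked."""
    data = dict(manifest["stringData"], password="***")
    return dict(manifest, stringData=data)
```

Fetching the token and applying the manifest are left to whatever runs the script; `redacted()` is what should reach the job's logs, since the decoded password is a live registry credential until it expires.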