From b8bb2dc38ed8cc8a3bea4e973ea7b7c819818850 Mon Sep 17 00:00:00 2001 From: Christopher Coco Date: Fri, 1 Aug 2025 10:11:44 -0400 Subject: [PATCH 1/3] manifests(webhook): add ingress and service for webhook feature and alter deployment env spec to add new cil flags Signed-off-by: Christopher Coco remove flags for health and metrics in webhook server Signed-off-by: Christopher Coco --- cmd/webhook.go | 4 +- .../argocd-image-updater-deployment.yaml | 36 +++++++++ manifests/base/kustomization.yaml | 1 + .../argocd-image-updater-ingress.yaml | 23 ++++++ .../argocd-image-updater-service.yaml | 13 ++++ manifests/base/networking/kustomization.yaml | 6 ++ manifests/install.yaml | 74 +++++++++++++++++++ 7 files changed, 154 insertions(+), 3 deletions(-) create mode 100644 manifests/base/networking/argocd-image-updater-ingress.yaml create mode 100644 manifests/base/networking/argocd-image-updater-service.yaml create mode 100644 manifests/base/networking/kustomization.yaml diff --git a/cmd/webhook.go b/cmd/webhook.go index dd6317c4..35c09865 100644 --- a/cmd/webhook.go +++ b/cmd/webhook.go 
@@ -173,8 +173,6 @@ Supported registries:
  webhookCmd.Flags().DurationVar(&cfg.CheckInterval, "interval", env.GetDurationVal("IMAGE_UPDATER_INTERVAL", 2*time.Minute), "interval for how often to check for updates")
  webhookCmd.Flags().StringVar(&cfg.LogLevel, "loglevel", env.GetStringVal("IMAGE_UPDATER_LOGLEVEL", "info"), "set the loglevel to one of trace|debug|info|warn|error")
  webhookCmd.Flags().StringVar(&kubeConfig, "kubeconfig", "", "full path to kubernetes client configuration, i.e. ~/.kube/config")
- webhookCmd.Flags().IntVar(&cfg.HealthPort, "health-port", 8080, "port to start the health server on, 0 to disable")
- webhookCmd.Flags().IntVar(&cfg.MetricsPort, "metrics-port", 8081, "port to start the metrics server on, 0 to disable")
  webhookCmd.Flags().StringVar(&cfg.RegistriesConf, "registries-conf-path", defaultRegistriesConfPath, "path to registries configuration file")
  webhookCmd.Flags().BoolVar(&disableKubernetes, "disable-kubernetes", false, "do not create and use a Kubernetes client")
  webhookCmd.Flags().IntVar(&cfg.MaxConcurrency, "max-concurrency", 10, "maximum number of update threads to run concurrently")
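Review bot: Removing `--health-port` and `--metrics-port` from the webhook command is a breaking CLI change that nothing in this hunk records, and any existing invocation that still passes either flag will now be rejected as an unknown flag. Whether `cfg.HealthPort` and `cfg.MetricsPort` are still read elsewhere in the command is not visible here; if they are, they now keep their zero value, which the removed help text described as "0 to disable". The following hunk also moves the `--webhook-port` default from 8082 to 8080, so registries configured against the old default would stop reaching the listener after an upgrade. A short comment above the flag block, such as `// --health-port and --metrics-port were removed from this command; the default webhook port is now 8080`, plus a release-note entry would make the change explicit. The enclosing function starts and ends outside the hunk.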
@@ -190,7 +188,7 @@ Supported registries: webhookCmd.Flags().StringVar(&commitMessagePath, "git-commit-message-path", defaultCommitTemplatePath, "Path to a template to use for Git commit messages") webhookCmd.Flags().BoolVar(&cfg.DisableKubeEvents, "disable-kube-events", env.GetBoolVal("IMAGE_UPDATER_KUBE_EVENTS", false), "Disable kubernetes events") - webhookCmd.Flags().IntVar(&webhookCfg.Port, "webhook-port", env.ParseNumFromEnv("WEBHOOK_PORT", 8082, 0, 65535), "Port to listen on for webhook events") + webhookCmd.Flags().IntVar(&webhookCfg.Port, "webhook-port", env.ParseNumFromEnv("WEBHOOK_PORT", 8080, 0, 65535), "Port to listen on for webhook events") webhookCmd.Flags().StringVar(&webhookCfg.DockerSecret, "docker-webhook-secret", env.GetStringVal("DOCKER_WEBHOOK_SECRET", ""), "Secret for validating Docker Hub webhooks") webhookCmd.Flags().StringVar(&webhookCfg.GHCRSecret, "ghcr-webhook-secret", env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), "Secret for validating GitHub Container Registry webhooks") webhookCmd.Flags().StringVar(&webhookCfg.QuaySecret, "quay-webhook-secret", env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), "Secret for validating Quay webhooks") diff --git a/manifests/base/deployment/argocd-image-updater-deployment.yaml b/manifests/base/deployment/argocd-image-updater-deployment.yaml index 851795fe..259769b2 100644 --- a/manifests/base/deployment/argocd-image-updater-deployment.yaml +++ b/manifests/base/deployment/argocd-image-updater-deployment.yaml 
@@ -113,6 +113,42 @@ spec: name: argocd-image-updater-config key: log.level optional: true + - name: ENABLE_WEBHOOK + valueFrom: + configMapKeyRef: + name: argocd-image-updater-config + key: webhook.enable + optional: true + - name: WEBHOOK_PORT + valueFrom: + configMapKeyRef: + name: argocd-image-updater-config + key: webhook.port + optional: true + - name: QUAY_WEBHOOK_SECRET + valueFrom: + configMapKeyRef: + name: argocd-image-updater-config + key: webhook.quay-secret + optional: true + - name: DOCKER_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + name: argocd-image-updater-config + key: webhook.docker-secret + optional: true + - name: GHCR_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + name: argocd-image-updater-config + key: webhook.ghcr-secret + optional: true + - name: HARBOR_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + name: argocd-image-updater-config + key: webhook.harbor-secret + optional: true livenessProbe: httpGet: path: /healthz diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml index e362df01..456f3808 100644 --- a/manifests/base/kustomization.yaml +++ b/manifests/base/kustomization.yaml @@ -8,4 +8,5 @@ images: resources: - ./config - ./deployment +- ./networking - ./rbac diff --git a/manifests/base/networking/argocd-image-updater-ingress.yaml b/manifests/base/networking/argocd-image-updater-ingress.yaml new file mode 100644 index 00000000..9bfc1636 --- /dev/null +++ b/manifests/base/networking/argocd-image-updater-ingress.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: argocd-image-updater-ingress +spec: + rules: + - host: cluster.host + http: + paths: + - path: /webhook + pathType: Prefix + backend: + service: + name: argocd-image-updater-service + port: + number: 8080 + - path: /healthz + pathType: Prefix + backend: + service: + name: argocd-image-updater-service + port: + number: 8080 
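Review bot: `QUAY_WEBHOOK_SECRET` is read through `configMapKeyRef` while the Docker, GHCR and Harbor entries use `secretKeyRef`, so the Quay shared secret would have to live in a ConfigMap, where it is readable by anyone allowed to read ConfigMaps in the namespace and is not covered by Secret-specific RBAC or encryption at rest. PATCH 2/3 renames the target of all four entries to `argocd-image-updater-secret` but keeps `configMapKeyRef` on the Quay entry, which then looks for a ConfigMap of that name and, because of `optional: true`, presumably leaves the variable unset without any error. Change that entry to `secretKeyRef:` here and in the matching `manifests/install.yaml` hunks of PATCH 1/3 and 2/3. How the server treats an empty secret is not visible in this series; if it skips validation in that case, a comment next to the env block should say that a missing key disables verification.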
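Review bot: The new Ingress in `manifests/base/networking/argocd-image-updater-ingress.yaml` has no `tls:` section and no `ingressClassName`, so as written `/webhook` is offered over plain HTTP under the placeholder host `cluster.host` by whichever controller picks the object up. Webhook requests carry or are verified against a shared secret, so the route should terminate TLS. The `/healthz` rule also publishes the health endpoint outside the cluster, and since the Deployment's liveness probe does not depend on an Ingress path, that rule can be dropped. PATCH 3/3 removes the networking directory from the base kustomization but leaves this file in the tree, so it is still what users will copy.

```yaml
spec:
  ingressClassName: <ingress-class>      # placeholder: set per cluster
  tls:
  - hosts:
    - cluster.host
    secretName: <tls-secret-name>        # placeholder: TLS certificate Secret
  # … unchanged: rules for cluster.host with the /webhook backend …
```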
diff --git a/manifests/base/networking/argocd-image-updater-service.yaml b/manifests/base/networking/argocd-image-updater-service.yaml new file mode 100644 index 00000000..c89844d7 --- /dev/null +++ b/manifests/base/networking/argocd-image-updater-service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: argocd-image-updater-service +spec: + selector: + app.kubernetes.io/name: argocd-image-updater + type: NodePort + ports: + - name: server-port + protocol: TCP + port: 8080 + targetPort: 8080 diff --git a/manifests/base/networking/kustomization.yaml b/manifests/base/networking/kustomization.yaml new file mode 100644 index 00000000..7c550ba5 --- /dev/null +++ b/manifests/base/networking/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- argocd-image-updater-ingress.yaml +- argocd-image-updater-service.yaml diff --git a/manifests/install.yaml b/manifests/install.yaml index 170d153a..624fba84 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -108,6 +108,20 @@ metadata: app.kubernetes.io/part-of: argocd-image-updater name: argocd-image-updater-secret --- +apiVersion: v1 +kind: Service +metadata: + name: argocd-image-updater-service +spec: + ports: + - name: server-port + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/name: argocd-image-updater + type: NodePort +--- apiVersion: apps/v1 kind: Deployment metadata: 
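Review bot: `type: NodePort` in the new Service opens the webhook port on every node address in addition to the Ingress route, so requests can reach the listener without passing through the Ingress and whatever TLS or filtering is configured there. Because the Ingress added in this patch fronts the Service, `type: ClusterIP` is sufficient. `targetPort: 8080` is also fixed while the Deployment makes the listener port configurable through `webhook.port`; a comment such as `# must match webhook.port / WEBHOOK_PORT` on that line would keep the two from drifting apart. The same Service is repeated in the `manifests/install.yaml` hunk later on this line and is removed again by PATCH 3/3.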
@@ -221,6 +235,42 @@ spec: key: log.level name: argocd-image-updater-config optional: true + - name: ENABLE_WEBHOOK + valueFrom: + configMapKeyRef: + key: webhook.enable + name: argocd-image-updater-config + optional: true + - name: WEBHOOK_PORT + valueFrom: + configMapKeyRef: + key: webhook.port + name: argocd-image-updater-config + optional: true + - name: QUAY_WEBHOOK_SECRET + valueFrom: + configMapKeyRef: + key: webhook.quay-secret + name: argocd-image-updater-config + optional: true + - name: DOCKER_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: webhook.docker-secret + name: argocd-image-updater-config + optional: true + - name: GHCR_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: webhook.ghcr-secret + name: argocd-image-updater-config + optional: true + - name: HARBOR_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: webhook.harbor-secret + name: argocd-image-updater-config + optional: true image: quay.io/argoprojlabs/argocd-image-updater:latest imagePullPolicy: Always livenessProbe: @@ -285,3 +335,27 @@ spec: secretName: ssh-git-creds - emptyDir: {} name: tmp +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: argocd-image-updater-ingress +spec: + rules: + - host: cluster.host + http: + paths: + - backend: + service: + name: argocd-image-updater-service + port: + number: 8080 + path: /webhook + pathType: Prefix + - backend: + service: + name: argocd-image-updater-service + port: + number: 8080 + path: /healthz + pathType: Prefix From f4d20ed8b87969a39a2d0e3711c7ccf56f12a152 Mon Sep 17 00:00:00 2001 From: Christopher Coco Date: Fri, 1 Aug 2025 15:04:17 -0400 Subject: [PATCH 2/3] manifests(webhook): fix env variables for webhook secrets to use argocd-image-updater-secret Signed-off-by: Christopher Coco make manifests Signed-off-by: Christopher Coco --- .../base/deployment/argocd-image-updater-deployment.yaml | 8 ++++---- manifests/install.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/manifests/base/deployment/argocd-image-updater-deployment.yaml b/manifests/base/deployment/argocd-image-updater-deployment.yaml index 259769b2..c139a25c 100644 --- a/manifests/base/deployment/argocd-image-updater-deployment.yaml +++ b/manifests/base/deployment/argocd-image-updater-deployment.yaml @@ -128,25 +128,25 @@ spec: - name: QUAY_WEBHOOK_SECRET valueFrom: configMapKeyRef: - name: argocd-image-updater-config + name: argocd-image-updater-secret key: webhook.quay-secret optional: true - name: DOCKER_WEBHOOK_SECRET valueFrom: secretKeyRef: - name: argocd-image-updater-config + name: argocd-image-updater-secret key: webhook.docker-secret optional: true - name: GHCR_WEBHOOK_SECRET valueFrom: secretKeyRef: - name: argocd-image-updater-config + name: argocd-image-updater-secret key: webhook.ghcr-secret optional: true - name: HARBOR_WEBHOOK_SECRET valueFrom: secretKeyRef: - name: argocd-image-updater-config + name: argocd-image-updater-secret key: webhook.harbor-secret optional: true livenessProbe: diff --git a/manifests/install.yaml b/manifests/install.yaml index 624fba84..68e89e0f 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -251,25 +251,25 @@ spec: valueFrom: configMapKeyRef: key: webhook.quay-secret - name: argocd-image-updater-config + name: argocd-image-updater-secret optional: true - name: DOCKER_WEBHOOK_SECRET valueFrom: secretKeyRef: key: webhook.docker-secret - name: argocd-image-updater-config + name: argocd-image-updater-secret optional: true - name: GHCR_WEBHOOK_SECRET valueFrom: secretKeyRef: key: webhook.ghcr-secret - name: argocd-image-updater-config + name: argocd-image-updater-secret optional: true - name: HARBOR_WEBHOOK_SECRET valueFrom: secretKeyRef: key: webhook.harbor-secret - name: argocd-image-updater-config + name: argocd-image-updater-secret optional: true image: quay.io/argoprojlabs/argocd-image-updater:latest imagePullPolicy: Always From e900e01b848639de45bc66a1761d61aaf28b2b24 Mon Sep 17 00:00:00 2001 
From: Christopher Coco Date: Fri, 1 Aug 2025 15:53:05 -0400 Subject: [PATCH 3/3] manifests(webhook): remove networking stuff from the install Signed-off-by: Christopher Coco --- manifests/base/kustomization.yaml | 1 - manifests/install.yaml | 38 ------------------------------- 2 files changed, 39 deletions(-) diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml index 456f3808..e362df01 100644 --- a/manifests/base/kustomization.yaml +++ b/manifests/base/kustomization.yaml @@ -8,5 +8,4 @@ images: resources: - ./config - ./deployment -- ./networking - ./rbac diff --git a/manifests/install.yaml b/manifests/install.yaml index 68e89e0f..de8fc475 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -108,20 +108,6 @@ metadata: app.kubernetes.io/part-of: argocd-image-updater name: argocd-image-updater-secret --- -apiVersion: v1 -kind: Service -metadata: - name: argocd-image-updater-service -spec: - ports: - - name: server-port - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app.kubernetes.io/name: argocd-image-updater - type: NodePort ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -335,27 +321,3 @@ spec: secretName: ssh-git-creds - emptyDir: {} name: tmp ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: argocd-image-updater-ingress -spec: - rules: - - host: cluster.host - http: - paths: - - backend: - service: - name: argocd-image-updater-service - port: - number: 8080 - path: /webhook - pathType: Prefix - - backend: - service: - name: argocd-image-updater-service - port: - number: 8080 - path: /healthz - pathType: Prefix