Added Argo CD Image Updater with Helm

Signed-off-by: Aryan Shah <[email protected]>

Author: ARYANSHAH1567

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/_index.md

@@ -0,0 +1,9 @@
+---
+title: "Configuring Argo CD Image Updater with Helm"
+description: "This challenge provides a walkthrough on automating Kubernetes deployments by integrating Argo CD Image Updater with Helm."
+weight: 3
+id: "9136f21d-c87f-478a-8f8b-6687597a2841"
+banner: "kubernetes-icon.svg"
+categories: "kubernetes"
+---
+

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/argo-cd-image-updater-binary/_index.md

@@ -0,0 +1,27 @@
+---
+id: "argo-cd-image-updater-binary"
+title: 'Argo CD Image Updater Binary'
+description: ""
+weight: 7
+---
+
+The **argocd-image-updater** binary and specifically the **test** subcommand provides a variety of test options, including testing registry access, multi-arch images, semver constrains, update strategies, and credentials before configuring annotations on your Argo CD applications. It is available in the **argocd-image-updater** pod or you can install it locally. Here are the **argocd-image-updater** test command options:
+
+
+```
+Flags:
+
+--allow-tags string             only consider tags in registry that satisfy the match function
+--credentials string            the credentials definition for the test (overrides registry config)
+--disable-kubernetes            whether to disable the Kubernetes client
+--disable-kubernetes-events     Disable kubernetes events
+-h, --help                      help for test
+--ignore-tags stringArray       ignore tags in registry that match given glob pattern
+--kubeconfig string             path to your Kubernetes client configuration
+--loglevel string               log level to use (one of trace, debug, info, warn, error) (default "debug")
+--platforms strings             limit images to given platforms (default [linux/amd64])
+--rate-limit int                specify registry rate limit (overrides registry.conf) (default 20)
+--registries-conf-path string   path to registries configuration
+--semver-constraint string      only consider tags matching semantic version constraint
+--update-strategy string        update strategy to use, one of: semver, latest (default "semver")
+```

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/conclusions/_index.md

@@ -0,0 +1,10 @@
+---
+id: "conclusions"
+title: 'Conclusions'
+description: ""
+weight: 10
+---
+
+The Argo CD Image Updater is a powerful tool that enhances the continuous delivery process in Kubernetes environments. Automating the process of updating container images not only streamlines deployments but also reduces the risk of human error associated with manual updates.
+
+Moreover, its flexibility allows developers to tailor the update policies to suit their specific workflows, ensuring that only the necessary updates are applied. This ultimately leads to improved application reliability and performance.

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/configuration-and-setup/_index.md

@@ -0,0 +1,37 @@
+---
+id: "configuration-and-setup"
+title: 'Configuration and Setup'
+description: ""
+weight: 3
+---
+
+In this example implementation, we are using the official [argocd-image-updater](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-image-updater) Helm chart. It is deployed as an **argocd** application in the same cluster and namespace as Argo CD:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-image-updater
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc(opens in a new tab)
+  project: 'applications'
+  source:
+    helm:
+      valueFiles:
+      - ../argocd-image-updater/values.yaml
+    path: helm/argocd-image-updater
+    repoURL: https://gitlab.org.com/demo.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+  revisionHistoryLimit: 3
+```
+
+Let’s review the **values** file, where we will explore some of the essential configuration options required. These options are critical to ensuring proper functionality and deployment of the service.

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/enabling-service-account/_index.md

@@ -0,0 +1,35 @@
+---
+id: "enabling-service-account-and-RBAC-creation"
+title: 'Enabling the Service Account and RBAC Creation'
+description: ""
+weight: 5
+---
+
+```yaml
+rbac:
+  # -- Enable RBAC creation
+  enabled: true
+
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: true
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- Labels to add to the service account
+  labels: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+```
+
+---
+
+- **ServiceAccount** provides the necessary identity for ArgoCD Image Updater to authenticate and interact with the Kubernetes API to perform updates on deployment manifests or Helm charts (e.g., changing container image tags).
+
+- **rbac** ensures that ArgoCD Image Updater is granted only the permissions it needs, helping to secure your cluster by restricting its access and reducing the attack surface.
+
+---
+
+Without enabling both, the ArgoCD Image Updater would either lack the permissions to modify Kubernetes resources (failing to update your applications) or could have overly broad permissions, which could be a security risk.
+
+In the default installation scenario, i.e., Argo CD Image Updater installed to the `argocd` namespace, no further configuration is needed for Argo CD Image Updater to access the Kubernetes API. If your Argo CD installation is in a different namespace than `argocd`, you must adapt the **RoleBinding** to bind to the **ServiceAccount** in the correct namespace.

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/kubernetes-icon.svg

@@ -0,0 +1,14 @@
+---
+id: "log-level"
+title: 'Log Level'
+description: ""
+weight: 6
+---
+
+```yaml
+# -- Argo CD Image Update log level
+logLevel: "debug"
+```
+
+Changing the log level from `"info"` to `"debug"` in the Argo CD Image Updater `values` file can be beneficial in certain scenarios where you need deeper insights into the system’s behavior.
+

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/log-level/_index.md

@@ -0,0 +1,16 @@
+---
+id: "Overview"
+title: 'Overview'
+description: ""
+weight: 1
+---
+
+This challenge provides a walkthrough on automating Kubernetes deployments by integrating Argo CD Image Updater with Helm. It details the setup process, including configuring container registries like Amazon ECR and GitHub Container Registry, and emphasizes the importance of proper authentication and role-based access control (RBAC) to ensure secure and efficient operations. It also explores various update strategies—such as semantic versioning (semver), latest, digest, and name—demonstrating how to annotate Argo CD applications to enable these strategies effectively.
+
+### Understanding Argo CD Image Updater
+
+In modern Kubernetes environments, managing container images and ensuring that applications are always running the latest, most secure versions can be daunting. Argo CD Image Updater simplifies this process by automatically checking for new container image versions and updating your applications accordingly. Integrating seamlessly with Argo CD enables fully automated updates to Kubernetes workloads.
+
+The beauty of Argo CD Image Updater lies in its simplicity and flexibility. The Image Updater takes over the heavy lifting by annotating your Argo CD application resources with a list of images and defining version constraints. It regularly polls for new image versions from your container registry, checks if they meet the specified constraints, and updates your applications automatically. 
+
+Argo CD Image Updater also offers a range of advanced features, such as support for Helm and Kustomize-based applications, various update strategies (like semver, latest, name, and digest), and seamless integration with private container registries. Additionally, it allows parallel updates and supports filtering tags with custom matchers, making it highly customizable and suitable for both small and large-scale Kubernetes environments.

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/overview/_index.md

@@ -0,0 +1,92 @@
+---
+id: "registries"
+title: 'Registries'
+description: ""
+weight: 4
+---
+
+Let's configure the container registries that we are using. Argo CD Image Updater supports the majority of container registries (public and private), that implement Docker registry v2 API and has been tested against registries such as Docker Hub, Docker Registry v2 reference implementation (on-premise), Red Had Quay, Jfrog Artifactory, Github Container Registry, GitHub Packages Registry, GitLab Container Registry, and Google Container Registry.
+
+In the following examples, we will configure two of the most widely used container registries – Amazon Elastic Container Registry (ECR) and GitHub Container Registry (GHCR). In our case, we are working with private registries to ensure secure storage and access control for container images.
+
+
+### Amazon Elastic Container Registry (ECR) configuration
+
+```yaml
+registries:
+  - name: ECR
+    api_url: https://000000000000.dkr.ecr.eu-west-1.amazonaws.com
+    prefix: 000000000000.dkr.ecr.eu-west-1.amazonaws.com
+    ping: yes
+    insecure: false
+    credentials: ext:/scripts/login.sh
+    credsexpire: 10h
+```
+
+For Amazon Elastic Container Registry, authentication is possible through a script that executes an API call to retrieve the necessary credentials. In the values file, we can include this script in the **authScripts** section:
+
+```yaml
+authScripts:
+  # -- Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts`
+  enabled: true
+  # -- Map of key-value pairs where the key consists of the name of the script and the value the contents
+  scripts:
+    login.sh: |
+      #!/bin/sh
+      aws ecr --region "eu-west-1" get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
+```
+
+The script is executed by the pod and is responsible for obtaining the ECR authorization token. We use a role attached to our EKS node group, which includes the AWS-managed policy **AmazonEC2ContainerRegistryReadOnly**. This policy permits the **GetAuthorizationToken** API call:
+
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetAuthorizationToken",
+                "ecr:BatchCheckLayerAvailability",
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:GetRepositoryPolicy",
+                "ecr:DescribeRepositories",
+                "ecr:ListImages",
+                "ecr:DescribeImages",
+                "ecr:BatchGetImage",
+                "ecr:GetLifecyclePolicy",
+                "ecr:GetLifecyclePolicyPreview",
+                "ecr:ListTagsForResource",
+                "ecr:DescribeImageScanFindings"
+            ],
+            "Resource": "*"
+        }
+```
+
+### Github Container Registry configuration
+
+```yaml
+registries:
+  - name: GitHub Container Registry
+    api_url: https://ghcr.io
+
+    prefix: ghcr.io
+
+    ping: yes
+
+    credentials: secret:argocd/ghcr-secret#token
+```
+
+For registry authentication, in the credentials section, we are using a Kubernetes secret. The **#token** part refers to the specific key (usually containing a personal access token or authentication token) inside the secret. The token must have at least **read:packages** permissions. Here is a manifest of the Kubernetes secret which has to be applied in the **argocd** namespace:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-secret3
+  namespace: argocd
+
+stringData:
+  token: user_name:access_token
+```
+

content/challenges/11111111-1111-1111-1111-111111111111/configure-argo-cd-image-updater-challenge/content/registires/_index.md

@@ -0,0 +1,19 @@
+---
+id: "update-methods"
+title: 'Update Methods'
+description: ""
+weight: 8
+---
+
+Argo CD Image Updater supports two write-back methods for propagating new image versions to Argo CD.
+
+- **argocd**: 
+Directly modifies the Argo CD application resource via Kubernetes or the Argo CD API, depending on the configuration.
+
+- **git**: Creates a Git commit in the application’s repository with the updated image information.
+
+The write-back method and its configuration are set per application, with further configuration options available depending on the method used.
+
+
+
+> In this microcourse, the examples are applied using the **argocd update** method, which is the default update method and does not need further configuration. For **production environments**, it is recommended to use the **git update** method to persist the changes made by **Argo CD Image Updater** in your git repository.