Argo CD instance

Red Hat OpenShift GitOps 1.21

Installing and deploying Argo CD instances, enabling notifications with an Argo CD instance, and configuring the NotificationsConfiguration CR

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for installing and deploying Argo CD instances to manage cluster configurations or deploy applications. It also discusses about how to enable notifications for an Argo CD instance and configure the NotificationsConfiguration custom resource (CR).

Chapter 1. Setting up an Argo CD instance
Copy link

By default, Red Hat OpenShift GitOps installs an instance of Argo CD in the openshift-gitops namespace with additional permissions for managing certain cluster-scoped resources. This default Argo CD instance is also called as the default cluster-scoped instance.

To prevent the default Argo CD instance from starting in the openshift-gitops namespace, you can use the openshift-gitops-operator subscription and configure the DISABLE_DEFAULT_ARGOCD_INSTANCE environment variable in it by setting the string value to "true".

Note

For GitOps version 1.13 and later:

The default Route TLS termination mode is reencrypt for both default and user-defined Argo CD instances. TLS connections to Argo CD instances now use the default ingress certificate configured in OpenShift Container Platform instead of the self-signed Argo CD certificate. To change the route TLS termination policy, configure the .spec.server.route.tls field in the Argo CD CR.
Restricted pod security admission (PSA) labels are applied to the openshift-gitops namespace to ensure compliance with OpenShift Container Platform standards. If you are running additional workloads in this namespace, such as monitoring or logging, ensure that they comply with the restricted PSA requirements. If compliance is not feasible, consider using a user-defined, cluster-scoped Argo CD instance, where PSA labels are not applied or controlled by the GitOps Operator.

To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance. By default, any new user-defined instance has permissions to manage resources only in the namespace where it is deployed.

Warning

A Kubernetes user with access to the Argo CD namespace is an Argo CD administrator and can bypass any role-based access control (RBAC) restrictions configured in Argo CD. Never grant non-administrator users any read or write access to the Argo CD namespace.
If non-administrator users create applications, do not allow them to bind to the default AppProject custom resource (CR) because it has no restrictions. Otherwise, the Kubernetes permissions of the Argo CD instance and the default AppProject CR can allow deployment of anything to any location. To avoid this risk, lock down the default AppProject CR so no one can use it by mistake, even if the Argo CD RBAC is misconfigured.

You can create a user-defined Argo CD instance in any namespace, other than the openshift-gitops namespace.

Important

If you want to create a user-defined Argo CD instance within the openshift-gitops namespace, set the DISABLE_DEFAULT_ARGOCD_INSTANCE flag value in the openshift-gitops-operator subscription to "true" and do not name the instance as openshift-gitops.

1.1. Installing a user-defined Argo CD instance
Copy link

To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance.

Prerequisites

You have access to the cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

Log in to the OpenShift Container Platform web console.
In the Administrator perspective of the web console, click Operators → Installed Operators.
Create or select the project where you want to install the user-defined Argo CD instance from the Project list.
Select Red Hat OpenShift GitOps from the installed Operators list and click the Argo CD tab.
Click Create ArgoCD to configure the parameters:
1. Enter the Name of the instance. By default, the Name is set to example.
2. Create an external operating system Route to access Argo CD server. Click Server → Route and check Enabled.
  Tip
  You can alternatively configure YAML to create an external OS Route as shown in the following example:
  Example Argo CD with external OS route created:
  
  apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: example namespace: openshift-gitops spec: server: route: enabled: true
3. Optional: Change the route TLS termination policy by configuring the .spec.server.route.tls field of the Argo CD CR.
  Note
  When configuring custom TLS certificates for Argo CD Server route, avoid using the .spec.server.route.tls.key and .spec.server.route.tls.certificate fields. Use the .spec.server.route.tls.externalCertificate field instead. For more information about configuring a route for custom TLS certificate, see examples in Custom TLS certificates for Routes.
Click Create.
Go to Networking → Routes → <instance_name>-server in the project where the user-defined Argo CD instance is installed.
On the Details tab, click the Argo CD web UI link under Route details → Location. The Argo CD web UI opens in a separate browser window.
Optional: To log in with your OpenShift Container Platform credentials, ensure you are a user of the cluster-admins group and then select the LOG IN VIA OPENSHIFT option in the Argo CD user interface.
Note
To be a user of the cluster-admins group, use the oc adm groups new cluster-admins <user> command, where <user> is the default cluster role that you can bind to users and groups cluster-wide or locally.
Obtain the password for the user-defined Argo CD instance:
1. Use the navigation panel to go to the Workloads → Secrets page.
2. Use the Project list and select the namespace where the user-defined Argo CD instance is created.
3. Select the <argo_CD_instance_name>-cluster instance to display the password.
4. On the Details tab, copy the password under Data → admin.password.
Use admin as the Username and the copied password as the Password to log in to the Argo CD UI in the new window.

1.2. Configuring common cluster roles by specifying user-defined cluster roles for namespace-scoped instances
Copy link

As a cluster administrator, when you give an Argo CD access to a namespace by using the argocd.argoproj.io/managed-by label, the Argo CD assumes namespace-admin privileges. The Red Hat OpenShift GitOps Operator then automatically creates role bindings for all managed namespaces of the following GitOps control plane components:

Argo CD Application Controller
Argo CD server
Argo CD ApplicationSet Controller

When you give namespaces to non-administrator users, for example, development teams, they can use the namespace-admin privileges to modify objects such as network policies. Installing an Argo CD instance in these namespaces gives the development teams admin privileges and indirectly elevates their assigned privileges. These roles are highly privileged and can delete all resources. To reduce this risk, configure common cluster roles with limited permissions in the role bindings that the Operator creates for the Argo CD Application Controller and Argo CD server.

To configure common cluster roles for all managed namespaces, you can specify user-defined cluster roles for the CONTROLLER_CLUSTER_ROLE and SERVER_CLUSTER_ROLE environment variables in the Operator’s Subscription object YAML file. As a result, instead of creating the default admin role, the Operator uses the existing user-defined cluster roles and creates role bindings for all managed namespaces.

Prerequisites

You have logged in to the OpenShift Container Platform cluster as an administrator.
You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

In the Administrator perspective, navigate to Administration → CustomResourceDefinitions.
Find the Subscription custom resource definition (CRD) and click to open it.
Select the Instances tab and click the openshift-gitops-operator subscription.
Select the YAML tab and make your customization:
- Specify the user-defined cluster roles for the CONTROLLER_CLUSTER_ROLE and SERVER_CLUSTER_ROLE environment variables:
  Example Subscription:
  apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: openshift-gitops-operator namespace: openshift-gitops-operator spec: config: env: - name: CONTROLLER_CLUSTER_ROLE value: gitops-controller-role - name: SERVER_CLUSTER_ROLE value: gitops-server-role
  where:
  metadata.name
  Specifies the name of the Subscription resource.
  metadata.namespace
  Specifies the namespace where the Subscription resource is created.
  spec.config.env
  Specifies environment variables that are passed to the Operator.
  spec.config.env[].name
  Specifies the name of the environment variable.
  spec.config.env[].value
  Specifies the value assigned to the environment variable.
  Tip
  You can also inject the preceding environment variables directly into the Operator’s Deployment object YAML file.

1.3. Enabling replicas for Argo CD server and repo server
Copy link

Argo CD-server and Argo CD-repo-server workloads are stateless. To better distribute your workloads among pods, you can increase the number of Argo CD-server and Argo CD-repo-server replicas. However, if a horizontal autoscaler is enabled on the Argo CD-server, it overrides the number of replicas you set.

Procedure

Set the replicas parameters for the repo and server spec to the number of replicas you want to run:

Example Argo CD custom resource:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: repo
spec:
  repo:
    replicas: <number_of_replicas>
  server:
    replicas: <number_of_replicas>
    route:
      enabled: true
      path: /
      tls:
        insecureEdgeTerminationPolicy: Redirect
        termination: passthrough
      wildcardPolicy: None

1.4. Deploying resources to a different namespace
Copy link

To allow Argo CD to manage resources in other namespaces apart from where it is installed, configure the target namespace with a argocd.argoproj.io/managed-by label.

Procedure

Configure the target namespace by running the following command:
```
$ oc label namespace <target_namespace> \
argocd.argoproj.io/managed-by=<argocd_namespace>
```
where:
<target_namespace>
Specifies the name of the namespace you want Argo CD to manage.
<argocd_namespace>
Specifies the name of the namespace where Argo CD is installed.

1.5. Customizing the Argo CD console link
Copy link

In a multitenant cluster, users might have to deal with many instances of Argo CD. After installing an Argo CD instance in your namespace, the Argo CD console link in the Console Application Launcher might open another Argo CD instance.

You can customize the Argo CD console link by setting the DISABLE_DEFAULT_ARGOCD_CONSOLELINK environment variable:

When you set DISABLE_DEFAULT_ARGOCD_CONSOLELINK to true, the Argo CD console link is permanently deleted.
When you set DISABLE_DEFAULT_ARGOCD_CONSOLELINK to false or use the default value, the Argo CD console link is temporarily deleted and visible again when the Argo CD route is reconciled.

Prerequisites

You have logged in to the OpenShift Container Platform cluster as an administrator.
You have installed the Red Hat OpenShift GitOps Operator.

Procedure

In the Administrator perspective, navigate to Administration → CustomResourceDefinitions.
Find the Subscription CRD and click to open it.
Select the Instances tab and click the openshift-gitops-operator subscription.

Select the YAML tab and make your customization:

To enable or disable the Argo CD console link, edit the value of DISABLE_DEFAULT_ARGOCD_CONSOLELINK as needed:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-gitops-operator
spec:
  config:
    env:
    - name: DISABLE_DEFAULT_ARGOCD_CONSOLELINK
      value: 'true'

1.6. Configuring ImagePullPolicy
Copy link

The GitOps Operator lets administrators configure imagePullPolicy at multiple levels to control how Argo CD components pull container images.

The imagePullPolicy configuration follows a hierarchical precedence system, where the most specific configuration takes priority:

Instance-level policy - Defined in the Argo CD CR by using the spec.imagePullPolicy field.
Global-level policy - Defined through the IMAGE_PULL_POLICY environment variable in the GitOps Operators Subscription.
Default policy - IfNotPresent is used when neither of the earlier configurations are specified.

Expand

Value	Description
`Always`	Always pull the image.
`IfNotPresent`	Pull the image only if it is not present locally.
`Never`	Never pull the image.

You can define a global image pull policy for all Argo CD instances managed by the Operator by setting the IMAGE_PULL_POLICY environment variable in the Operator’s Subscription. For example:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-gitops-operator
spec:
  config:
    env:
      - name: IMAGE_PULL_POLICY
        value: "Always"

An instance-level configuration overrides the Operator-level policy and applies the configuration only to the specific instance defined in the CR.

The following example shows how to configure imagePullPolicy for all the components in an Argo CD instance.

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
  namespace: argocd
spec:
  imagePullPolicy: IfNotPresent

The following example shows how to define imagePullPolicy for all the components in a GitOpsService instance.

apiVersion: pipelines.openshift.io/v1alpha1
kind: GitOpsService
metadata:
  name: gitops-service
  namespace: openshift-gitops
spec:
  imagePullPolicy: Always

The following example shows how to set imagePullPolicy for all the components in a RolloutsManager instance.

apiVersion: argoproj.io/v1alpha1
kind: RolloutManager
metadata:
  name: argo-rollout
  labels:
    example: basic
spec:
  imagePullPolicy: Always

By configuring the imagePullPolicy at an appropriate level, you can control how often container images are updated for your GitOps components.

Chapter 2. Argo CD custom resource and component properties
Copy link

The Argo CD custom resource is a Kubernetes Custom Resource (CRD) that describes the desired state for a given Argo CD cluster and allows you to configure the components which make up an Argo CD cluster.

2.1. Argo CD custom resource properties
Copy link

The Argo CD Custom Resource consists of the following properties:

Expand

Name	Description	Default	Properties
`aggregatedClusterRoles`	Use aggregated cluster roles for the Argo CD Application Controller component of a cluster-scoped instance.	`false`
`applicationInstanceLabelKey`	The `metadata.label` key name where Argo CD injects the app name as a tracking label.	`app.kubernetes.io/instance`
`applicationSet`	The ApplicationSet Controller configuration options.	object	`annotations` - List of custom annotations to add to pods deployed by the Operator. This field is optional. `enabled` - The flag to use to enable the ApplicationSet Controller during the Argo CD installation. `env` - Specify the environment for ApplicationSet Controller pods. `extraCommandArgs` - List of additional arguments added to the existing arguments set by the Operator for the `ApplicationSet` workload. `image` - The container image for the ApplicationSet Controller. This property overrides the `ARGOCD_APPLICATIONSET_IMAGE` environment variable. `labels` - List of custom labels to add to pods deployed by the Operator. This field is optional. `logLevel` - The log level used by the Argo CD Application Controller component. Valid options are `debug`, `info`, `error`, and `warn`. `logFormat` - The log format used by the Argo CD Application Controller component. Valid options are `text` and `json`. `parallelismLimit` - The kubectl parallelism limit to set for the controller (the `--kubectl-parallelism-limit` flag). `resources` - The container compute resources. `scmProviders` - The URLs of the allowed Source Code Manager (SCM) providers. `scmRootCAConfigMap` - The name of the config map that stores the Gitlab SCM Provider’s TLS certificate that will be mounted on the Application Set Controller at the "/app/tls/scm/cert" path. `sourceNamespaces` - The list of non-control plane namespaces for creating and managing Argo CD `ApplicationSet` resources in target namespaces. `version` - The tag to use with the `applicationSet` container image. `volumes` - List of addition volumes configured for the Argo CD `ApplicationSet` Controller component. This field is optional. `volumeMounts` - List of addition volume mounts configured for the Argo CD `ApplicationSet` Controller component. This field is optional. `webhookServer` - Defines the available options for the ApplicationSet webhook server.
`banner`	Adds a UI banner message.	object	`banner.content` - The banner message content. This content is required if a banner is displayed. `banner.url` - An optional banner message link URL.
`configManagementPlugins`	Adds a configuration management plugin.	empty
`controller`	Argo CD Application Controller options.	object	`annotations` - List of custom annotations to add to pods deployed by the Operator. This field is optional. `appSync` - AppSync is used to control the sync frequency of Argo CD applications. `env` - Environment to set for the application controller workloads. `extraCommandArgs` - List of arguments added to the existing arguments set by the Operator. `initContainers` - List of `init` containers for the ArgoCD Application Controller component. This field is optional. `labels` - List of custom labels to add to pods deployed by the Operator. This field is optional. `logLevel` - The log level used by the Argo CD Application Controller component. Valid options are `debug`, `info`, `error`, and `warn`. `processors.operation` - The number of operation processors. `processors.status` - The number of status processors. `resources` - The container compute resources. `sidecarContainers` - List of `sidecar` containers for the ArgoCD Application Controller component. This field is optional. `sharding.enabled` - Enable sharding on the Argo CD Application Controller component. Use this property to manage a large number of clusters and relieve memory pressure on the controller component. `sharding.replicas` - The number of replicas that are used to support sharding of the Argo CD Application Controller. `sharding.dynamicScalingEnabled` - Enables the dynamic scaling of the Argo CD Application Controller component. Use this property if you want the Operator to scale the number of replicas based on the number of clusters the controller component is managing. If you set this property to `true`, it overrides the configuration of the `sharding.enabled` and `sharding.replicas` properties. `sharding.minShards` - The minimum number of Argo CD Application Controller replicas. `sharding.maxShards` - The maximum number of Argo CD Application Controller replicas. `sharding.clustersPerShard` - The number of clusters that need to be managed by each shard. When the replica count reaches the `maxShards`, the shards manage more than one cluster. `volumes` - List of addition volumes configured for the Argo CD Application Controller component. This field is optional. `volumeMounts` - List of addition volume mounts configured for the Argo CD Application Controller component. This field is optional.
`disableAdmin`	Disables the built-in admin user.	`false`
`defaultClusterScopedRoleDisabled`	Disables the creation of default cluster roles for a cluster-scoped instance.	`false`
`extraConfig`	Add any supplementary Argo CD settings to the `argocd-cm` config map that cannot be configured directly within the Argo CD custom resource.	empty
`gaTrackingID`	Use a Google Analytics tracking ID.	empty
`gaAnonymizeUsers`	Enable hashed usernames sent to Google Analytics.	`false`
`ha`	High-availability options.	object	`enabled` - Toggle high-availability support globally for Argo CD. `redisProxyImage` - The Redis HAProxy container image. This property overrides the `ARGOCD_REDIS_HA_PROXY_IMAGE` environment variable. `redisProxyVersion` - The tag to use for the Redis HAProxy container image.
`helpChatURL`	URL for getting chat help (this is typically your Slack channel for support).	`https://mycorp.slack.com/argo-cd`
`helpChatText`	The text that appears in a text box for getting chat help.	`Chat now!`
`image`	The container image for all Argo CD components. This overrides the `ARGOCD_IMAGE` environment variable.	`registry.redhat.io`
`import`	Import configuration options for Argo CD.	object	`name` - The name of an `ArgoCDExport` resource from which data can be imported. `namespace` - The namespace for the `ArgoCDExport` resource referenced by `name` field. If this field is not set, the namespace of `ArgoCDExport` resource is set to the same namespace as Argo CD by default.
`ingress`	Ingress configuration options.	object
`initialSSHKnownHosts`	Defines the initial SSH Known Hosts data for Argo CD to use at cluster creation to connect to Git repositories through SSH.	`default_Argo_CD_Known_Hosts`	`excludedefaulthosts` - Indicates whether you want to add the default list of SSH Known Hosts provided by Argo CD. `keys` - Describes a custom set of SSH Known Hosts that you want to incorporate into your Argo CD server.
`kustomizeBuildOptions`	The build options and parameters to use with `kustomize build`.	empty
`kustomizeVersions`	Defines a list of `Kustomize` versions that are configured in the Argo CD repo server container image.	empty	`path` - The path of the `Kustomize` version in the file system of the Argo CD repo server container image. `version` - The `Kustomize` version in the `vX.Y.Z` format configured in the Argo CD repo server container image.
`monitoring`	Defines the workload status monitoring configuration for your instance.	object	`disableMetrics` - Configure this field to enable or disable the collection of metrics for your instance. `enabled` - Indicates whether the workload status monitoring is enabled for your instance.
`notifications`	Notifications Controller configuration options.	object	`enabled` - The toggle to start the Notifications Controller. `env` - The environment to set for the Notifications Controller workloads. `image` - The container image for all Argo CD components. This property overrides the `ARGOCD_IMAGE` environment variable. `logLevel` - The log level used by the Argo CD Application Controller component. Valid options are `debug`, `info`, `error`, and `warn`. `replicas` - The number of replicas to be run for the Notifications Controller. `resources` - The container compute resources. `version` - The tag to use with the Notifications container image.
`nodePlacement`	Defines `NodeSelectors` and `Tolerations` for Argo CD workloads.	empty	`nodeSelector` - A map of key-value pairs for node selection. `tolerations` - Tolerations allow pods to create a schedule for nodes with matching taints.
`oidcConfig`	The OIDC configuration as an alternative to Dex.	empty
`prometheus`	Prometheus configuration options.	object	`enabled` - Toggle Prometheus support globally for Argo CD. `host` - The hostname to use for `Ingress` or `Route` resources. `ingress` - Toggles ingress for Prometheus. `route` - Route configuration options. `size` - The replica count for the Prometheus `StatefulSet`.
`rbac`	RBAC configuration options.	object	`defaultPolicy` - The `policy.default` property in the `argocd-rbac-cm` config map. The name of the default role that Argo CD falls back to when authorizing API requests. `policy` - The `policy.csv` property in the `argocd-rbac-cm` config map. This property includes CSV data about user-defined RBAC policies and role definitions. `policyMatcher` - The `policy.matchMode` property in the `argocd-rbac-cm` config map. This property has two options: 'glob' for glob matcher and 'regex' for regex matcher. `scopes` - The scopes property in the `argocd-rbac-cm` config map. Controls which OIDC scopes to examine during RBAC enforcement, in addition to sub scope.
`redis`	Redis configuration options.	object	`autotls` - Use the provider to create the Redis server’s TLS certificate. Only the `openshift` value is currently available. `disableTLSVerification` - Defines whether the Redis server should be accessed using strict TLS validation. `image` - The container image for Redis. This overrides the `ARGOCD_REDIS_IMAGE` environment variable. `resources` - The container compute resources. `version` - The tag to use with the Redis container image.
`resourceActions`	Customize resource action behavior.	empty
`resourceExclusions`	Completely ignore entire classes of resource group.	empty
`resourceInclusions`	The configuration to identify which resource group/kinds are applied.	empty
`resourceHealthChecks`	Customize resource health check behavior.	empty
`resourceIgnoreDifferences`	Customize resource ignore difference behavior.	empty
`resourceTrackingMethod`	The field used by Argo CD to monitor its managed resources.	`label`
`server`	Argo CD Server configuration options.	object	`annotations` - List of custom annotations to add to pods deployed by the Operator. This field is optional. `autoscale` - Server autoscale configuration options. `env` - Environment to set for the server workloads. `enabled` - The flag to enable Argo CD server during the Argo CD installation. `enableRolloutsUI` - When the parameter is set to `true`, the parameter enables the Argo Rollouts UI extension in Argo CD. The default value is set to `false`. `extraCommandArgs` - List of arguments added to the existing arguments set by the Operator. `grpc` - gRPC configuration options. `host` - The hostname used for `Ingress` or `Route` resources. `initContainers` - List of `init` containers for the Argo CD Application Controller component. This field is optional. `ingress` - Ingress configuration for the Argo CD server component. `insecure` - Toggles the insecure flag for Argo CD server. `labels` - List of custom labels to add to pods deployed by the Operator. This field is optional. `logLevel` - The log level to be used by the Argo CD server component. Valid options are `debug`, `info`, `error`, and `warn`. `logFormat` - The log format used by the Argo CD server component. Valid options are `text` and `json`. `resources` - The container compute resources. `replicas` - The number of replicas for the Argo CD server. Must be greater than or equal to `0`. If `autoscale` is enabled, `replicas` is ignored. `route` - Route configuration options. `service.Type` - The `serviceType` used for the service resource. `sidecarContainers` - List of `sidecar` containers for the Argo CD Application Controller component. This field is optional. `volumes` - List of addition volumes configured for the Argo CD Application Controller component. This field is optional. `volumeMounts` - List of addition volume mounts configured for the Argo CD Application Controller component. This field is optional.
`sourceNamespaces`	Specifies the namespaces within which you can create application resources.	`string`
`sso`	Single Sign-on options.	object	`dex` - Configuration options for Dex SSO provider. `provider` - The name of the provider used to configure Single Sign-on. Currently, the supported option is Dex.
`statusBadgeEnabled`	Enable application status badge.	`true`
`tls`	TLS configuration options.	object	`ca.configMapName` - The name of the `ConfigMap` which contains the CA certificate. `ca.secretName` - The name of the secret which contains the CA certificate and key. `initialCerts` - Initial set of certificates in the `argocd-tls-certs-cm` config map for connecting Git repositories through HTTPS.
`usersAnonymousEnabled`	Enables anonymous user access.	`true`
`version`	The tag to use with the container image for all Argo CD components.		Latest GitOps Version

2.2. Repo server properties
Copy link

The following properties are available for configuring the repo server component:

Expand

Name	Default	Description
`annotations`	empty	List of custom annotations to add to pods deployed by the Operator. This field is optional.
`autotls`	`""`	Provider to use to set up TLS for the repo-server’s gRPC TLS certificate. Currently, only the `openshift` value is acceptable.
`env`	empty	The environment to set for the Repo server workloads.
`enabled`	empty	Flag that enables the Repo server during Argo CD installation.
`execTimeout`	`180`	Execution timeout in seconds for rendering tools, for example, Helm or Kustomize.
`extraRepoCommandArgs`	`empty`	Passes command-line arguments to the Repo server workload. The command-line arguments are added to the list of arguments set by the Operator.
`initContainers`	`empty`	The number of `init` containers in the Argo CD Application Controller component. This field is optional.
`image`	`registry.redhat.io`	The container image for Argo CD Repo server. This property overrides the `ARGOCD_REPOSERVER_IMAGE` environment variable.
`labels`	`empty`	List of custom labels to add to pods deployed by the Operator. This field is optional.
`logLevel`	`info`	The log level used by the Argo CD Repo server. Valid options are `debug`, `info`, `error`, and `warn`.
`logFormat`	`text`	The log format to be used by the Argo CD repo server. Valid options are `text` and `json`.
`mountsatoken`	`false`	Defines whether the `serviceaccount` token should be mounted to the repo-server pod.
`remote`	empty	Specifies the remote URL of the Repo server container.
`replicas`	empty	The number of replicas for the Argo CD Repo server. Must be greater than or equal to `0`.
`resources`	empty	The container compute resources.
`serviceaccount`	`""`	The name of the `serviceaccount` to use with the repo-server pod.
`sidecarContainers`	empty	The number of `sidecar` containers in the Argo CD Application Controller component. This field is optional.
`systemCAtrust`	`empty`	Enables the use of custom CA certificates so that the repo server and its plugins can trust external source hosting sites.
`verifytls`	`false`	Defines whether to enforce strict TLS checking on all components when communicating with repo server.
`version`	same as `.spec.Version`	The tag to use with the Argo CD Repo server.
`volumes`	empty	Configures additional volumes used for the Repo server deployment. This field is optional.
`volumeMounts`	empty	Configures additional volume mounts used for the Repo server deployment. This field is optional.

2.2.1. Configure TLS trust for the repo server
Copy link

You can configure the repo server to trust additional certificate authorities (CAs) by injecting custom TLS certificates into the repo server container and its Config Management Plugin sidecar containers.

The certificates can be provided through Kubernetes secrets and config maps.

The following example shows how to configure additional trusted certificates in the Argo CD custom resource.

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: repo
spec:
  repo:
    systemCATrust:
      secrets:
        - name: my-local-cert-secret
          items:
            - key: key-name-in-the-secret-object
              path: desired-file-name-of-the-certificate.crt
      configMaps:
        - name: my-local-cert-cm
          items: []

where:

spec.repo:: Configures settings for the Argo CD repo server component.
spec.repo.systemCATrust:: Defines additional certificate authorities that the repo server trusts.
spec.repo.systemCATrust.secrets:: Specifies kubernetes secrets that contain custom CA certificates.
spec.repo.systemCATrust.configMaps:: References config maps containing CA certificates to trust.

Consider the following behavior and configuration details when using this feature:

Certificates are not pinned to individual hosts, allowing the use of CA or wildcard certificates.
The injected certificates are configured directly inside the container, enabling more advanced plugin workflows. For example:
- Kustomize can invoke Helm charts hosted on different repositories.
- Kustomize can retrieve resources from other repositories or sources over HTTPS.
- Config Management Plugins can invoke TLS-enabled tools available in the container image with TLS verification enabled.

Certificates from secrets or config maps must exist in the same namespace as the Argo CD instance. You can either map specific keys using the items field or include all keys by omitting the items field.

You can mark a trust source as optional. If a required source is missing, the deployment fails.

Unless spec.repo.systemCATrust.dropImageCertificates is set to true, the certificates provided by the user are merged with the certificates already included in the container image.

2.3. Enabling notifications with an Argo CD instance
Copy link

Argo CD notifications allow you to send notifications to external services when events occur in your Argo CD instance. For example, you can send notifications to Slack or email when a sync operation fails. By default, notifications are disabled in Argo CD instances.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges and are logged in to the web console.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.

Procedure

To enable notifications for an Argo CD instance using the OpenShift Container Platform web console, complete the following steps:

Navigate to the Operators → Installed Operators page.
From the list of Installed Operators, select the Red Hat OpenShift GitOps Operator, and then click on the ArgoCD tab.
Select the Argo CD instance name you want to enable notifications. For example, openshift-gitops.

Click on the YAML tab, and then edit and set the spec.notifications.enabled parameter to true:

Example:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
spec:
  notifications:
    enabled: true
#....

Click Save.

Tip

Alternatively, you can enable notifications by using the oc patch command in the OpenShift CLI. For example:

oc patch argocd openshift-gitops -n openshift-gitops --type merge --patch '{"spec": {"notifications": {"enabled": true}}}'

2.4. Enabling Config Management Plugins in an Argo CD CR
Copy link

Argo CD provides support for Helm, Jsonnet, and Kustomize as built-in config management tools. To use a different config management tool, or to enable features not provided by the built-in config management tools, you can use the Config Management Plugin (CMP).

In Argo CD, the CMP is specified as a sidecar container for the Argo CD repo server container. For more information, see "Config Management Plugins".

In the Red Hat OpenShift GitOps Operator, you can configure the Config Management plugin as a sidecar container in the Argo CD custom resource (CR). When you configure the sidecar container, you either specify an off-the-shelf or a custom-built container image. If you do not specify an image, the system uses the same image as the repo server for the plugin.

To configure a sidecar container in the Red Hat OpenShift GitOps Operator, add the .spec.repo.sidecarContainers key in the Argo CD CR.

Example Config Management Plugin configuration:

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
 name: <my_argocd>
spec:
 repo:
   sidecarContainers:
     - name: <my_cmp>
       command: [/var/run/argocd/argocd-cmp-server]
       image: <my_image>
       securityContext:
         runAsNonRoot: <true>
         runAsUser:


       volumeMounts:
         - mountPath: /var/run/argocd
           name: <var_files>
         - mountPath: /home/argocd/cmp-server/plugins
           name: plugins
         - mountPath: /tmp
           name: tmp
         - mountPath: /home/argocd/cmp-server/config/plugin.yaml
           subPath: <plugin.yaml>
           name: <cmp_plugin>

where:

metadata.name: Specifies the name of an Argo CD CR instance.
spec.repo.sidecarContainers.name: Specifies the name of a sidecar container used in the repo server.
spec.repo.sidecarContainers.volumeMounts: Specifies the name of volume mounts used in the repo server.

2.5. NotificationsConfiguration custom resource properties
Copy link

The NotificationsConfiguration resource is a Kubernetes custom resource (CR) that manages notifications in a Kubernetes cluster. In Red Hat OpenShift GitOps, you can add templates, triggers, services, and subscription resources to an Argo CD Notifications config map by using the NotificationsConfiguration CR.

When you create a cluster in Red Hat OpenShift GitOps with notifications enabled, a NotificationsConfiguration CR is created by default with the name default-notifications-configuration.

Any change made in the existing configuration of the NotificationsConfiguration CR is replicated in the Argo CD Notifications config map. For example, if the user adds trigger configuration in the NotificationsConfiguration resource, this configuration is read, processed, and updated in the Argo CD Notifications config map.

Important

Any configuration changes must be updated in the default-notifications-configuration CR. Custom resources created by the users for NotificationsConfiguration resource are not supported.

Any modification to the Argo CD argocd-notifications-cm config map is overridden by the changes made in the NotificationsConfiguration CR.

Expand

Table 2.1. NotificationsConfiguration custom resource properties
Properties	Default	Description
Templates	`<empty>`	Templates are used to generate the notification template message.
Triggers	`<empty>`	Triggers are used to define the condition when a notification is sent to the user and the list of templates required to generate the message.
Services	`<empty>`	Services are used to deliver a message.
Subscriptions	`<empty>`	Subscriptions contain centrally-managed global application subscriptions.

The following examples define how to add templates, triggers, services, and subscription resources to the Argo CD argocd-notification-cm config map by using the default-notifications-configuration custom resource.

Example for templates:

apiVersion: argoproj.io/v1alpha1
kind: NotificationsConfiguration
metadata:
 name: default-notifications-configuration
spec:
 templates:
  template.my-custom-template: |
    message: |
     Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.

where:

metadata.name: Specifies the default name of the NotificationsConfiguration CR in a cluster.
spec.template.my-custom-template: Specifies an example custom template configuration for the NotificationsConfiguration CR.

Example for triggers:

apiVersion: argoproj.io/v1alpha1
kind: NotificationsConfiguration
metadata:
 name: default-notifications-configuration
spec:
 triggers:
  trigger.on-sync-status-unknown: |
   - when: app.status.sync.status == 'Unknown'
   send: [my-custom-template]

where:

metadata.name: Specifies the default name of the NotificationsConfiguration CR in a cluster.
spec.trigger.on-sync-status-unknown: Specifies an example custom trigger configuration for the NotificationsConfiguration CR.

Example for services:

apiVersion: argoproj.io/v1alpha1
kind: NotificationsConfiguration
metadata:
 name: default-notifications-configuration
spec:
 services:
  service.slack: |
    token: $slack-token
    username: <override-username> # optional username
    icon: <override-icon> # optional icon for the message (supports both emoji and url notation)

where:

metadata.name: Specifies the default name of the NotificationsConfiguration CR in a cluster.
spec.service.slack: Specifies an example custom service configuration for the NotificationsConfiguration CR.

Example for subscriptions:

apiVersion: argoproj.io/v1alpha1
kind: NotificationsConfiguration
metadata:
 name: default-notifications-configuration
spec:
 subscriptions:
  subscriptions: |
    # subscription for on-sync-status-unknown trigger notifications
    - recipients:
      - slack:test2
      - email:test@gmail.com
      triggers:
      - on-sync-status-unknown
    # subscription restricted to applications with matching labels only
    - recipients:
      - slack:test3
      selector: test=true
      triggers:
      - on-sync-status-unknown

where:

metadata.name: Specifies the default name of the NotificationsConfiguration CR in a cluster.
spec.subscriptions: Specifies an example custom subscription configuration for the NotificationsConfiguration CR.

You can configure the NotificationsConfiguration CR by using the OpenShift Container Platform web console or the CLI (oc).

2.5.1. Configuring the NotificationsConfiguration CR by using the web console
Copy link

You can configure the NotificationsConfiguration custom resource (CR) by using the web console.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges and are logged in to the web console.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled notifications for the Argo CD instance. For more information, see "Enabling notifications with an Argo CD instance".

Procedure

In the Administrator perspective of the OpenShift Container Platform web console, expand Operators → Installed Operators.
From the list of Installed Operators, select the Red Hat OpenShift GitOps Operator, and then click on the NotificationsConfiguration tab.
On the NotificationsConfigurations page, click default-notifications-configuration.
On the default-notifications-configuration page, click YAML and add the configuration for any supported resources such as templates, triggers, services, and subscriptions. For example, under templates in the code, add the following sample configuration:
Example template configuration:
```
  template.my-custom-template: |
    message: |
    Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
```
Click Save.
Verify that the configuration changes made in the NotificationsConfiguration CR are reflected in the argocd-notifications-cm config map:
1. Go to Workloads → ConfigMaps.
2. Click argocd-notifications-cm and select the YAML tab.
3. Scroll through the page in the YAML tab to verify the sample configuration added for the supported resources.

2.5.2. Configuring the NotificationsConfiguration CR by using the CLI
Copy link

You can configure the NotificationsConfiguration custom resource (CR) by using the CLI (oc).

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled notifications for the Argo CD instance. For more information, see "Enabling notifications with an Argo CD instance".

Procedure

Edit the default NotificationsConfiguration CR in the cluster by running the following command:
```
$ oc edit notificationsconfiguration default-notifications-configuration -n <namespace>
```
where:
default-notifications-configuration
Specifies the name of the default NotificationsConfiguration CR.
<namespace>
Specifies the name of the namespace.

Under the templates section of the CR, add a configuration similar to the following example:

Example template configuration:

  template.my-custom-template: |
    message: |
    Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.

Verify the contents of the argocd-notifications-cm config map by running the following command:
```
$ oc edit cm argocd-notifications-cm -n <namespace>
```
The changes made in the existing configuration of the NotificationsConfiguration CR are reflected in the argocd-notifications-cm config map.

2.6. Configuring notifications in any Namespace
Copy link

By default, Argo CD manages notification configuration only within the control plane namespace. With Red Hat OpenShift GitOps Operator, cluster administrators can enable teams to manage notification settings for their applications from additional namespaces.

To enable this functionality, configure the target namespaces in the Argo CD custom resource (CR). The Red Hat OpenShift GitOps Operator reconciles the corresponding notification resources only for namespaces that are explicitly defined in the ArgoCD CR.

Note

To enable notification configuration in a namespace, you must add the namespace to the following fields in the Argo CD CR:

.spec.sourceNamespaces: Enables the Apps in Any Namespace feature for the Application controller.
.spec.notifications.sourceNamespaces: Allows the Notifications controller to read configuration from that namespace.

If a namespace is not included in these fields, notification configuration for that namespace is not processed.

Procedure

List the ArgoCD CRs in the cluster:
```
$ oc get argocd -A
```

Edit the target ArgoCD CR:

$ oc edit argocd <cr_name> -n <namespace>

Under the spec section, add each target namespace to the sourceNamespaces and notifications.sourceNamespaces fields.
The following example enables the example-argocd instance to manage applications and notification configurations in the foo namespace:
```
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  sourceNamespaces:
    - foo
  notifications:
    enabled: true
    sourceNamespaces:
      - foo
```

Verification

Verify that the Argo CD instance recognizes the updated sourceNamespaces configuration by checking the settings in the Argo CD CR.

2.6.1. Understanding configuration notifications behavior across namespaces
Copy link

When the Configuring notifications in any namespace feature is enabled, the Red Hat OpenShift GitOps Operator performs additional actions to support delegated notification configuration. For each delegated namespace, the Red Hat OpenShift GitOps Operator automatically creates a NotificationsConfiguration custom resource (CR) named default-notifications-configuration. Application teams can update this CR to define or modify their notification settings.

The Notifications controller determines which configuration to apply by using the following resolution behavior:

The controller first checks for the delegated NotificationsConfiguration CR or the corresponding config map (argocd-notifications-cm) and Secret (argocd-notification-secret) in the namespace of the application.
If no delegated configuration is found, the controller falls back to the central configuration resources (ConfigMap and Secret) defined in the control plane namespace.

To enable this model, the Red Hat OpenShift GitOps Operator creates a Role and a RoleBinding in each delegated namespace, granting the Notifications controller permission to read ConfigMaps and Secrets. The Red Hat OpenShift GitOps Operator also applies the argocd.argoproj.io/notifications-managed-by-cluster-argocd label to each delegated namespace.

2.7. Enabling annotation-based resource tracking in Argo CD
Copy link

Red Hat OpenShift GitOps Operator enhances multi-instance support by improving annotation-based resource tracking in Argo CD.Multiple Argo CD instances can use annotation-based tracking by assigning each instance a unique installationID, which enables them to correctly differentiate resources with identical application names, prevent conflicts, avoid infinite sync loops, and operate safely in parallel.

You can perform the following actions by using the OpenShift Container Platform web console:

Set up multiple Argo CD instances
Configure annotation-based tracking by associating them with namespaces
Verify deployments

Note

Each Argo CD instance must have a unique installationID to prevent resource tracking conflicts.
Ensure that namespaces are labeled accurately because it allows each Argo CD instance to manage only the intended resources.
If multiple instances have applications with the same name, set resource tracking to annotation+label.
If issues arise, check the Argo CD Application status and logs in the OpenShift Container Platform web console.

2.7.1. Configuring annotation-based tracking in multiple Argo CD instances
Copy link

You can configure annotation-based tracking in multiple Argo CD instances.

Note

This procedure uses the following example values:

repoURL: https://github.com/redhat-developer/gitops-operator
server: https://kubernetes.default.svc

When you follow these steps, replace the example values with the actual values.

Prerequisites

You have logged in to the OpenShift Container Platform cluster as an administrator.
You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

Log in to the OpenShift Container Platform web console.
In the Administrator perspective of the web console, click Operators → Installed Operators.
- In the Project list, create or select the project where you want to install the user-defined Argo CD instance.
Select Red Hat OpenShift GitOps from the installed Operators list and click the Argo CD tab.
To create two Argo CD instances, click Create ArgoCD and create two YAML files similar to the following examples:
Example first Argo CD instance with an annotation label:
```
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd-instance-demo-1
  namespace: argocd-test-demo-1
spec:
  installationID: "instance-demo-1"
  resourceTrackingMethod: "annotation+label"
```
where:
metadata.name
Specifies the name of the first Argo CD instance.
metadata.namespace
Specifies the namespace used for the first Argo CD instance.
spec.installationID
Specifies the name of the installationID object for the first Argo CD instance.
Example second Argo CD instance with an annotation label:
```
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd-instance-demo-2
  namespace: argocd-test-demo-2
spec:
  installationID: "instance-demo-2"
  resourceTrackingMethod: "annotation+label"
```
where:
metadata.name
Specifies the name of the second Argo CD instance.
metadata.namespace
Specifies the namespace used for the second Argo CD instance.
spec.installationID
Specifies the name of the installationID object for the second Argo CD instance.
Configure and label target namespaces to associate namespaces with their Argo CD instances.
1. Navigate to Administration → Namespaces.
2. Create namespaces for application deployments, app-ns-1 and app-ns-2.
3. Associate each namespace with their respective Argo CD instance:
  1. Associate the app-ns-1 namespace with the argocd-test-demo-1 Argo CD instance by running the following command:
    Example command:
    
    $ oc label namespace app-ns-1 argocd.argoproj.io/managed-by=argocd-test-demo-1
  2. Associate the app-ns-2 namespace with the argocd-test-demo-2 Argo CD instance by running the following command:
    Example command:
    
    $ oc label namespace app-ns-2 argocd.argoproj.io/managed-by=argocd-test-demo-2

Create two applications in Argo CD.

In the OpenShift Container Platform web console, go to Operators → Installed Operators → OpenShift GitOps Operator.
Select Argo CD and navigate to the Applications tab.
Click Create Application.

Enter the following YAML snippet to create two applications in Argo CD.

Example first application using Argo CD:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sprint-petclinic
  namespace: argocd-test-demo-1
spec:
  project: default
  source:
    repoURL: https://github.com/redhat-developer/gitops-operator
    path: test/examples/nginx
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: app-ns-1
  syncPolicy:
    automated: {}

where:

metadata.name: Specifies the name of the first application.
metadata.namespace: Specifies the namespace used for the first application.

Example second application using Argo CD:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sprint-petclinic
  namespace: argocd-test-demo-2
spec:
  project: default
  source:
    repoURL: https://github.com/redhat-developer/gitops-operator
    path: test/examples/nginx
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: app-ns-2
  syncPolicy:
    automated: {}

where:

metadata.name: Specifies the name of the second application that is created with the same name as the first application.
metadata.namespace: Specifies the namespace used for the second application.

Verification

Navigate to Workloads → Pods in the OpenShift Container Platform web console.
Ensure that the pods for Argo CD instances argocd-instance-demo-1 and argocd-instance-demo-2 are running.
Check the application synchronization status in the Argo CD Applications YAML tab.
Navigate to the argocd-cm config map in argocd-test-demo-1 and argocd-test-demo-2 namespaces and verify that the installationID object is configured successfully.

Chapter 3. Configure webhook secrets for Git providers
Copy link

You can configure webhook secrets for Git providers declaratively by using the Argo CD custom resource (CR). This allows you to manage webhook credentials alongside your GitOps configuration instead of manually updating the argocd-secret secret.

3.1. Declarative webhook secrets for Git providers
Copy link

Argo CD uses webhook secrets to validate incoming webhook requests from Git providers. You can configure webhook secrets declaratively by using the spec.webhookSecrets field in the Argo CD custom resource (CR).

Using declarative webhook secrets provides the following benefits:

Manage webhook secrets together with Argo CD configuration
Integrate with Kubernetes secret management tools, such as Sealed Secrets or External Secrets Operator
Simplify operations by allowing the Red Hat OpenShift GitOps Operator to synchronize referenced secret values to the argocd-secret secret
Configure webhook secrets for multiple Git providers in a single ArgoCD CR

When you configure spec.webhookSecrets, the Red Hat OpenShift GitOps Operator automatically populates the required keys in the argocd-secret secret that Argo CD uses internally.

Important

The referenced Secret resource must exist in the same namespace as the Argo CD CR. Cross-namespace secret references are not supported.

The following Git providers are supported for declarative webhook secret configuration:

Expand

Provider	Field in `spec.webhookSecrets`	Required secret reference
GitHub	`github`	`webhookSecretRef`
GitLab	`gitlab`	`webhookSecretRef`
Bitbucket Cloud	`bitbucket`	`webhookUUIDSecretRef`
Bitbucket Server	`bitbucketServer`	`webhookSecretRef`
Gogs	`gogs`	`webhookSecretRef`
Azure DevOps	`azureDevOps`	`usernameSecretRef` and `passwordSecretRef`

Note

When spec.webhookSecrets is configured, the Red Hat OpenShift GitOps Operator synchronizes webhook secret values only for the declared providers. Webhook keys for providers that are not declared in spec.webhookSecrets might be removed from the argocd-secret secret.

Important

Do not store plain-text secrets in Git repositories. Use secret management solutions, such as sealed secrets or external secrets Operator, to manage sensitive data securely.

3.2. Create webhook secrets using the Argo CD CR
Copy link

You can configure webhook secrets for Git providers by creating a Kubernetes Secret resource and referencing it in the Argo CD custom resource (CR).

Prerequisites

You have installed the Red Hat OpenShift GitOps Operator.
You have created an ArgoCD instance.
You have configured a webhook in your Git provider.

Procedure

Create a Secret resource in the same namespace as the ArgoCD CR and configure the spec.webhookSecrets field in the ArgoCD CR.

The following example configures a webhook secret for GitHub:

apiVersion: v1
kind: Secret
metadata:
  name: github-webhook-credentials
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/component: webhook
type: Opaque
stringData:
  token: "your-github-webhook-secret"
---
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example-argocd
  namespace: argocd
spec:
  webhookSecrets:
    github:
      webhookSecretRef:
        name: github-webhook-credentials
        key: token

Apply the configuration:
```
$ oc apply -f webhook-secret.yaml
```

3.3. Verify declarative webhook secret configuration
Copy link

After configuring declarative webhook secrets, verify that the Red Hat OpenShift GitOps Operator synchronized the webhook secret values to the argocd-secret secret.

Procedure

Run the following command to verify the configured GitHub webhook secret:
```
$ oc get secret argocd-secret -n <namespace> -o jsonpath='{.data.webhook\.github\.secret}' | base64 -d
```
where:
<namespace>
Specifies the namespace where your Argo CD instance is installed, such as openshift-gitops for the default instance.
Verify that the command output matches the value stored in the Secret referenced by spec.webhookSecrets.github.webhookSecretRef.

Note

After updating webhook secrets, the Argo CD server might need to restart to pick up the updated values.

Run the following command to restart the Argo CD server deployment:

$ oc rollout restart deployment/<argocd_cr_name>-server -n <namespace>

where:

<argocd_cr_name>: Specifies the name of your Argo CD custom resource.
<namespace>: Specifies the namespace where your Argo CD instance is installed.

Chapter 4. Using Argo CD Image Updater
Copy link

You can use the Argo CD Image Updater to automatically update container image versions for workloads managed by Argo CD. The Image Updater monitors container registries for new image versions and updates Argo CD applications when new versions are found that match user-defined constraints.

4.1. About Argo CD Image Updater
Copy link

Argo CD Image Updater automatically updates container image versions for workloads managed by Argo CD. It monitors container registries for new image tags that match configured version constraints and updates applications through Argo CD.

In the Red Hat OpenShift GitOps Operator, Argo CD Image Updater is provided as a productized controller that you enable through the Argo CD custom resource.

Note

Argo CD Image Updater was available as a Technology Preview in Red Hat OpenShift GitOps version 1.19.0 and is now generally available in Red Hat OpenShift GitOps 1.21.

The Argo CD Image Updater controller runs a reconciliation loop that continuously watches configured Argo CD applications and queries container registries for newer image versions. When a qualifying new version is discovered, the controller instructs Argo CD to update the application. You define which images to track and what version constraints to enforce by creating ImageUpdater custom resources.

Depending on the Argo CD application sync policy, updated images are either deployed automatically or marked as out of sync for manual approval.

The Image Updater provides the following capabilities:

Image selection and update behavior

Semantic version constraints, newest-build strategy, alphabetical sorting, and SHA256 digest tracking
Tag filtering using regular expressions and glob patterns

Application support

Helm and Kustomize applications

Persistence and Git workflows

Direct API write-back to Argo CD Application resources
Git commits to configuration repositories
Pull requests and merge requests for approval workflows

Registry integration

Docker Hub, Red Hat Quay, GitHub Container Registry, GitLab Container Registry, Google Container Registry, Azure Container Registry, JFrog Artifactory, and Docker Registry v2 API-compatible registries
Authentication using Kubernetes secrets, pull secrets, environment variables, and external scripts
Webhooks for immediate updates from Docker Hub, GitHub Container Registry, Quay, and Harbor

Observability

Status conditions (Ready, Reconciling, Error)
Matched application and image counts
Update history

Argo CD Image Updater has the following limitations:

Applications must be managed by Argo CD. Standalone Kubernetes workloads are not supported.
Only Kustomize-rendered and Helm-rendered manifests are supported. Helm charts must expose image tag parameters for the Argo CD Image Updater controller to modify.
Image pull secrets must exist in the same cluster where the Argo CD Image Updater controller runs.

4.2. Enabling Argo CD Image Updater
Copy link

You can enable the Argo CD Image Updater controller for an Argo CD instance by configuring the Argo CD custom resource (CR). The Argo CD Image Updater controller is namespace-scoped by default, watching only the namespace in which it is installed.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges and are logged in to the web console.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.

Procedure

To enable the Argo CD Image Updater using the OpenShift Container Platform web console, complete the following steps:

Navigate to the Operators → Installed Operators page.
From the list of Installed Operators, select the Red Hat OpenShift GitOps Operator, and then click on the Argo CD tab.
Select the Argo CD instance name for which you want to enable Argo CD Image Updater. For example, openshift-gitops.

Click the YAML tab, and then edit and set the spec.imageUpdater.enabled parameter to true:

Example:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  imageUpdater:
    enabled: true

Click Save.

Verification

Verify that the Image Updater controller pod is running:

$ oc get pods -n openshift-gitops | grep image-updater

Example output:

openshift-gitops-argocd-image-updater-7d9f8c5b6-xk2lm 1/1 Running 0 2m

Verify that the Image Updater controller has the necessary RBAC permissions:
```
$ oc get clusterrole argocd-image-updater
```

4.3. Configuring the Image Updater to watch multiple namespaces
Copy link

By default, the Argo CD Image Updater controller watches only the namespace in which it is installed. To configure the Argo CD Image Updater controller to watch additional namespaces, set the IMAGE_UPDATER_WATCH_NAMESPACES environment variable to a comma-separated list of namespaces.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges and are logged in to the web console.
You have enabled the Argo CD Image Updater feature.

Procedure

In the OpenShift Container Platform web console:
1. Click Operators → OperatorHub, if your version of OpenShift Container Platform is 4.19 or earlier.
2. Click Ecosystem → Software Catalog, if your version of OpenShift Container Platform is 4.20 or later.
3. Type openshift-gitops in the Filter by keyword box.
From the list of Installed Operators, select the Red Hat OpenShift GitOps Operator, and then click the Argo CD tab.
Select your Argo CD instance.
Click the YAML tab, and configure the IMAGE_UPDATER_WATCH_NAMESPACES environment variable:
Example:
```
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  imageUpdater:
    enabled: true
    env:
      - name: IMAGE_UPDATER_LOGLEVEL
        value: info
      - name: IMAGE_UPDATER_WATCH_NAMESPACES
        value: "openshift-gitops,team-a,team-b"
    resources:
      limits:
        cpu: 500m
        memory: 1024Mi
      requests:
        cpu: 250m
        memory: 512Mi
```
where:
spec.imageUpdater.enabled
Enables the Image Updater controller.
spec.imageUpdater.env
Defines environment variables for the Image Updater controller.
IMAGE_UPDATER_LOGLEVEL
Sets the log level for the Argo CD Image Updater controller. Valid values are debug, info, warn, and error.
IMAGE_UPDATER_WATCH_NAMESPACES
Specifies a comma-separated list of namespaces that the Argo CD Image Updater controller watches for ImageUpdater custom resources and Argo CD Applications.
spec.imageUpdater.resources
Defines resource requests and limits for the Image Updater controller.
Click Save.

4.4. Understanding the ImageUpdater custom resource
Copy link

To configure the Argo CD Image Updater to track and update images for an Argo CD application, you create an ImageUpdater custom resource (CR). The ImageUpdater CR specifies which Argo CD applications to monitor, which images to track, the update strategy to use, and how to write back image updates.

The ImageUpdater CR must reside in the same namespace as the Argo CD applications it references. The controller uses metadata.namespace to determine the namespace in which to search for matching applications.

The following example shows a basic ImageUpdater CR that matches applications whose names start with my-app- and tracks the nginx image with a version constraint of ~1.26, which restricts updates to patch versions within the 1.26 minor release (for example, 1.26.0, 1.26.1, 1.26.2):

Example basic ImageUpdater CR

apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: my-image-updater
  namespace: openshift-gitops
spec:
  applicationRefs:
    - namePattern: "my-app-*"
      images:
        - alias: "nginx"
          imageName: "nginx:~1.26"

Important

Version constraints prevent Argo CD Image Updater from introducing breaking changes. Without a constraint, Argo CD Image Updater could update to any newer version, potentially causing compatibility issues.

Important

Multiple ImageUpdater CRs must not target the same application. If two or more CRs match the same application, they will continuously overwrite each other’s changes, causing the image version to thrash between updates. Ensure that each application is targeted by only one ImageUpdater CR.

4.5. Selecting applications for image updates
Copy link

The applicationRefs field in the ImageUpdater custom resource determines which Argo CD applications the Argo CD Image Updater controller monitors. Applications can be selected by name pattern, by label, or by a combination of both.

You can use glob patterns to match application names. The namePattern field supports glob-based selection. An exact name matches a single application, while wildcards match multiple applications.

Example: Using a name pattern with wildcards:

spec:
  applicationRefs:
    - namePattern: "frontend-*"
      images:
        - alias: "nginx"
          imageName: "nginx:~1.26"

You can select applications based on their Kubernetes labels. The labelSelectors field selects applications by their Kubernetes labels, supporting both matchLabels for key-value pairs and matchExpressions for operator-based conditions.

Example: Using label selectors:

spec:
  applicationRefs:
    - labelSelectors:
        matchLabels:
          tier: "frontend"
        matchExpressions:
          - key: env
            operator: In
            values:
              - staging
              - production
      images:
        - alias: "nginx"
          imageName: "nginx:~1.26"

You can combine name patterns and label selectors for more precise application selection. For example, to match only applications whose names start with web- and that have a tier: "frontend" label:

Example: Combining name pattern and label selectors:

spec:
  applicationRefs:
    - namePattern: "web-*"
      labelSelectors:
        matchLabels:
          tier: "frontend"
      images:
        - alias: "nginx"
          imageName: "nginx:~1.26"

Applications can provide image configuration through annotations as an alternative to CR-based configuration. When working with ApplicationSets that generate many Applications, each Application can provide its own image configuration through annotations instead of defining images in the ImageUpdater CR. Set useAnnotations: true on an applicationRef to enable this.

Example: Using annotations for image configuration:

spec:
  applicationRefs:
    - namePattern: "generated-app-*"
      useAnnotations: true

When useAnnotations is enabled, the controller reads image configuration from the argocd-image-updater.argoproj.io/image-list annotation on each matching Application resource.

For that applicationRef, any image configuration defined in the CR is ignored. Only the namePattern and labelSelectors fields remain effective.

Example: Using annotations for image configuration:

spec:
  applicationRefs:
    - namePattern: "*"
      labelSelectors:
        matchLabels:
          image-updater: my-image-updater
      useAnnotations: true

Note

Using useAnnotations: true with namePattern: "*" and no label selectors will attempt to process all Applications in the namespace, which may impact performance.

4.6. Update strategies
Copy link

The Argo CD Image Updater supports four strategies for determining which image version to update to. Configure the strategy using the commonUpdateSettings.updateStrategy field.

Expand

Table 4.1. Update strategies
Strategy	Description
`semver` (default)	Updates to the highest version matching a semantic version constraint. Use this strategy when images follow semantic versioning.
`newest-build`	Updates to the image tag with the most recent creation timestamp, regardless of version numbering.
`alphabetical`	Updates to the last tag when sorted alphabetically.
`digest`	Tracks a mutable tag (such as `latest`) by its SHA256 digest, updating when the digest changes.

Example: Using the newest-build strategy with a tag filter:

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "myimage"
          imageName: "myorg/myimage"
          commonUpdateSettings:
            updateStrategy: "newest-build"
            allowTags: "regexp:^v1\\.0\\.0-[0-9a-zA-Z]+$"

You can control which image tags are eligible for updates using the following parameters:

allowTags: Specifies a match function applied to every tag. Supports regexp:<expression> for regular expression matching and any (the default) to match all tags.
ignoreTags: Specifies a comma-separated list of glob patterns for tags to exclude from consideration.

Example: Tag filtering with allowTags and ignoreTags:

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "myimage"
          imageName: "myorg/myimage"
          commonUpdateSettings:
            allowTags: "regexp:^v[0-9]+\\.[0-9]+\\.[0-9]+$"
            ignoreTags: "*-rc*"

This example allows only tags matching a specific semantic version pattern and ignores release candidate tags.

4.7. Write-back methods
Copy link

The Argo CD Image Updater supports three methods for writing back image updates to your applications: Argo CD API method, Git method, and pull request or merge request method.

The Argo CD API method is the default write-back method and requires no additional configuration. It updates the Argo CD Application resource directly via the Kubernetes API. No additional configuration is required. This method is best suited for applications created imperatively through the Argo CD Web UI or CLI.

Note

If the Application is managed in Git, syncing from Git will overwrite the Argo CD Image Updater’s changes.

The Git method provides persistent storage by committing changes to the application’s Git repository. The Argo CD Image Updater controller fetches the remote repository, checks out the target branch, creates or updates a parameter override file, and commits and pushes the change.

Example: Git write-back method:

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "nginx"
          imageName: "nginx:~1.26"
  writeBackConfig:
    method: "git"
    gitConfig:
      repository: "https://github.com/myorg/my-app-config.git"
      branch: "main"

To use credentials other than the ones configured in Argo CD, reference a Kubernetes secret:

Example: Git write-back with custom credentials:

spec:
  writeBackConfig:
    method: "git:secret:openshift-gitops/git-creds"
    gitConfig:
      branch: "main"

The Git method supports multiple write-back targets. By default, it creates or updates an .argocd-source-<appName>.yaml file in the application path. For Kustomization applications, you can set the writeBackTarget to kustomization to commit changes as a kustomize edit set image operation. For Helm applications, you can specify a Helm values file path using writeBackTarget: "helmvalues:/helm/config/values.yaml" to update the values file directly.

Example: Kustomization write-back target:

spec:
  writeBackConfig:
    method: "git"
    gitConfig:
      branch: "main"
      writeBackTarget: "kustomization"

Example: Helm values file write-back target:

spec:
  writeBackConfig:
    method: "git"
    gitConfig:
      branch: "main"
      writeBackTarget: "helmvalues:/helm/config/values.yaml"

The pull request or merge request method creates PRs or MRs for review instead of directly committing to the target branch. The PR/MR method extends the Git method by pushing changes to an auto-generated branch and opening a pull request or merge request instead of pushing directly to the target branch. This method is ideal when the target branch is protected or when image updates should go through a review workflow.

The Image Updater pushes the commit to a branch named image-updater-<namespace>-<appName>-<sha256> and opens a pull or merge request from that branch into the configured base branch. If a PR already exists for the same branch pair, no duplicate is created.

Example: GitHub pull request:

spec:
  writeBackConfig:
    method: "git:secret:openshift-gitops/git-creds"
    gitConfig:
      repository: "https://github.com/example/example.git"
      branch: "main"
      pullRequest:
        github: {}

Example: GitLab merge request:

spec:
  writeBackConfig:
    method: "git:secret:openshift-gitops/gitlab-creds"
    gitConfig:
      repository: "https://gitlab.com/org/repo.git"
      branch: "main"
      pullRequest:
        gitlab: {}

Important

PR creation requires credentials with a bearer token, such as a personal access token (PAT) or GitHub App credentials. SSH keys cannot be used for PR creation because they do not provide the HTTP token needed to call the SCM API.

4.8. Configuring images for Helm applications
Copy link

For Helm charts that use non-standard parameter names for image references, configure the manifestTargets.helm field in the ImageUpdater custom resource to explicitly map the image parameters.

Procedure

Configure the name field to specify the Helm parameter for the image repository and the tag field to specify the Helm parameter for the image tag:

Example: Mapping Helm parameters for image repository and tag:

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "myimage"
          imageName: "myorg/myimage"
          manifestTargets:
            helm:
              name: "image.repository"
              tag: "image.tag"

If the Helm chart uses a single parameter for the full image reference (for example, image: myorg/myimage:v1.0.0), use the spec field to specify the Helm parameter.

Example: Mapping a single Helm parameter for full image reference:

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "myimage"
          imageName: "myorg/myimage"
          manifestTargets:
            helm:
              spec: "image.fullRef"

4.9. Configuring images for Kustomize applications
Copy link

When replacing one image with another, for example, switching registries, use the manifestTargets.kustomize.name field to identify the original image in the kustomization.

Procedure

Configure the manifestTargets.kustomize.name field to specify the original image name that should be replaced. The imageName field specifies the new image to use, and the name field under kustomize specifies the original image name to replace in the kustomization:

Example: Replacing an image for Kustomize applications:

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "argocd"
          imageName: "ghcr.io/argoproj/argocd:latest"
          manifestTargets:
            kustomize:
              name: "quay.io/argoproj/argocd"

4.10. Configuring container registries
Copy link

The Argo CD Image Updater works with most container registries that implement the Docker Registry v2 API out of the box. For custom or private registries, you can configure registry settings in the argocd-image-updater-config ConfigMap.

The Image Updater works with the following container registries out of the box:

Docker Hub (docker.io)
Red Hat Quay (quay.io)
GitHub Container Registry (ghcr.io)
GitLab Container Registry (registry.gitlab.com)
Google Container Registry (gcr.io)
Azure Container Registry (azurecr.io)
JFrog Artifactory

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled the Argo CD Image Updater.

Procedure

Create or edit the argocd-image-updater-config config map in the namespace where your Argo CD instance is installed. Configure the registry with a descriptive name, the registry prefix that matches the beginning of image names, the API URL for the registry, credentials for authentication, and whether this registry should be used as the default for images without a registry prefix:
Example: Custom registry configuration
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-image-updater-config
  namespace: openshift-gitops
data:
  registries.conf: |
    registries:
    - name: My Private Registry
      prefix: myregistry.example.com
      api_url: https://myregistry.example.com
      credentials: secret:openshift-gitops/registry-creds#creds
      default: false
```

Apply the config map:

$ oc apply -f argocd-image-updater-config.yaml

4.11. Configuring pull secrets for image registries
Copy link

Per-image pull secrets authenticate with private container registries. The pullSecret field supports the following formats:

Pull secret formats:

Expand

Format	Description
`secret:<namespace>/<secret_name>#<field>`	Reads credentials from a specific field in a Kubernetes secret. The value must be in `<username>:<password>` format.
`pullsecret:<namespace>/<secret_name>`	Uses a Docker-style pull secret (`.dockerconfigjson`).
`env:<variable_name>`	Reads credentials from an environment variable. The value must be in `<username>:<password>` format.
`ext:<path_to_script>`	Executes a script that outputs `<username>:<password>` to stdout.

Procedure

Configure the pullSecret field in your ImageUpdater custom resource to specify the authentication credentials:

Example: Using a pull secret

spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "myimage"
          imageName: "myregistry.example.com/myorg/myimage:~1.0"
          pullSecret: "pullsecret:openshift-gitops/myregistry-pull-secret"

4.12. Configuring webhooks for immediate image updates
Copy link

By default, the Argo CD Image Updater discovers new image versions by periodically polling container registries. You can also configure webhooks so that registries push notifications to the Image Updater immediately when a new image is available, eliminating the delay between image publication and update.

Expand

Table 4.2. Supported webhook registries
Registry	`type` query parameter value
Docker Hub	`docker.io`
GitHub Container Registry (GHCR)	`ghcr.io`
Harbor	`harbor`
Quay	`quay.io`
Aliyun ACR	`aliyun-acr`
AWS ECR (via EventBridge CloudEvents)	`cloudevents`

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled the Argo CD Image Updater.

Procedure

Configure the ENABLE_WEBHOOK and WEBHOOK_PORT environment variables in the Argo CD CR:

Example: Enabling the webhook server

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  imageUpdater:
    enabled: true
    env:
      - name: ENABLE_WEBHOOK
        value: "true"
      - name: WEBHOOK_PORT
        value: "8082"

Apply the changes:
```
$ oc apply -f argocd.yaml
```

The webhook server exposes two endpoints:

/webhook — receives and processes registry notifications
/healthz — health check endpoint for liveness probes

Registry webhook URLs include a type query parameter that identifies the registry. For example: https://image-updater.example.com/webhook?type=docker.io.

Verification

Verify the webhook server is running:

$ oc logs -n openshift-gitops deployment/openshift-gitops-argocd-image-updater | grep webhook

Example output:

INFO  Starting webhook server on port 8082
INFO  Webhook TLS enabled: true

4.12.1. Configuring webhook secrets
Copy link

Webhook secrets validate incoming notifications and prevent unauthorized triggers. Configure the secret for each registry using environment variables in the Argo CD CR, replacing <YOUR_SECRET> with your actual webhook secret.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled the Argo CD Image Updater.
You have configured webhooks for Argo CD Image Updater.

Procedure

Configure webhook secrets for your registries in the Argo CD CR:

Example: Configuring webhook secrets:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  imageUpdater:
    enabled: true
    env:
      - name: ENABLE_WEBHOOK
        value: "true"
      - name: DOCKER_WEBHOOK_SECRET
        value: <YOUR_SECRET>
      - name: GHCR_WEBHOOK_SECRET
        value: <YOUR_SECRET>
      - name: HARBOR_WEBHOOK_SECRET
        value: <YOUR_SECRET>
      - name: QUAY_WEBHOOK_SECRET
        value: <YOUR_SECRET>

Apply the changes:
```
$ oc apply -f argocd.yaml
```
Note
GitHub Container Registry and Harbor have built-in secret validation. Configure the secret in the registry’s webhook settings as documented by those registries. For Docker Hub and Quay, append &secret=<YOUR_SECRET> to the webhook URL.

4.12.2. Configuring TLS for webhooks
Copy link

The webhook server uses TLS 1.3 by default for secure communication. It loads certificates from the argocd-image-updater-tls Secret, or generates a self-signed certificate if none is provided.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled the Argo CD Image Updater.
You have configured webhooks for Argo CD Image Updater.

Procedure

To disable TLS, set the DISABLE_TLS environment variable to true in the Argo CD CR:

Example: Disabling TLS for webhooks:

spec:
  imageUpdater:
    enabled: true
    env:
      - name: ENABLE_WEBHOOK
        value: "true"
      - name: DISABLE_TLS
        value: "true"

4.12.3. Configuring rate limiting for webhooks
Copy link

Rate limiting on the /webhook endpoint prevents resource overload from high-volume notifications. The WEBHOOK_RATELIMIT_ALLOWED environment variable controls the maximum requests allowed (default: 0 for disabled). When the limit is exceeded, requests are queued rather than rejected.

Prerequisites

You have access to an OpenShift Container Platform cluster with cluster-admin privileges.
You have installed the Red Hat OpenShift GitOps Operator on your cluster.
You have enabled the Argo CD Image Updater.
You have configured webhooks for Argo CD Image Updater.

Procedure

Set the WEBHOOK_RATELIMIT_ALLOWED environment variable in the Argo CD CR:

Example: Configuring webhook rate limiting:

spec:
  imageUpdater:
    enabled: true
    env:
      - name: ENABLE_WEBHOOK
        value: "true"
      - name: WEBHOOK_RATELIMIT_ALLOWED
        value: "100"

4.13. Monitoring Image Updater status
Copy link

The ImageUpdater custom resource exposes a status subresource with standard Kubernetes conditions that provide information about the operational state of the Argo CD Image Updater controller.

Prerequisites

You have created an ImageUpdater custom resource.

Procedure

To inspect the status of an ImageUpdater CR, run the following command:

$ oc get imageupdater my-image-updater -o yaml

Example output:

status:
  conditions:
  - lastTransitionTime: "2026-06-03T10:00:00Z"
    message: Image Updater is operating normally
    reason: ReconciliationSucceeded
    status: "True"
    type: Ready
  - lastTransitionTime: "2026-06-03T10:00:00Z"
    message: Actively processing updates
    reason: ProcessingUpdates
    status: "True"
    type: Reconciling
  matchedApplications: 3
  matchedImages: 5
  lastUpdateHistory:
  - timestamp: "2026-06-03T09:55:00Z"
    application: my-app-1
    image: nginx:1.26.1
    previousVersion: 1.26.0

The Argo CD Image Updater controller reports its operational state using standard Kubernetes conditions. The ImageUpdater CR status includes the following standard Kubernetes conditions:

Ready: Indicates that the Argo CD Image Updater controller is operating normally.
Reconciling: Indicates that the Argo CD Image Updater controller is actively processing updates.
Error: Indicates that an error has occurred during reconciliation. Check the condition message for details.

4.14. Complete ImageUpdater example
Copy link

The following example shows a complete ImageUpdater custom resource that tracks two images for a Helm-based application, uses semantic versioning constraints, and writes back updates as pull requests to a GitHub repository. This example demonstrates tracking a frontend image with patch version updates within 2.0, a backend image with minor and patch updates within 1.x using semantic versioning strategy, pull secret authentication, and Git write-back with GitHub pull request creation.

Example: Complete ImageUpdater CR:

apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: my-app-updater
  namespace: openshift-gitops
spec:
  applicationRefs:
    - namePattern: "my-app"
      images:
        - alias: "frontend"
          imageName: "myorg/frontend:~2.0"
          manifestTargets:
            helm:
              name: "frontend.image.repository"
              tag: "frontend.image.tag"
        - alias: "backend"
          imageName: "myorg/backend:^1.5"
          commonUpdateSettings:
            updateStrategy: "semver"
            allowTags: "regexp:^v[0-9]+\\.[0-9]+\\.[0-9]+$"
          manifestTargets:
            helm:
              name: "backend.image.repository"
              tag: "backend.image.tag"
          pullSecret: "pullsecret:openshift-gitops/myregistry-pull-secret"
  writeBackConfig:
    method: "git:secret:openshift-gitops/git-creds"
    gitConfig:
      repository: "https://github.com/myorg/my-app-config.git"
      branch: "main"
      pullRequest:
        github: {}

Legal Notice
Copy link

Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.

The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.

All other trademarks are the property of their respective owners.

Argo CD instance

Installing and deploying Argo CD instances, enabling notifications with an Argo CD instance, and configuring the NotificationsConfiguration CR

Chapter 1. Setting up an Argo CD instanceCopy linkLink copied to clipboard!

1.1. Installing a user-defined Argo CD instanceCopy linkLink copied to clipboard!

1.2. Configuring common cluster roles by specifying user-defined cluster roles for namespace-scoped instancesCopy linkLink copied to clipboard!

1.3. Enabling replicas for Argo CD server and repo serverCopy linkLink copied to clipboard!

1.4. Deploying resources to a different namespaceCopy linkLink copied to clipboard!

1.5. Customizing the Argo CD console linkCopy linkLink copied to clipboard!

1.6. Configuring ImagePullPolicyCopy linkLink copied to clipboard!

Chapter 2. Argo CD custom resource and component propertiesCopy linkLink copied to clipboard!

2.1. Argo CD custom resource propertiesCopy linkLink copied to clipboard!

2.2. Repo server propertiesCopy linkLink copied to clipboard!

2.2.1. Configure TLS trust for the repo serverCopy linkLink copied to clipboard!

2.3. Enabling notifications with an Argo CD instanceCopy linkLink copied to clipboard!

2.4. Enabling Config Management Plugins in an Argo CD CRCopy linkLink copied to clipboard!

2.5. NotificationsConfiguration custom resource propertiesCopy linkLink copied to clipboard!

2.5.1. Configuring the NotificationsConfiguration CR by using the web consoleCopy linkLink copied to clipboard!

2.5.2. Configuring the NotificationsConfiguration CR by using the CLICopy linkLink copied to clipboard!

2.6. Configuring notifications in any NamespaceCopy linkLink copied to clipboard!

2.6.1. Understanding configuration notifications behavior across namespacesCopy linkLink copied to clipboard!

2.7. Enabling annotation-based resource tracking in Argo CDCopy linkLink copied to clipboard!

2.7.1. Configuring annotation-based tracking in multiple Argo CD instancesCopy linkLink copied to clipboard!

Chapter 3. Configure webhook secrets for Git providersCopy linkLink copied to clipboard!

3.1. Declarative webhook secrets for Git providersCopy linkLink copied to clipboard!

3.2. Create webhook secrets using the Argo CD CRCopy linkLink copied to clipboard!

3.3. Verify declarative webhook secret configurationCopy linkLink copied to clipboard!

Chapter 4. Using Argo CD Image UpdaterCopy linkLink copied to clipboard!

4.1. About Argo CD Image UpdaterCopy linkLink copied to clipboard!

4.2. Enabling Argo CD Image UpdaterCopy linkLink copied to clipboard!

4.3. Configuring the Image Updater to watch multiple namespacesCopy linkLink copied to clipboard!

4.4. Understanding the ImageUpdater custom resourceCopy linkLink copied to clipboard!

4.5. Selecting applications for image updatesCopy linkLink copied to clipboard!

4.6. Update strategiesCopy linkLink copied to clipboard!

4.7. Write-back methodsCopy linkLink copied to clipboard!

4.8. Configuring images for Helm applicationsCopy linkLink copied to clipboard!

4.9. Configuring images for Kustomize applicationsCopy linkLink copied to clipboard!

4.10. Configuring container registriesCopy linkLink copied to clipboard!

4.11. Configuring pull secrets for image registriesCopy linkLink copied to clipboard!

4.12. Configuring webhooks for immediate image updatesCopy linkLink copied to clipboard!

4.12.1. Configuring webhook secretsCopy linkLink copied to clipboard!

4.12.2. Configuring TLS for webhooksCopy linkLink copied to clipboard!

4.12.3. Configuring rate limiting for webhooksCopy linkLink copied to clipboard!

4.13. Monitoring Image Updater statusCopy linkLink copied to clipboard!

4.14. Complete ImageUpdater exampleCopy linkLink copied to clipboard!

Legal NoticeCopy linkLink copied to clipboard!

Learn

Try, buy, & sell

Communities

About Red Hat

Making open source more inclusive

About Red Hat Documentation

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Chapter 1. Setting up an Argo CD instance
Copy link

1.1. Installing a user-defined Argo CD instance
Copy link

1.2. Configuring common cluster roles by specifying user-defined cluster roles for namespace-scoped instances
Copy link

1.3. Enabling replicas for Argo CD server and repo server
Copy link

1.4. Deploying resources to a different namespace
Copy link

1.5. Customizing the Argo CD console link
Copy link

1.6. Configuring ImagePullPolicy
Copy link

Chapter 2. Argo CD custom resource and component properties
Copy link

2.1. Argo CD custom resource properties
Copy link

2.2. Repo server properties
Copy link

2.2.1. Configure TLS trust for the repo server
Copy link

2.3. Enabling notifications with an Argo CD instance
Copy link

2.4. Enabling Config Management Plugins in an Argo CD CR
Copy link

2.5. NotificationsConfiguration custom resource properties
Copy link

2.5.1. Configuring the NotificationsConfiguration CR by using the web console
Copy link

2.5.2. Configuring the NotificationsConfiguration CR by using the CLI
Copy link

2.6. Configuring notifications in any Namespace
Copy link

2.6.1. Understanding configuration notifications behavior across namespaces
Copy link

2.7. Enabling annotation-based resource tracking in Argo CD
Copy link

2.7.1. Configuring annotation-based tracking in multiple Argo CD instances
Copy link

Chapter 3. Configure webhook secrets for Git providers
Copy link

3.1. Declarative webhook secrets for Git providers
Copy link

3.2. Create webhook secrets using the Argo CD CR
Copy link

3.3. Verify declarative webhook secret configuration
Copy link

Chapter 4. Using Argo CD Image Updater
Copy link

4.1. About Argo CD Image Updater
Copy link

4.2. Enabling Argo CD Image Updater
Copy link

4.3. Configuring the Image Updater to watch multiple namespaces
Copy link

4.4. Understanding the ImageUpdater custom resource
Copy link

4.5. Selecting applications for image updates
Copy link

4.6. Update strategies
Copy link

4.7. Write-back methods
Copy link

4.8. Configuring images for Helm applications
Copy link

4.9. Configuring images for Kustomize applications
Copy link

4.10. Configuring container registries
Copy link

4.11. Configuring pull secrets for image registries
Copy link

4.12. Configuring webhooks for immediate image updates
Copy link

4.12.1. Configuring webhook secrets
Copy link

4.12.2. Configuring TLS for webhooks
Copy link

4.12.3. Configuring rate limiting for webhooks
Copy link

4.13. Monitoring Image Updater status
Copy link

4.14. Complete ImageUpdater example
Copy link

Legal Notice
Copy link