DirectorySecurity AdvisoriesPricing
Sign in
Directory
argocd-image-updater logoHELM

argocd-image-updater

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
## Custom resource configuration
2
crds:
3
# -- Install and upgrade CRDs
4
install: true
5
# -- Keep CRDs on chart uninstall
6
keep: true
7
# -- Annotations to be added to all CRDs
8
annotations: {}
9
# -- Additional labels to be added to all CRDs
10
additionalLabels: {}
11
# -- Replica count for the deployment. It is not advised to run more than one replica.
12
replicaCount: 1
13
image:
14
# -- Default image repository
15
repository: cgr.dev/chainguard-private/argocd-image-updater
16
# -- Default image pull policy
17
pullPolicy: Always
18
# -- Overrides the image tag whose default is the chart appVersion
19
tag: latest@sha256:eda2a6f0673ad6728507c92797c49ca9bad575a8881608e620dce8b96bb0a0b6
20
# -- The deployment strategy to use to replace existing pods with new ones
21
updateStrategy:
22
type: Recreate
23
# -- ImagePullSecrets for the image updater deployment
24
imagePullSecrets: []
25
# -- Global name (argocd-image-updater.name in _helpers.tpl) override
26
nameOverride: ""
27
# -- Global fullname (argocd-image-updater.fullname in _helpers.tpl) override
28
fullnameOverride: ""
29
# -- Global namespace (argocd-image-updater.namespace in _helpers.tpl) override
30
namespaceOverride: ""
31
# -- Create cluster roles for cluster-wide installation.
32
## Used when you manage applications in the same cluster where Argo CD Image Updater runs.
33
## If you want to use this, please set `.Values.rbac.enabled` true as well.
34
createClusterRoles: true
35
# -- Extra arguments for argocd-image-updater not defined in `config.argocd`.
36
# If a flag contains both key and value, they need to be split to a new entry.
37
extraArgs: []
38
# - --disable-kubernetes
39
# - --dry-run
40
# - --health-port
41
# - 8080
42
# - --interval
43
# - 2m
44
# - --kubeconfig
45
# - ~/.kube/config
46
# - --match-application-name
47
# - staging-*
48
# - --max-concurrency
49
# - 5
50
# - --once
51
# - --registries-conf-path
52
# - /app/config/registries.conf
53
54
# -- Extra environment variables for argocd-image-updater.
55
## These variables are also available to the authentication scripts mounted under /scripts, provided 'authScripts.enabled' is set to 'true'.
56
extraEnv: []
57
# - name: AWS_REGION
58
# value: "us-west-1"
59
# - name: ACR1_NAME
60
# value: "acr1.azurecr.io"
61
# - name: ACR1_CLIENT_ID
62
# value: "00000000-0000-0000-0000-000000000000"
63
64
# -- Extra envFrom to pass to argocd-image-updater
65
extraEnvFrom: []
66
# - configMapRef:
67
# name: config-map-name
68
# - secretRef:
69
# name: secret-name
70
71
# -- Extra K8s manifests to deploy for argocd-image-updater.
72
## Note: Supports use of custom Helm templates.
73
extraObjects: []
74
# - apiVersion: secrets-store.csi.x-k8s.io/v1
75
# kind: SecretProviderClass
76
# metadata:
77
# name: argocd-image-updater-secrets-store
78
# spec:
79
# provider: aws
80
# parameters:
81
# objects: |
82
# - objectName: "argocd-image-updater"
83
# objectType: "secretsmanager"
84
# jmesPath:
85
# - path: "client_id"
86
# objectAlias: "client_id"
87
# - path: "client_secret"
88
# objectAlias: "client_secret"
89
# secretObjects:
90
# - data:
91
# - key: client_id
92
# objectName: client_id
93
# - key: client_secret
94
# objectName: client_secret
95
# secretName: argocd-image-updater-secrets-store
96
# type: Opaque
97
# labels:
98
# app.kubernetes.io/part-of: argocd
99
100
# -- Init containers to add to the image updater pod
101
initContainers: []
102
# - name: download-tools
103
# image: alpine:3.8
104
# command: [sh, -c]
105
# args:
106
# - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - &&
107
# mv linux-amd64/helm /custom-tools/
108
# volumeMounts:
109
# - mountPath: /custom-tools
110
# name: custom-tools
111
112
# -- Priority class for the deployment
113
# @default -- `""`
114
priorityClassName: ""
115
# -- Additional volumeMounts to the image updater main container
116
volumeMounts: []
117
# -- Additional volumes to the image updater pod
118
volumes: []
119
## Use init containers to configure custom tooling
120
## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/
121
## When using the volumes & volumeMounts section bellow, please comment out those above.
122
# - name: custom-tools
123
# emptyDir: {}
124
125
config:
126
# -- Name of the ConfigMap
127
name: argocd-image-updater-config
128
# -- Disable kubernetes events
129
kube.events: false
130
# -- Username to use for Git commits
131
git.user: ""
132
# -- E-Mail address to use for Git commits
133
git.email: ""
134
# -- Changing the Git commit message
135
git.commit-message-template: ""
136
# -- Path to public SSH key mounted in container, or GPG key ID used to sign commits
137
git.commit-signing-key: ""
138
# -- Enables sign off on commits
139
git.commit-sign-off: false
140
# -- Method used to sign Git commits. `openpgp` or `ssh`
141
git.commit-signing-method: ""
142
# -- Argo CD Image Update log level
143
log.level: "info"
144
# -- Argo CD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/).
145
registries: []
146
# - name: Docker Hub
147
# api_url: https://registry-1.docker.io
148
# ping: yes
149
# credentials: secret:foo/bar#creds
150
# defaultns: library
151
# - name: Google Container Registry
152
# api_url: https://gcr.io
153
# prefix: gcr.io
154
# ping: no
155
# credentials: pullsecret:foo/bar
156
# - name: RedHat Quay
157
# api_url: https://quay.io
158
# ping: no
159
# prefix: quay.io
160
# credentials: env:REGISTRY_SECRET
161
# - name: ECR
162
# api_url: https://123456789.dkr.ecr.eu-west-1.amazonaws.com
163
# prefix: 123456789.dkr.ecr.eu-west-1.amazonaws.com
164
# ping: yes
165
# insecure: no
166
# credentials: ext:/scripts/auth1.sh
167
# credsexpire: 10h
168
# - name: Azure Container Registry
169
# api_url: https://acr1.azurecr.io
170
# prefix: acr1.azurecr.io
171
# ping: yes
172
# credentials: ext:/scripts/azure-workload-identity.sh
173
# credsexpire: 1h
174
175
sshConfig:
176
# -- Name of the sshConfig ConfigMap
177
name: argocd-image-updater-ssh-config
178
# -- Argo CD Image Updater ssh client parameter configuration
179
config: ""
180
# config: |
181
# Host *
182
# PubkeyAcceptedAlgorithms +ssh-rsa
183
# HostkeyAlgorithms +ssh-rsa
184
# whether to mount authentication scripts, if enabled, the authentication scripts will be mounted on /scripts that can be used to authenticate with registries (Azure, ECR)
185
# refer to https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/#specifying-credentials-for-accessing-container-registries for more info
186
authScripts:
187
# -- Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts`
188
enabled: false
189
# -- Name of the authentication scripts ConfigMap
190
name: argocd-image-updater-authscripts
191
# -- Map of key-value pairs where the key consists of the name of the script and the value the contents.
192
## Expect the script to output Docker credentials in the form: <username>:<password>
193
## Authentication scripts can be used for various cloud providers like ECR or Azure Workload Identity.
194
## For Azure Workload Identity, you can place your authentication script here to handle token acquisition.
195
scripts: {}
196
# auth1.sh: |
197
# #!/bin/sh
198
# echo "auth script 1 here"
199
# auth2.sh: |
200
# #!/bin/sh
201
# echo "auth script 2 here"
202
# azure-workload-identity.sh: |
203
# #!/bin/sh
204
# # Example script for Azure Workload Identity.
205
# # This script would typically use environment variables set by the workload identity
206
# # to acquire an Azure AD token and authenticate with Azure Container Registry (ACR).
207
# # It should output the Docker username and password on stdout, e.g., '00000000-0000-0000-0000-000000000000:<token>'
208
serviceAccount:
209
# -- Specifies whether a service account should be created
210
create: true
211
# -- Annotations to add to the service account
212
annotations: {}
213
# Example for Azure Workload Identity:
214
# azure.workload.identity/client-id: "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
215
# -- Labels to add to the service account
216
labels: {}
217
# Example for Azure Workload Identity:
218
# azure.workload.identity/use: "true"
219
# -- The name of the service account to use.
220
# If not set and create is true, a name is generated using the fullname template.
221
name: ""
222
# -- Pod Annotations for the deployment
223
podAnnotations: {}
224
# -- Pod Labels for the deployment
225
podLabels: {}
226
# azure.workload.identity/use: "true"
227
228
# -- Pod security context settings for the deployment
229
# @default -- See [values.yaml]
230
podSecurityContext:
231
runAsNonRoot: true
232
# -- Security context settings for the deployment
233
# @default -- See [values.yaml]
234
securityContext:
235
allowPrivilegeEscalation: false
236
capabilities:
237
drop:
238
- ALL
239
readOnlyRootFilesystem: true
240
runAsNonRoot: true
241
seccompProfile:
242
type: RuntimeDefault
243
rbac:
244
# -- Enable RBAC creation
245
enabled: true
246
# -- Pod memory and cpu resource settings for the deployment
247
resources: {}
248
# -- Kubernetes nodeSelector settings for the deployment
249
nodeSelector: {}
250
# -- Kubernetes toleration settings for the deployment
251
tolerations: []
252
# -- Kubernetes affinity settings for the deployment
253
affinity: {}
254
# Metrics configuration
255
metrics:
256
# -- Deploy metrics service
257
enabled: false
258
service:
259
# -- Metrics service annotations
260
annotations: {}
261
# -- Metrics service labels
262
labels: {}
263
# -- Metrics service port
264
servicePort: 8443
265
serviceMonitor:
266
# -- Enable a prometheus ServiceMonitor
267
enabled: false
268
# -- Prometheus ServiceMonitor interval
269
interval: 30s
270
# -- Prometheus [RelabelConfigs] to apply to samples before scraping
271
relabelings: []
272
# -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion
273
metricRelabelings: []
274
# -- Prometheus ServiceMonitor selector
275
selector: {}
276
# promtheus: kube-prometheus
277
278
# -- Prometheus ServiceMonitor scheme
279
scheme: https
280
# -- Prometheus ServiceMonitor tlsConfig
281
tlsConfig:
282
insecureSkipVerify: true
283
# -- Prometheus ServiceMonitor authorization
284
authorization: {}
285
# type: Bearer
286
# credentials:
287
# name: argocd-image-updater-metrics-token
288
# key: token
289
# -- Prometheus ServiceMonitor namespace
290
namespace: ""
291
# -- Prometheus ServiceMonitor labels
292
additionalLabels: {}
293
containerPorts:
294
# -- Port for the webhook events
295
webhook: 8082
296
# -- Port for the probe endpoint
297
health: 8081
298
# -- Port for the metrics
299
metrics: 8443
300
## Service configuration
301
service:
302
# -- Enable a Service for the webhook endpoint. A Service is created when this is set to true or when `ingress.enabled` is true
303
enabled: false
304
# -- Service annotations
305
annotations: {}
306
# -- Service labels
307
labels: {}
308
# -- Service type
309
type: ClusterIP
310
# -- Service http port for NodePort service type (only if `service.type` is set to "NodePort")
311
nodePortHttp: 30080
312
# -- Service http port
313
port: 8080
314
# -- Service http port name, can be used to route traffic via istio
315
servicePortHttpName: server-port
316
# -- The class of the load balancer implementation
317
loadBalancerClass: ""
318
# -- LoadBalancer will get created with the IP specified in this field
319
loadBalancerIP: ""
320
# -- Source IP ranges to allow access to service from
321
## EKS Ref: https://repost.aws/knowledge-center/eks-cidr-ip-address-loadbalancer
322
## GKE Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview#limit-connectivity-ext-lb
323
loadBalancerSourceRanges: []
324
# -- Service external IPs
325
externalIPs: []
326
# -- Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints
327
## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
328
externalTrafficPolicy: Cluster
329
# -- Used to maintain session affinity. Supports `ClientIP` and `None`
330
## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
331
sessionAffinity: None
332
# Ingress for the deployment
333
ingress:
334
# -- Enable an ingress resource for the deployment
335
enabled: false
336
# -- Additional ingress labels
337
labels: {}
338
# -- Additional ingress annotations
339
annotations: {}
340
# -- Defines which ingress controller will implement the resource
341
ingressClassName: ""
342
# -- deployment hostname
343
# @default -- `""` (defaults to global.domain)
344
hostname: ""
345
# -- The path to deployment
346
path: /webhook
347
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
348
pathType: Prefix
349
# -- The list of additional hostnames to be covered by ingress record
350
# @default -- `[]` (See [values.yaml])
351
extraHosts: []
352
# - name: argocd.example.com
353
# path: /
354
355
# -- Additional ingress paths
356
# @default -- `[]` (See [values.yaml])
357
## Note: Supports use of custom Helm templates
358
extraPaths: []
359
# - path: /*
360
# pathType: Prefix
361
# backend:
362
# service:
363
# name: ssl-redirect
364
# port:
365
# name: use-annotation
366
367
# -- Ingress TLS configuration
368
tls: []
369
# - secretName: argoworkflows-example-tls
370
# hosts:
371
# - argoworkflows.example.com
372
# Configure dual-stack
373
dualStack:
374
# -- IP family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
375
ipFamilyPolicy: ""
376
# -- IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
377
ipFamilies: []
378
# TLS certificate configuration via Secret for Webhook
379
## Ref: https://argocd-image-updater.readthedocs.io/en/stable/configuration/webhook/#tls-configuration
380
## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers.
381
certificateSecret:
382
# -- Create argocd-repo-server-tls secret
383
enabled: false
384
# -- Annotations to be added to argocd-repo-server-tls secret
385
annotations: {}
386
# -- Labels to be added to argocd-repo-server-tls secret
387
labels: {}
388
# -- Certificate private key
389
key: ""
390
# -- Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc)
391
crt: ""
392

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.