Chainguard Container for argocd-fips

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/argocd-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Usage

There are two recommended methods for installing Argo CD: using helm and raw manifests. Chainguard's Argo CD Image is designed to be a drop-in replacement for either method.

To use this Image, replace the appropriate image: value with the Chainguard Argo CD Image. The following is an example how such a value might appear within a Helm chart:

global:
  image:
    repository: cgr.dev/chainguard/argocd-fips

Based on these values, you would install Argo CD using the following helm commands. First, add the Argo Helm repository:

helm repo add argo https://argoproj.github.io/argo-helm

Then you can install Argo CD:

helm install argocd argo/argo-cd \
	--namespace argocd \
	--create-namespace \
	--set global.image.repository="cgr.dev/chainguard/argocd-fips" \
	--set global.image.tag="latest" \
	--set repoServer.image.repository="cgr.dev/chainguard/argocd-repo-server-fips" \
	--set repoServer.image.tag="latest"

Note that this example uses multiple container images, namely argocd-fips and argocd-repo-server-fips. Refer to the following components section for more information.

NOTE: Setting the tag to latest is not recommended, and only shown for illustrative purposes.

Optionally, you can use other Chainguard Images to replace Argo CD dependencies:

redis:
  image:
    repository: cgr.dev/chainguard/redis-fips
    tag: latest

dex:
  image:
    repository: cgr.dev/chainguard/dex-fips
    tag: latest

Argo CD Components

Argo CD is comprised of multiple components that all share the same container image.

Keeping in line with the philosophy of minimal dependencies in Chainguard Images, we chose to split this up to keep the number of packages in each respective component to a minimum. This means the overall number of images increases, but the size and complexity of each image is reduced down to the minimum needed to function.

Argo CD Repo Server, GPG and FIPS

Argo CD Repo Server has ability to use GnuPG signature verification, see upstream documentation. Chainguard does not currently have FIPS CVMP certification for gpg. The cgr.dev/chainguard/argocd-repo-server-fips image has environment variable ARGOCD_GPG_ENABLED=false set, which should also be used for FIPS deployments.

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.