argocd-image-updater
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
## Custom resource configuration
2
crds:
3
# -- Install and upgrade CRDs
4
install: true
5
# -- Keep CRDs on chart uninstall
6
keep: true
7
# -- Annotations to be added to all CRDs
8
annotations: {}
9
# -- Additional labels to be added to all CRDs
10
additionalLabels: {}
11
# -- Replica count for the deployment. It is not advised to run more than one replica.
12
replicaCount: 1
13
image:
14
# -- Default image repository
15
repository: cgr.dev/chainguard-private/argocd-image-updater
16
# -- Default image pull policy
17
pullPolicy: Always
18
# -- Overrides the image tag whose default is the chart appVersion
19
tag: latest@sha256:8e816fd2fc6e87dae6f6214b1cf0284b4aebeca833867a4ff2a0b1e01ec8cb5c
20
# -- The deployment strategy to use to replace existing pods with new ones
21
updateStrategy:
22
type: Recreate
23
# -- ImagePullSecrets for the image updater deployment
24
imagePullSecrets: []
25
# -- Global name (argocd-image-updater.name in _helpers.tpl) override
26
nameOverride: ""
27
# -- Global fullname (argocd-image-updater.fullname in _helpers.tpl) override
28
fullnameOverride: ""
29
# -- Global namespace (argocd-image-updater.namespace in _helpers.tpl) override
30
namespaceOverride: ""
31
# -- Create cluster roles for cluster-wide installation.
32
## Used when you manage applications in the same cluster where Argo CD Image Updater runs.
33
## If you want to use this, please set `.Values.rbac.enabled` true as well.
34
createClusterRoles: true
35
# -- Extra arguments for argocd-image-updater not defined in `config.argocd`.
36
# If a flag contains both key and value, they need to be split to a new entry.
37
extraArgs: []
38
# - --disable-kubernetes
39
# - --dry-run
40
# - --health-port
41
# - 8080
42
# - --interval
43
# - 2m
44
# - --kubeconfig
45
# - ~/.kube/config
46
# - --match-application-name
47
# - staging-*
48
# - --max-concurrency
49
# - 5
50
# - --once
51
# - --registries-conf-path
52
# - /app/config/registries.conf
53
54
# -- Extra environment variables for argocd-image-updater.
55
## These variables are also available to the authentication scripts mounted under /scripts, provided 'authScripts.enabled' is set to 'true'.
56
extraEnv: []
57
# - name: AWS_REGION
58
# value: "us-west-1"
59
# - name: ACR1_NAME
60
# value: "acr1.azurecr.io"
61
# - name: ACR1_CLIENT_ID
62
# value: "00000000-0000-0000-0000-000000000000"
63
64
# -- Extra envFrom to pass to argocd-image-updater
65
extraEnvFrom: []
66
# - configMapRef:
67
# name: config-map-name
68
# - secretRef:
69
# name: secret-name
70
71
# -- Extra K8s manifests to deploy for argocd-image-updater.
72
## Note: Supports use of custom Helm templates.
73
extraObjects: []
74
# - apiVersion: secrets-store.csi.x-k8s.io/v1
75
# kind: SecretProviderClass
76
# metadata:
77
# name: argocd-image-updater-secrets-store
78
# spec:
79
# provider: aws
80
# parameters:
81
# objects: |
82
# - objectName: "argocd-image-updater"
83
# objectType: "secretsmanager"
84
# jmesPath:
85
# - path: "client_id"
86
# objectAlias: "client_id"
87
# - path: "client_secret"
88
# objectAlias: "client_secret"
89
# secretObjects:
90
# - data:
91
# - key: client_id
92
# objectName: client_id
93
# - key: client_secret
94
# objectName: client_secret
95
# secretName: argocd-image-updater-secrets-store
96
# type: Opaque
97
# labels:
98
# app.kubernetes.io/part-of: argocd
99
100
# -- Init containers to add to the image updater pod
101
initContainers: []
102
# - name: download-tools
103
# image: alpine:3.8
104
# command: [sh, -c]
105
# args:
106
# - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - &&
107
# mv linux-amd64/helm /custom-tools/
108
# volumeMounts:
109
# - mountPath: /custom-tools
110
# name: custom-tools
111
112
# -- Priority class for the deployment
113
# @default -- `""`
114
priorityClassName: ""
115
# -- Additional volumeMounts to the image updater main container
116
volumeMounts: []
117
# -- Additional volumes to the image updater pod
118
volumes: []
119
## Use init containers to configure custom tooling
120
## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/
121
## When using the volumes & volumeMounts section bellow, please comment out those above.
122
# - name: custom-tools
123
# emptyDir: {}
124
125
config:
126
# -- Name of the ConfigMap
127
name: argocd-image-updater-config
128
# -- Disable kubernetes events
129
kube.events: false
130
# -- Username to use for Git commits
131
git.user: ""
132
# -- E-Mail address to use for Git commits
133
git.email: ""
134
# -- Changing the Git commit message
135
git.commit-message-template: ""
136
# -- Path to public SSH key mounted in container, or GPG key ID used to sign commits
137
git.commit-signing-key: ""
138
# -- Enables sign off on commits
139
git.commit-sign-off: false
140
# -- Method used to sign Git commits. `openpgp` or `ssh`
141
git.commit-signing-method: ""
142
# -- Argo CD Image Update log level
143
log.level: "info"
144
# -- Argo CD Image Updater registries list configuration. More information [here](https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/).
145
registries: []
146
# - name: Docker Hub
147
# api_url: https://registry-1.docker.io
148
# ping: yes
149
# credentials: secret:foo/bar#creds
150
# defaultns: library
151
# - name: Google Container Registry
152
# api_url: https://gcr.io
153
# prefix: gcr.io
154
# ping: no
155
# credentials: pullsecret:foo/bar
156
# - name: RedHat Quay
157
# api_url: https://quay.io
158
# ping: no
159
# prefix: quay.io
160
# credentials: env:REGISTRY_SECRET
161
# - name: ECR
162
# api_url: https://123456789.dkr.ecr.eu-west-1.amazonaws.com
163
# prefix: 123456789.dkr.ecr.eu-west-1.amazonaws.com
164
# ping: yes
165
# insecure: no
166
# credentials: ext:/scripts/auth1.sh
167
# credsexpire: 10h
168
# - name: Azure Container Registry
169
# api_url: https://acr1.azurecr.io
170
# prefix: acr1.azurecr.io
171
# ping: yes
172
# credentials: ext:/scripts/azure-workload-identity.sh
173
# credsexpire: 1h
174
175
sshConfig:
176
# -- Name of the sshConfig ConfigMap
177
name: argocd-image-updater-ssh-config
178
# -- Argo CD Image Updater ssh client parameter configuration
179
config: ""
180
# config: |
181
# Host *
182
# PubkeyAcceptedAlgorithms +ssh-rsa
183
# HostkeyAlgorithms +ssh-rsa
184
# whether to mount authentication scripts, if enabled, the authentication scripts will be mounted on /scripts that can be used to authenticate with registries (Azure, ECR)
185
# refer to https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/#specifying-credentials-for-accessing-container-registries for more info
186
authScripts:
187
# -- Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts`
188
enabled: false
189
# -- Name of the authentication scripts ConfigMap
190
name: argocd-image-updater-authscripts
191
# -- Map of key-value pairs where the key consists of the name of the script and the value the contents.
192
## Expect the script to output Docker credentials in the form: <username>:<password>
193
## Authentication scripts can be used for various cloud providers like ECR or Azure Workload Identity.
194
## For Azure Workload Identity, you can place your authentication script here to handle token acquisition.
195
scripts: {}
196
# auth1.sh: |
197
# #!/bin/sh
198
# echo "auth script 1 here"
199
# auth2.sh: |
200
# #!/bin/sh
201
# echo "auth script 2 here"
202
# azure-workload-identity.sh: |
203
# #!/bin/sh
204
# # Example script for Azure Workload Identity.
205
# # This script would typically use environment variables set by the workload identity
206
# # to acquire an Azure AD token and authenticate with Azure Container Registry (ACR).
207
# # It should output the Docker username and password on stdout, e.g., '00000000-0000-0000-0000-000000000000:<token>'
208
serviceAccount:
209
# -- Specifies whether a service account should be created
210
create: true
211
# -- Annotations to add to the service account
212
annotations: {}
213
# Example for Azure Workload Identity:
214
# azure.workload.identity/client-id: "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
215
# -- Labels to add to the service account
216
labels: {}
217
# Example for Azure Workload Identity:
218
# azure.workload.identity/use: "true"
219
# -- The name of the service account to use.
220
# If not set and create is true, a name is generated using the fullname template.
221
name: ""
222
# -- Pod Annotations for the deployment
223
podAnnotations: {}
224
# -- Pod Labels for the deployment
225
podLabels: {}
226
# azure.workload.identity/use: "true"
227
228
# -- Pod security context settings for the deployment
229
# @default -- See [values.yaml]
230
podSecurityContext:
231
runAsNonRoot: true
232
# -- Security context settings for the deployment
233
# @default -- See [values.yaml]
234
securityContext:
235
allowPrivilegeEscalation: false
236
capabilities:
237
drop:
238
- ALL
239
readOnlyRootFilesystem: true
240
runAsNonRoot: true
241
seccompProfile:
242
type: RuntimeDefault
243
rbac:
244
# -- Enable RBAC creation
245
enabled: true
246
# -- Pod memory and cpu resource settings for the deployment
247
resources: {}
248
# -- Kubernetes nodeSelector settings for the deployment
249
nodeSelector: {}
250
# -- Kubernetes toleration settings for the deployment
251
tolerations: []
252
# -- Kubernetes affinity settings for the deployment
253
affinity: {}
254
# Metrics configuration
255
metrics:
256
# -- Deploy metrics service
257
enabled: false
258
service:
259
# -- Metrics service annotations
260
annotations: {}
261
# -- Metrics service labels
262
labels: {}
263
# -- Metrics service port
264
servicePort: 8443
265
serviceMonitor:
266
# -- Enable a prometheus ServiceMonitor
267
enabled: false
268
# -- Prometheus ServiceMonitor interval
269
interval: 30s
270
# -- Prometheus [RelabelConfigs] to apply to samples before scraping
271
relabelings: []
272
# -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion
273
metricRelabelings: []
274
# -- Prometheus ServiceMonitor selector
275
selector: {}
276
# promtheus: kube-prometheus
277
278
# -- Prometheus ServiceMonitor namespace
279
namespace: ""
280
# -- Prometheus ServiceMonitor labels
281
additionalLabels: {}
282
containerPorts:
283
# -- Port for the webhook events
284
webhook: 8082
285
# -- Port for the probe endpoint
286
health: 8081
287
# -- Port for the metrics
288
metrics: 8443
289
## Service configuration
290
service:
291
# -- Enable a Service for the webhook endpoint. A Service is created when this is set to true or when `ingress.enabled` is true
292
enabled: false
293
# -- Service annotations
294
annotations: {}
295
# -- Service labels
296
labels: {}
297
# -- Service type
298
type: ClusterIP
299
# -- Service http port for NodePort service type (only if `service.type` is set to "NodePort")
300
nodePortHttp: 30080
301
# -- Service http port
302
port: 8080
303
# -- Service http port name, can be used to route traffic via istio
304
servicePortHttpName: server-port
305
# -- The class of the load balancer implementation
306
loadBalancerClass: ""
307
# -- LoadBalancer will get created with the IP specified in this field
308
loadBalancerIP: ""
309
# -- Source IP ranges to allow access to service from
310
## EKS Ref: https://repost.aws/knowledge-center/eks-cidr-ip-address-loadbalancer
311
## GKE Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview#limit-connectivity-ext-lb
312
loadBalancerSourceRanges: []
313
# -- Service external IPs
314
externalIPs: []
315
# -- Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints
316
## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
317
externalTrafficPolicy: Cluster
318
# -- Used to maintain session affinity. Supports `ClientIP` and `None`
319
## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
320
sessionAffinity: None
321
# Ingress for the deployment
322
ingress:
323
# -- Enable an ingress resource for the deployment
324
enabled: false
325
# -- Additional ingress labels
326
labels: {}
327
# -- Additional ingress annotations
328
annotations: {}
329
# -- Defines which ingress controller will implement the resource
330
ingressClassName: ""
331
# -- deployment hostname
332
# @default -- `""` (defaults to global.domain)
333
hostname: ""
334
# -- The path to deployment
335
path: /webhook
336
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
337
pathType: Prefix
338
# -- The list of additional hostnames to be covered by ingress record
339
# @default -- `[]` (See [values.yaml])
340
extraHosts: []
341
# - name: argocd.example.com
342
# path: /
343
344
# -- Additional ingress paths
345
# @default -- `[]` (See [values.yaml])
346
## Note: Supports use of custom Helm templates
347
extraPaths: []
348
# - path: /*
349
# pathType: Prefix
350
# backend:
351
# service:
352
# name: ssl-redirect
353
# port:
354
# name: use-annotation
355
356
# -- Ingress TLS configuration
357
tls: []
358
# - secretName: argoworkflows-example-tls
359
# hosts:
360
# - argoworkflows.example.com
361
# Configure dual-stack
362
dualStack:
363
# -- IP family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
364
ipFamilyPolicy: ""
365
# -- IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
366
ipFamilies: []
367
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.