-
Notifications
You must be signed in to change notification settings - Fork 226
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow reuse of Argo CD repo credentials #138
Comments
The main reason right now is, that Argo CD API does not return credentials with a repository request, for security reasons. So, there's no way for Image Updater to automatically fetch the credentials. Also, the default SA of image updater has no access to read K8s resources in the I guess one of the upcoming steps of integration is to move the image updater into the |
I also think that in #35, @hawksight suggested to have a globally configurable secret holding Git credentials, so that not each Application would require a dedicated annotation, but repos would need a shared deploy key configured. I'm pretty sure we won't change Argo CD API to also return secrets on repository data retrieval, and making argocd-image-updater deployment to be mandatory in argocd namespace is also more on the long term roadmap, would that be a trade-off you could live with? |
Or maybe, it'd be possible to create a Then,
Or, maybe it's even better to merge the two annotations into one, and then use something like: argocd-image-updater.argoproj.io/write-back-method: git:<credref> where
|
Using RBAC to grant image-updater |
I also like both proposals. Working on PR |
If we are going in that direction we might want to consider loading applications from the same namespace ( in addition to load the list using Argo CD API). Created proposal: #140 |
Per the latest docs argocd-image-updater won't reuse Argo CD repo credentials for Git write-back. Is there a technical reason for the limitation, a security concern, or other? It would be great if users who understand the security implications could configure reuse and avoid adding another annotation to each Application definition.
The text was updated successfully, but these errors were encountered: