Natively support cloud provider Authentication mechanisms for Helm Chart OCI registries

[zeagord]

Summary

Currently the ECR token expires every 12 hours if we use the username and password mechanism to authenticate with ECR. Either we have to use a custom script to update it or update it manually

Motivation

When we host the Helm Charts in a cloud provider registries like ECR. We need a mechnisms to authenticate natively to pull the charts from the private registries

Proposal

This can implemented in proper way by having a AWS IAM integration IRSA (Instance Role for Service Account) with ArgoCD as an optional add-on.

It helps the users to use the ECR as the Helm Chart registry without generating tokens and updating it via scripts or manually in an insecure way.

[jeremydescamps]

Is there any workaround for now ?

[tukak]

@jeremydescamps workaround is to use https://mike7515.github.io/argocd-ecr-updater/

[jeremydescamps]

@jeremydescamps workaround is to use https://mike7515.github.io/argocd-ecr-updater/

What about this ? https://github.com/argoproj/argo-helm/blob/aa418962922d5967aaebe7a7fb362fa21d1104e2/charts/argocd-image-updater/values.yaml#L89-L95

Did you try ?

[tukak]

We don't use argocd-image-updater at the moment, so no experience with that.

[prein]

Another workaround is described in another issue coming from the same problem.
The workaround works, however, having to run a daemon or a cronjob to refresh the token is sub-optimal. This should be supported natively.

[karlderkaefer]

@jeremydescamps I have tested argocd-image-updater. I could not get a solution to work. The updater is primarly used to update docker image and tags. I could not find any sign that helm registries are detected https://github.com/argoproj-labs/argocd-image-updater/blob/master/pkg/argocd/argocd.go although at the least the registry config is picked up.

time="2022-10-31T13:37:39Z" level=info msg="argocd-image-updater v0.12.0+aee153d starting
time="2022-10-31T13:37:39Z" level=info msg="Loaded 1 registry configurations from /app/config/registries.conf"
..
time="2022-10-31T13:37:39Z" level=info msg="Warming up image cache"
time="2022-10-31T13:37:39Z" level=info msg="Finished cache warm-up, pre-loaded 0 meta data entries from 2 registries"
time="2022-10-31T13:37:39Z" level=info msg="Starting image update cycle, considering 0 annotated application(s) for update"
time="2022-10-31T13:37:39Z" level=info msg="Processing results: applications=0 images_considered=0 images_skipped=0 images_updated=0 errors=0"

[alexef]

We’re also using the cronjob approach as a workaround. Having it supported by the system would be much nicer, yes.

[blakepettersson]

Looks like it's related to #10218.

Another way this could be done in the near future is with external-secrets, a PR got recently merged which could be relevant for this use case: external-secrets/external-secrets#1539.

[karlderkaefer]

The existing helm chart for the workaround was not fit enough for our security compliance. I have built an own solution without cronjob. You can check https://github.com/karlderkaefer/argocd-ecr-updater

[ahaw023]

This is also an option: https://external-secrets.io/v0.7.2/guides/generator/

[blakepettersson]

Indeed, check out my comment in #10218

[ahaw023]

@blakepettersson - i wish i saw your post earlier. Would have saved me some time

Thought it was fun figuring out from first principles.

Thanks for the template. Saves me lots of trouble

[blakepettersson]

Closing this issue in favour of #10218