ArgoCD is a declarative GitOps tool used for continuous delivery, and one of the finest tools in the GitOps space. Helm 3 supports hosting charts in OCI format in a container registry.
Use Case
Allow ArgoCD running on GKE (Google Kubernetes Engine) to access Helm charts hosted in OCI format in a private Google Cloud container registry or in Google Cloud Artifact Registry.
Tech
- Google Kubernetes Engine (GKE)
- ArgoCD deployed on GKE with its Helm chart
- Helm charts stored in Artifact Registry in OCI format
- Google Cloud Artifact Registry (GCAR)
- Workload Identity used to authenticate ArgoCD with GCAR
Setup
1. Set up Workload Identity so that the ArgoCD Kubernetes service account can access GCAR. There is an option to use a service account key, but Workload Identity is preferred because no long-lived key is created or stored in the cluster. We will use Terraform and the Terraform module for Workload Identity setup.
module "my-app-workload-identity" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version = "27.0.0"

  # Create a new Google service account; no key file is generated for it.
  use_existing_gcp_sa = false
  name                = var.service_account_name      # name shared by the Google and Kubernetes service accounts
  project_id          = var.gce_project_where_deploy

  # Create the Kubernetes service account in ArgoCD's namespace and bind it to the
  # Google service account (the module grants roles/iam.workloadIdentityUser and
  # adds the iam.gke.io/gcp-service-account annotation).
  use_existing_k8s_sa = false
  namespace           = var.kubernetes_namespace
}
2. Grant the Google service account read access to GCAR.
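The grant from step 2 written in Terraform, as an added example that is not part of the original post. It references the `my-app-workload-identity` module declared in step 1 and assumes the same input variables; `var.artifact_registry_location` and `var.helm_repository_id` are additional placeholders introduced here.

```hcl
# Added example (not from the original post): read-only access to a single
# Artifact Registry repository for the Google service account created in step 1.
variable "artifact_registry_location" {
  description = "Region of the Artifact Registry repository (assumed placeholder)"
  type        = string
}

variable "helm_repository_id" {
  description = "Repository id that holds the OCI Helm charts (assumed placeholder)"
  type        = string
}

resource "google_artifact_registry_repository_iam_member" "argocd_chart_reader" {
  project    = var.gce_project_where_deploy
  location   = var.artifact_registry_location
  repository = var.helm_repository_id

  # Least privilege: reader only, and scoped to this one repository rather than
  # the whole project. ArgoCD never needs to push charts.
  role   = "roles/artifactregistry.reader"
  member = "serviceAccount:${module.my-app-workload-identity.gcp_service_account_email}"
}
```

If the charts live in the legacy Container Registry (gcr.io) instead of Artifact Registry, the equivalent read permission is `roles/storage.objectViewer` on the registry's storage bucket, since Container Registry is backed by Cloud Storage.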
3. Deploy the ArgoCD Helm chart with an additional values file that installs a credential helper, so that the repo-server can obtain short-lived registry tokens through Workload Identity.
# ${service_account_name} is a placeholder that is substituted before the values
# file is applied (for example with Terraform's templatefile); it must match the
# name given to the workload-identity module in step 1.
global:
  securityContext:
    fsGroup: 999      # argocd user/group inside the images
    runAsUser: 999
  logging:
    level: error
dex:
  serviceAccount:
    create: false
    name: "${service_account_name}"
controller:
  serviceAccount:
    create: false
    name: "${service_account_name}"
repoServer:
  serviceAccount:
    create: false
    name: "${service_account_name}"   # Kubernetes SA bound to the Google SA via Workload Identity
  initContainers:
    # Downloads docker-credential-gcr and writes a Docker config that points the
    # registry hosts at the helper. The resulting config.json contains no secrets,
    # only the credHelpers mapping; tokens are fetched from the GKE metadata
    # server at pull time and never stored on disk.
    - name: download-tools
      image: alpine:3
      command: [ sh, -c ]
      args:
        - |
          cd /var/run/docker-credential-gcr
          # Consider verifying the release checksum before extracting, since this
          # binary handles registry credentials.
          wget -qO - https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.1.8/docker-credential-gcr_linux_amd64-2.1.8.tar.gz | tar xz
          # HOME is redirected so the config lands in the shared docker-config volume.
          # For Artifact Registry hosts (*-docker.pkg.dev) check the helper's
          # configure-docker flags (for example --include-artifact-registry).
          PATH=.:$PATH HOME=/var/run/config docker-credential-gcr configure-docker
          chmod +r /var/run/config/.docker/config.json
      volumeMounts:
        - mountPath: /var/run/docker-credential-gcr
          name: docker-credential-gcr
        - mountPath: /var/run/config/.docker
          name: docker-config
  # The main repo-server container gets the helper binary and the Docker config
  # read-only; Helm finds them via /home/argocd/.docker/config.json.
  volumeMounts:
    - mountPath: /usr/local/bin/docker-credential-gcr
      name: docker-credential-gcr
      subPath: docker-credential-gcr
      readOnly: true
    - mountPath: /home/argocd/.docker
      name: docker-config
      readOnly: true
  volumes:
    - emptyDir: {}
      name: docker-credential-gcr
    - emptyDir: {}
      name: docker-config
If everything is in place, ArgoCD will be able to pull Helm charts from the Google Cloud container registry.
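To make use of the access set up above, ArgoCD still needs the OCI registry registered as a Helm repository and an Application that points at it. The following is an added example, not code from the original post, written for the Terraform `kubernetes` provider so it fits the Terraform-driven setup; the registry host, project, repository, chart name and version are assumed placeholders, and `var.kubernetes_namespace` is the ArgoCD namespace from step 1.

```hcl
# Added example (not from the original post): register the OCI chart registry
# with ArgoCD and deploy one chart from it.
locals {
  # Artifact Registry Docker repository holding the OCI charts (assumed placeholder).
  chart_registry = "europe-west1-docker.pkg.dev/my-gcp-project/helm-charts"
}

# ArgoCD discovers repositories from Secrets carrying this label. No username or
# password is stored: the repo-server's docker-credential-gcr helper obtains a
# short-lived token through Workload Identity at pull time.
resource "kubernetes_secret" "helm_oci_repo" {
  metadata {
    name      = "gcar-helm-charts"
    namespace = var.kubernetes_namespace
    labels = {
      "argocd.argoproj.io/secret-type" = "repository"
    }
  }

  # The provider base64-encodes these values for the Secret.
  data = {
    type      = "helm"
    name      = "gcar-helm-charts"
    url       = local.chart_registry
    enableOCI = "true"
  }
}

resource "kubernetes_manifest" "my_app" {
  manifest = {
    apiVersion = "argoproj.io/v1alpha1"
    kind       = "Application"
    metadata = {
      name      = "my-app"
      namespace = var.kubernetes_namespace
    }
    spec = {
      project = "default"
      source = {
        repoURL        = local.chart_registry
        chart          = "my-app" # chart name inside the OCI repository (assumed)
        targetRevision = "1.2.3"  # pin an exact chart version so a sync never silently picks up a new one
      }
      destination = {
        server    = "https://kubernetes.default.svc"
        namespace = "my-app"
      }
      syncPolicy = {
        automated   = { prune = true, selfHeal = true }
        syncOptions = ["CreateNamespace=true"]
      }
    }
  }

  depends_on = [kubernetes_secret.helm_oci_repo]
}
```

`kubernetes_manifest` needs the Application CRD to exist at plan time, so apply this after the ArgoCD chart from step 3 is installed (a separate Terraform state or a second apply). If the pull fails, the repo-server logs are the first place to look: a 401 or 403 from the registry points at the IAM grant from step 2 or at a registry host that the credential helper was not configured for.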