Jānis Orlovs

ArgoCD Storing Helm Charts OCI format in Private GCR

ArgoCD is a declarative GitOps tool used for continuous delivery. It’s one of the finest tools in the GitOps space. Helm 3 supports hosting charts in OCI format in a container registry.



Use Case

Allow ArgoCD on GKE (Google Kubernetes Engine) to access Helm charts hosted in OCI format in a private Google Cloud container registry or the Google Cloud Artifact Registry service.




Tech

- Google Kubernetes Engine (GKE)

- ArgoCD deployed on GKE with a Helm chart

- Helm charts stored in Artifact Registry in OCI format

- Google Cloud Artifact Registry (GCAR)

- Workload Identity used to authenticate ArgoCD with GCAR


Setup

1. Set up Workload Identity so that the ArgoCD Kubernetes service account can access GCAR. A service account key is also an option, but Workload Identity is preferred. We will use Terraform and the Terraform workload-identity module for the setup.


module "my-app-workload-identity" {
  source                          = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version                         = "27.0.0"
  use_existing_gcp_sa             = false
  name                            = "${service_accont_name}"
  project_id                      = "${gce_project_where_deploy}"
  use_existing_k8s_sa             = false
  namespace                       = "${kubernetes_namespace}"
}

2. Grant the service account access to GCAR.
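
One way to do step 2 with Terraform, as an added example that is not from the original post: it binds the read-only `roles/artifactregistry.reader` role on a single repository to the Google service account created by the module in step 1. The variable names are assumptions; `gcp_service_account_email` is an output of the workload-identity module.

```hcl
# Added example: repository-scoped read access for the ArgoCD service account.
# var.project_id, var.region and var.helm_repository_id are assumed names.

variable "project_id" { type = string }
variable "region" { type = string }
variable "helm_repository_id" { type = string }

# Weak alternative (avoid): a project-level grant such as
#   google_project_iam_member with role "roles/artifactregistry.admin"
# would let the repo-server identity push or delete in every repository.

# Least privilege: read-only, bound to the one repository holding the charts.
resource "google_artifact_registry_repository_iam_member" "argocd_chart_reader" {
  project    = var.project_id
  location   = var.region
  repository = var.helm_repository_id
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:${module.my-app-workload-identity.gcp_service_account_email}"
}

# Expose the identity so the binding can be audited after apply.
output "argocd_gsa_email" {
  value = module.my-app-workload-identity.gcp_service_account_email
}
```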

3. Deploy the ArgoCD Helm chart with an additional values file that generates temporary tokens.


global:
  securityContext:
    fsGroup: 999
    runAsUser: 999
  logging:
    level: error
dex:
  serviceAccount:
    create: false
    name: "${service_accont_name}"
controller:
  serviceAccount:
    create: false
    name: "${service_accont_name}"
repoServer:
  serviceAccount:
    create: false
    name: "${service_accont_name}"
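  # Init container: downloads the docker-credential-gcr helper and writes a Docker
  # config that references it; both reach repo-server through emptyDir volumes.
  initContainers:
    - name: download-tools
      image: alpine:3
      command: [ sh, -c ]
      args:
      - |
        cd /var/run/docker-credential-gcr
        # The release archive is unpacked without an integrity check; compare its
        # SHA-256 with a pinned value first if the download path is not trusted.
        wget -qO - https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.1.8/docker-credential-gcr_linux_amd64-2.1.8.tar.gz | tar xz
        PATH=.:$PATH HOME=/var/run/config docker-credential-gcr configure-docker
        chmod +r /var/run/config/.docker/config.json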
      volumeMounts:
      - mountPath: /var/run/docker-credential-gcr
        name: docker-credential-gcr
      - mountPath: /var/run/config/.docker
        name: docker-config
  volumeMounts:
    - mountPath: /usr/local/bin/docker-credential-gcr
      name: docker-credential-gcr
      subPath: docker-credential-gcr
      readOnly: true
    - mountPath: /home/argocd/.docker
      name: docker-config
      readOnly: true
  volumes:
    - emptyDir: {}
      name: docker-credential-gcr
    - emptyDir: {}
      name: docker-config

If all is good, ArgoCD will be able to pull Helm charts from the Google Cloud container registry.


