+- DevOps Discussion Forum (https://forums.geekssolutions.io)
+-- Forum: Cloud Computing (https://forums.geekssolutions.io/forumdisplay.php?fid=10)
+--- Forum: DevOps (https://forums.geekssolutions.io/forumdisplay.php?fid=14)
+--- Thread: ArgoCD + Image Updater + GHCR Setup (/showthread.php?tid=19)
ArgoCD + Image Updater + GHCR Setup - Amey Bhargave - 04-07-2026
Thread Title: ArgoCD + GHCR + Image Updater Setup (Production Guide)
? ArgoCD + Image Updater + GHCR Setup (Production)
This guide covers:
- GHCR secret setup
- ArgoCD repo registration
- Application deployment
- Image updater configuration
- RBAC setup
⚠️ Important
Never expose real GitHub tokens in public threads.
Replace all tokens with placeholders before sharing.
? Step 1: Create GHCR Secret (App Namespace)
Code:
kubectl -n <APP_NAMESPACE> create secret docker-registry ghcr-regcred
--docker-server=ghcr.io
--docker-username='<GITHUB_USERNAME>'
--docker-password='<GITHUB_TOKEN>'? Step 2: Create GHCR Secret (ArgoCD Namespace)
Code:
kubectl -n <ARGOCD_NAMESPACE> create secret docker-registry ghcr-regcred
--docker-server=ghcr.io
--docker-username='<GITHUB_USERNAME>'
--docker-password='<GITHUB_TOKEN>'? Step 3: Create Git Credentials Secret
Code:
kubectl -n <ARGOCD_NAMESPACE> create secret generic argocd-image-updater-git-creds
--from-literal=username='<GITHUB_USERNAME>'
--from-literal=password='<GITHUB_TOKEN>'? Step 4: Register Git Repository in ArgoCD
Code:
apiVersion: v1
kind: Secret
metadata:
name: <REPO_SECRET_NAME>
labels:
argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
type: git
url: [url=https://github.com/]https://github.com/[/url]/.git
username: '<GITHUB_USERNAME>'
password: '<GITHUB_TOKEN>'Code:
kubectl -n <ARGOCD_NAMESPACE> apply -f repo-secret.yaml? Step 5: Create ArgoCD Application
Code:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: <APPLICATION_NAME>
namespace: <ARGOCD_NAMESPACE>
spec:
project: <PROJECT_NAME>
source:
repoURL: [url=https://github.com/]https://github.com/[/url]/.git
targetRevision:
path:
destination:
server: [url=https://kubernetes.default.svc/]https://kubernetes.default.svc[/url]
namespace: <APP_NAMESPACE>
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true? Step 6: Configure ArgoCD Image Updater
Code:
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
name: <IMAGE_UPDATER_NAME>
namespace: <ARGOCD_NAMESPACE>
spec:
namespace: <ARGOCD_NAMESPACE>
applicationRefs:
- namePattern: <APPLICATION_NAME>
images:
- alias:
imageName: ghcr.io//<IMAGE_NAME>
commonUpdateSettings:
updateStrategy: newest-build
allowTags: regexp:^(sha-)?[0-9a-f]{7,40}$
pullSecret: pullsecret:<ARGOCD_NAMESPACE>/ghcr-regcred
manifestTargets:
kustomize:
name: ghcr.io//<IMAGE_NAME>
writeBackConfig:
method: git
gitConfig:
branch:
writeBackTarget: kustomization:.? Step 7: Create RBAC Role
Code:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-image-updater-secret-reader
namespace: <APP_NAMESPACE>
rules:
[list]
[*]apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]? Step 8: Create RBAC RoleBinding
Code:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-image-updater-secret-reader
namespace: <APP_NAMESPACE>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-image-updater-secret-reader
subjects:
[list]
[*]kind: ServiceAccount
name: argocd-image-updater-controller
namespace: <ARGOCD_NAMESPACE>✅ Final Notes
Verify:
Code:
kubectl get applications -n <ARGOCD_NAMESPACE>
kubectl logs -n <ARGOCD_NAMESPACE> deploy/argocd-image-updater