04-07-2026, 06:54 AM
Thread Title: ArgoCD + GHCR + Image Updater Setup (Production Guide)
? ArgoCD + Image Updater + GHCR Setup (Production)
This guide covers:
⚠️ Important
Never expose real GitHub tokens in public threads.
Replace all tokens with placeholders before sharing.
? Step 1: Create GHCR Secret (App Namespace)
? Step 2: Create GHCR Secret (ArgoCD Namespace)
? Step 3: Create Git Credentials Secret
? Step 4: Register Git Repository in ArgoCD
Apply using:
? Step 5: Create ArgoCD Application
? Step 6: Configure ArgoCD Image Updater
? Step 7: Create RBAC Role
[/list]
? Step 8: Create RBAC RoleBinding
[/list]
✅ Final Notes
Verify:
? ArgoCD + Image Updater + GHCR Setup (Production)
This guide covers:
- GHCR secret setup
- ArgoCD repo registration
- Application deployment
- Image updater configuration
- RBAC setup
⚠️ Important
Never expose real GitHub tokens in public threads.
Replace all tokens with placeholders before sharing.
? Step 1: Create GHCR Secret (App Namespace)
Code:
kubectl -n <APP_NAMESPACE> create secret docker-registry ghcr-regcred
--docker-server=ghcr.io
--docker-username='<GITHUB_USERNAME>'
--docker-password='<GITHUB_TOKEN>'? Step 2: Create GHCR Secret (ArgoCD Namespace)
Code:
kubectl -n <ARGOCD_NAMESPACE> create secret docker-registry ghcr-regcred
--docker-server=ghcr.io
--docker-username='<GITHUB_USERNAME>'
--docker-password='<GITHUB_TOKEN>'? Step 3: Create Git Credentials Secret
Code:
kubectl -n <ARGOCD_NAMESPACE> create secret generic argocd-image-updater-git-creds
--from-literal=username='<GITHUB_USERNAME>'
--from-literal=password='<GITHUB_TOKEN>'? Step 4: Register Git Repository in ArgoCD
Code:
apiVersion: v1
kind: Secret
metadata:
name: <REPO_SECRET_NAME>
labels:
argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
type: git
url: [url=https://github.com/]https://github.com/[/url]/.git
username: '<GITHUB_USERNAME>'
password: '<GITHUB_TOKEN>'Code:
kubectl -n <ARGOCD_NAMESPACE> apply -f repo-secret.yaml? Step 5: Create ArgoCD Application
Code:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: <APPLICATION_NAME>
namespace: <ARGOCD_NAMESPACE>
spec:
project: <PROJECT_NAME>
source:
repoURL: [url=https://github.com/]https://github.com/[/url]/.git
targetRevision:
path:
destination:
server: [url=https://kubernetes.default.svc/]https://kubernetes.default.svc[/url]
namespace: <APP_NAMESPACE>
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true? Step 6: Configure ArgoCD Image Updater
Code:
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
name: <IMAGE_UPDATER_NAME>
namespace: <ARGOCD_NAMESPACE>
spec:
namespace: <ARGOCD_NAMESPACE>
applicationRefs:
- namePattern: <APPLICATION_NAME>
images:
- alias:
imageName: ghcr.io//<IMAGE_NAME>
commonUpdateSettings:
updateStrategy: newest-build
allowTags: regexp:^(sha-)?[0-9a-f]{7,40}$
pullSecret: pullsecret:<ARGOCD_NAMESPACE>/ghcr-regcred
manifestTargets:
kustomize:
name: ghcr.io//<IMAGE_NAME>
writeBackConfig:
method: git
gitConfig:
branch:
writeBackTarget: kustomization:.? Step 7: Create RBAC Role
Code:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-image-updater-secret-reader
namespace: <APP_NAMESPACE>
rules:
[list]
[*]apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]? Step 8: Create RBAC RoleBinding
Code:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-image-updater-secret-reader
namespace: <APP_NAMESPACE>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-image-updater-secret-reader
subjects:
[list]
[*]kind: ServiceAccount
name: argocd-image-updater-controller
namespace: <ARGOCD_NAMESPACE>✅ Final Notes
Verify:
Code:
kubectl get applications -n <ARGOCD_NAMESPACE>
kubectl logs -n <ARGOCD_NAMESPACE> deploy/argocd-image-updater