argocd-image-updater

Automate container image updates for Kubernetes workloads managed by Argo CD. USE WHEN configuring ArgoCD Image Updater, setting up automatic image updates, configuring update strategies (semver, digest, newest-build, alphabetical), implementing git write-back, troubleshooting image update issues, or working with ImageUpdater CRDs. Covers installation, configuration, authentication, and best practices.

16 stars

bydiegosouzapw

View on GitHub Installation ↓

Best use case

argocd-image-updater is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using argocd-image-updater should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/argocd-image-updater/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/devops/argocd-image-updater/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/argocd-image-updater/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How argocd-image-updater Compares

Feature / Agent	argocd-image-updater	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# ArgoCD Image Updater Skill

ArgoCD Image Updater is a tool that automates updating container images of Kubernetes workloads managed by Argo CD. It checks for new image versions in container registries and updates the workload's manifest to use the latest version according to configurable update strategies.

## Quick Reference

### Installation (Basic)

```bash
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/config/install.yaml
```

### Installation with Helm

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm install argocd-image-updater argo/argocd-image-updater -n argocd
```

## Core Concepts

### Update Strategies

| Strategy | Description | Use Case |
|----------|-------------|----------|
| `semver` | Semantic versioning with constraints | Production apps with version control |
| `newest-build` | Most recently built image | CI/CD pipelines, dev environments |
| `digest` | Track mutable tags via SHA digest | When using `latest` or other mutable tags |
| `alphabetical` | Lexical sort (CalVer, custom schemes) | Calendar versioning, custom schemes |

### Update Methods (Write-Back)

| Method | Description | Persistence |
|--------|-------------|-------------|
| `argocd` | Updates via Argo CD API (default) | Pseudo-persistent (survives restarts) |
| `git` | Commits changes to Git repository | Permanent (requires Argo CD v2.0+) |

## ImageUpdater CRD (v1.0.0+)

The recommended configuration approach uses the ImageUpdater Custom Resource Definition:

```yaml
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: my-image-updater
  namespace: argocd
spec:
  namespace: argocd
  commonUpdateSettings:
    updateStrategy: "semver"
    forceUpdate: false
  applicationRefs:
    - namePattern: "my-app-*"
      images:
        - alias: "myimage"
          imageName: "myregistry/myimage"
```

## Update Strategies Configuration

### Semver Strategy

Best for production applications with semantic versioning:

```yaml
spec:
  applicationRefs:
    - namePattern: "production-*"
      images:
        - alias: "app"
          imageName: "myregistry/app:1.x"
          commonUpdateSettings:
            updateStrategy: "semver"
```

**Semver Constraints:**

- `1.x` or `1.*` - Any 1.x.x version
- `1.2.x` - Any 1.2.x version
- `>=1.0.0 <2.0.0` - Range constraints
- `~1.2.3` - Patch-level changes (>=1.2.3 <1.3.0)
- `^1.2.3` - Minor-level changes (>=1.2.3 <2.0.0)

### Newest-Build Strategy

For CI/CD pipelines where you want the most recently pushed image:

```yaml
spec:
  applicationRefs:
    - namePattern: "dev-*"
      images:
        - alias: "app"
          imageName: "myregistry/app"
          commonUpdateSettings:
            updateStrategy: "newest-build"
```

### Digest Strategy

Track mutable tags (like `latest`) via their SHA digest:

```yaml
spec:
  applicationRefs:
    - namePattern: "staging-*"
      images:
        - alias: "app"
          imageName: "myregistry/app:latest"
          commonUpdateSettings:
            updateStrategy: "digest"
```

### Alphabetical Strategy

For CalVer or custom versioning schemes:

```yaml
spec:
  applicationRefs:
    - namePattern: "calver-*"
      images:
        - alias: "app"
          imageName: "myregistry/app"
          commonUpdateSettings:
            updateStrategy: "alphabetical"
```

## Git Write-Back Configuration

For permanent, GitOps-native updates:

```yaml
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: my-image-updater
  namespace: argocd
spec:
  namespace: argocd
  writeBackConfig:
    method: "git"
    gitConfig:
      repository: "git@github.com:myorg/myrepo.git"
      branch: "main"
      writeBackTarget: "helmvalues:./values.yaml"
  applicationRefs:
    - namePattern: "my-app-*"
      images:
        - alias: "nginx"
          imageName: "nginx:1.20"
          manifestTargets:
            helm:
              name: "image.repository"
              tag: "image.tag"
```

### Write-Back Targets

| Target | Description |
|--------|-------------|
| `.argocd-source-<appName>.yaml` | Default, creates parameter override file |
| `kustomization` | Updates kustomization.yaml |
| `helmvalues:<path>` | Updates specified Helm values file |

## Authentication

### Registry Authentication with Kubernetes Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: docker-registry-secret
  namespace: argocd
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-docker-config>
```

Reference in ImageUpdater:

```yaml
spec:
  registries:
    - name: myregistry
      prefix: myregistry.example.com
      credentials: pullsecret:argocd/docker-registry-secret
```

### Git Credentials for Write-Back

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: git-creds
  namespace: argocd
type: Opaque
stringData:
  username: git
  password: <your-token-or-password>
```

## Annotations Reference (Legacy)

For applications not using ImageUpdater CRD:

```yaml
metadata:
  annotations:
    argocd-image-updater.argoproj.io/image-list: myimage=myregistry/myimage
    argocd-image-updater.argoproj.io/myimage.update-strategy: semver
    argocd-image-updater.argoproj.io/myimage.allow-tags: regexp:^[0-9]+\.[0-9]+\.[0-9]+$
    argocd-image-updater.argoproj.io/write-back-method: git
```

## Common Operations

### Check Image Updater Logs

```bash
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-image-updater -f
```

### Force Update Check

```bash
kubectl rollout restart deployment argocd-image-updater -n argocd
```

### List Managed Applications

```bash
kubectl get applications -n argocd -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.argocd-image-updater\.argoproj\.io/image-list}{"\n"}{end}'
```

### Verify ImageUpdater CRDs

```bash
kubectl get imageupdaters -n argocd
kubectl describe imageupdater <name> -n argocd
```

## Troubleshooting

### Common Issues

1. **Images not updating**
   - Check logs for authentication errors
   - Verify registry credentials are correct
   - Ensure application is managed by Argo CD
   - Check if update strategy matches your tagging scheme

2. **Git write-back failing**
   - Verify Git credentials secret exists
   - Check branch name is correct
   - Ensure repository URL is accessible
   - Verify SSH key or token has write permissions

3. **Wrong image version selected**
   - Review update strategy configuration
   - Check tag filtering rules (allow-tags, ignore-tags)
   - Verify semver constraints are correct

### Debug Commands

```bash
# Check Image Updater status
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-image-updater

# View detailed logs
kubectl logs -n argocd deployment/argocd-image-updater --tail=100

# Check ImageUpdater CR status
kubectl get imageupdater -n argocd -o yaml
```

## Namespace Scoping

The `spec.namespace` field in ImageUpdater CRD controls which namespace to discover Argo CD Applications from.

### Single Namespace (Default)

```yaml
spec:
  namespace: argocd  # Only discover Applications in argocd namespace
```

### Multi-Namespace Patterns

For multi-tenant clusters where Applications exist in multiple namespaces:

```yaml
# Option 1: Deploy separate ImageUpdater CRs per namespace
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: team-a-updater
  namespace: argocd
spec:
  namespace: team-a-apps  # Scope to team-a's Application namespace
  applicationRefs:
    - namePattern: "*"
---
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: team-b-updater
  namespace: argocd
spec:
  namespace: team-b-apps  # Scope to team-b's Application namespace
```

### Cross-Namespace Secrets

When ImageUpdater runs in `argocd` namespace but needs secrets from other namespaces:

1. **Registry credentials**: Use `pullsecret:NAMESPACE/SECRET-NAME` format
2. **Git credentials**: Reference secrets with full namespace path
3. **RBAC**: Grant ImageUpdater's ServiceAccount access via RoleBindings in target namespaces

```yaml
# Example: Grant secrets access in team-a namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: image-updater-secrets
  namespace: team-a  # Target namespace with secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
  - kind: ServiceAccount
    name: argocd-image-updater
    namespace: argocd  # ImageUpdater's namespace
```

## Best Practices

1. **Use specific version constraints** - Avoid overly broad semver constraints in production
2. **Implement tag filtering** - Use allow-tags/ignore-tags to exclude unwanted versions
3. **Use Git write-back for production** - Ensures changes are tracked in Git
4. **Separate registries by environment** - Different credentials for dev/staging/prod
5. **Monitor Image Updater logs** - Set up alerting for update failures
6. **Test updates in staging first** - Use different update policies per environment

## Limitations

- Only works with Argo CD managed applications
- Requires direct or API access to container registries
- Git write-back requires Argo CD v2.0+
- Cannot update images in init containers by default (requires configuration)

## Additional Resources

- [Official Documentation](https://argocd-image-updater.readthedocs.io/en/stable/)
- [GitHub Repository](https://github.com/argoproj-labs/argocd-image-updater)
- [Argo CD Documentation](https://argo-cd.readthedocs.io/en/stable/)

See `references/` directory for detailed guides on specific topics.

Related Skills

azure-ai-vision-imageanalysis-py

from diegosouzapw/awesome-omni-skill

Azure AI Vision Image Analysis SDK for captions, tags, objects, OCR, people detection, and smart cropping. Use for computer vision and image understanding tasks.

argocd

from diegosouzapw/awesome-omni-skill

GitOps continuous delivery for Kubernetes with ArgoCD. Use when creating/managing ArgoCD Applications, ApplicationSets, App of Apps patterns, Helm/Kustomize deployments, sync configurations, RBAC/projects setup, notifications, health checks, or private repository configuration.

argocd-generator

from diegosouzapw/awesome-omni-skill

Generates ArgoCD Application manifests following the App-of-Apps pattern.

argocd-expert

from diegosouzapw/awesome-omni-skill

Expert-level ArgoCD GitOps deployment, application management, sync strategies, and production operations

argocd-bootstrap

from diegosouzapw/awesome-omni-skill

Deploy and manage ArgoCD using the App-of-Apps pattern. Covers bootstrap Applications, ApplicationSets, and GitOps workflows. Use when setting up or troubleshooting ArgoCD deployments.

argocd-audit

from diegosouzapw/awesome-omni-skill

Audits ArgoCD Application manifests and raw K8s resources for anti-patterns, security issues, and best practice violations. Use when asked to audit, review, or check ArgoCD/GitOps quality. Generates a comprehensive report under reports/YYYY-MM-DD/argocd-audit.md. (project)

rule-updater

from diegosouzapw/awesome-omni-skill

Skill for programmatically reading, updating, and creating Cursor rules based on patterns and lessons learned

md-to-image

from diegosouzapw/awesome-omni-skill

Convert Markdown tables to PNG images for Telegram, WhatsApp, and other chat interfaces that don't support table formatting.

html-to-image-automation

from diegosouzapw/awesome-omni-skill

Automate Html To Image tasks via Rube MCP (Composio). Always search tools first for current schemas.

image-to-3d-pipeline

from diegosouzapw/awesome-omni-skill

Transformez une image 2D en modèle 3D animé prêt pour le web ou le jeu en moins de 30 minutes, en utilisant le workflow Dilum Sanjaya (Hunyuan3D + Mixamo). Use when: **Créer un personnage 3D pour un site web** - Mascotte, avatar, illustration interactive; **Prototyper un asset de jeu** - Character design, props, environnements; **Produire du contenu marketing 3D** - Produits rotatifs, personnages animés; **Convertir des illustrations existantes** - Logo, mascotte, character design → 3D; **Tes...

appimage-builder

from diegosouzapw/awesome-omni-skill

Build AppImage bundles with AppDir structure for portable Linux applications

tech-article-image

from diegosouzapw/awesome-omni-skill

为技术文章生成高质量主题配图。触发场景：(1)用户要求为文章配图/生成题图/制作封面图 (2)用户上传技术文章并要求生成配图 (3)用户提到"给文章配个图"、"生成主题图"、"做张封面"。核心能力：分析文章主题和情绪，从25种反AI油腻感的风格中匹配最佳选项，生成专业级图像提示词。支持MCP生图工具自动生成，无MCP时输出提示词供手动使用。