DEV Community: leroykayanda

Freeing up linux disk space

leroykayanda — Sat, 14 Feb 2026 02:16:48 +0000

Check how how much space journal logs are taking up.

sudo journalctl --disk-usage
Archived and active journals take up 4.0G on disk.

sudo du -h --max-depth=1 /var/log/journal | sort -hr
4.1G    /var/log/journal/ec2d0f46985d6ec5013a525e909aa54e
4.1G    /var/log/journal

Keep only 7 days of logs.

sudo journalctl --vacuum-time=7d

Do a docker cleanup.

docker system prune -a
WARNING! This will remove:
  - all stopped containers
  - all networks not used by at least one container
  - all images without at least one container associated to them
  - all build cache

Check how much space container logs are taking.

sudo find /var/lib/docker/containers -name "*-json.log" -exec du -h {} + | sort -hr | head

3.1G    /var/lib/docker/containers/ef043adc7a49077b85990e843cb510277b08485d4c024c7cb03f931fd194213f/ef043adc7a49077b85990e843cb510277b08485d4c024c7cb03f931fd194213f-json.log
2.2G    /var/lib/docker/containers/215f590bf565d1c535bde30be7ad157280e1c564f67170f8cacef51a689a106d/215f590bf565d1c535bde30be7ad157280e1c564f67170f8cacef51a689a106d-json.log
231M    /var/lib/docker/containers/d874dba42ab11e04385861601f469f46379bbc99f2d7da22867985a3181ed90a/d874dba42ab11e04385861601f469f46379bbc99f2d7da22867985a3181ed90a-json.log
55M     /var/lib/docker/containers/de870fb1974f6de6d8a502363338d0a877e259c3867211e6de4b71a3f95a969c/de870fb1974f6de6d8a502363338d0a877e259c3867211e6de4b71a3f95a969c-json.log
11M     /var/lib/docker/containers/e492275e03eb43b18388caaaba13f5fe17b2c29abec80edb4f33a193834c3bd7/e492275e03eb43b18388caaaba13f5fe17b2c29abec80edb4f33a193834c3bd7-json.log
11M     /var/lib/docker/containers/91c92b5d9939645bd7b6c802917d527bd63c0357ee6ad8f9519b912dc38554ed/91c92b5d9939645bd7b6c802917d527bd63c0357ee6ad8f9519b912dc38554ed-json.log
8.0K    /var/lib/docker/containers/e96b2115302f415aabf4cb44bfc6ecc80b78dd7afbe8d3a4bd10c9528b692d37/e96b2115302f415aabf4cb44bfc6ecc80b78dd7afbe8d3a4bd10c9528b692d37-json.log

Truncate them safely (no container restart)

sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log

Setting up a retention policy for ElasticSearch

leroykayanda — Sat, 13 Dec 2025 09:50:35 +0000

We may want to delete old logs.

Navigate to index management.

This is a sample policy to delete logs older than 30 days.

{
  "policy": {
    "policy_id": "delete_old_indexes",
    "description": "Delete old indexes",
    "default_state": "warm",
    "states": [
      {
        "name": "warm",
        "actions": [],
        "transitions": [
          {
            "state_name": "delete",
            "conditions": {
              "min_index_age": "30d"
            }
          }
        ]
      },
      {
        "name": "delete",
        "actions": [
          {
            "delete": {}
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "cardinal-logs-*"
        ]
      }
    ]
  }
}

Upgrading EKS Cluster kubernetes version

leroykayanda — Wed, 06 Aug 2025 15:43:32 +0000

Verify the cluster's subnets have at least 5 available addresses. EKS will launch new nodes for the control plane. A rolling update is done.
Resolve any issues in EKS upgrade insights.
Ensure the worker nodes are running the same kubernetes version as the control plane.
Upgrade the control plane to the next minor version (for example, from 1.32 to 1.33). You can update only one minor version at a time. This can be done in the console.
Upgrade the nodes in the data plane to match that of the control plane.Starting 1.28 and above, EKS managed node groups support 3 minor version skew betweeen control plane and data plane. For example, if your EKS control plane version is 1.28, you can safely use kubelet versions as old as 1.25. A node's kubelet can't be newer than kube-apiserver.
Upgrade any additional applications that run on the cluster (for example, cluster-autoscaler). Update the Cluster Autoscaler to the latest version that matches the Kubernetes major and minor version that you updated to. For example, if your cluster’s Kubernetes version is 1.30 find the latest Cluster Autoscaler release that begins with 1.30.
Upgrade EKS addons. This can be triggered with a terraform apply.
Upgrade any clients that communicate with the cluster, for example, kubectl. Typically, kubectl is expected to be within one minor version difference (either newer or older) of the kube-apiserver.

References

Deleting Stuck Kubernetes Namespaces

leroykayanda — Wed, 23 Jul 2025 13:34:27 +0000

Namespaces may be stuck in a terminating state due to finalizers. Follow these steps to delete them.

First, you need to retrieve the full definition of the stuck namespace in JSON format.

kubectl get namespace user-d7gnp -o json > user-d7gnp.json

Edit the JSON to Remove Finalizers.

Before

{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "v1",
            "kind": "Namespace",
                "creationTimestamp": "2024-06-19T04:23:56Z",
                "deletionTimestamp": "2025-07-23T13:25:02Z",
                "finalizers": [
                    "controller.cattle.io/namespace-auth"
                ],
                "labels": {
                    "kubernetes.io/metadata.name": "user-d7gnp"
                },

After

{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "v1",
            "kind": "Namespace",
                "creationTimestamp": "2024-06-19T04:23:56Z",
                "deletionTimestamp": "2025-07-23T13:25:02Z",
                "labels": {
                    "kubernetes.io/metadata.name": "user-d7gnp"
                },

Apply the Modified JSON via kubectl replace.

kubectl replace --raw "/api/v1/namespaces/user-d7gnp/finalize" -f ./user-d7gnp.json

Verify Deletion.

k get ns user-d7gnp

A shortcut to do all this.

k delete ns user-d7gnp

kubectl get namespace user-d7gnp -o json > user-d7gnp.json

jq 'del(.metadata.finalizers) | del(.spec.finalizers)' user-d7gnp.json > user-d7gnp.json.tmp && mv user-d7gnp.json.tmp user-d7gnp.json

kubectl replace --raw "/api/v1/namespaces/user-d7gnp/finalize" -f ./user-d7gnp.json

k get ns user-d7gnp

To delete several namespaces.

k delete ns cert-manager grafana

namespaces=(
  grafana
  abc
)

for ns in "${namespaces[@]}"; do
  echo ""
  echo "Processing namespace: $ns"
  echo ""

  kubectl get namespace "$ns" -o json > "${ns}.json"

  jq 'del(.metadata.finalizers) | del(.spec.finalizers)' "${ns}.json" > "${ns}.json.tmp" && mv "${ns}.json.tmp" "${ns}.json"

  kubectl replace --raw "/api/v1/namespaces/${ns}/finalize" -f "${ns}.json"

  kubectl get ns "$ns"
  echo ""
  echo "---------------------------------------------"
done

Cache Busting in Ionic 3

leroykayanda — Thu, 22 May 2025 16:35:44 +0000

Browsers will often cache static assets to improve performance.

This can cause issues when a new version of the application is deployed but the browser is still reading the old cached version.

With cache busting, we append a hash to the static file names e.g vendor.js becomes vendor.437b51dcc2.js. When a deployment is made the hash changes e.g vendor.437b51dcc2.js may change to vendor.74t74t5tt.js. With cache validation enforced by the meta tags below, the browser will first check if the there is a new version of the file before using the cached versions. It will thus request for the new version of the file.

<meta http-equiv="Cache-control" content="no-cache, no-store, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">

(Add these to your src/index.html as Step 1)

Step 2
Create a folder named config in the root of your project and create a file called webpack.config.js with the contents below.

var webpack = require("webpack");
const defaultWebpackConfig = require("../node_modules/@ionic/app-scripts/config/webpack.config.js");

module.exports = function () {
  defaultWebpackConfig.prod.output["chunkFilename"] =
    "[name].[chunkhash].chunk.js";
  defaultWebpackConfig.dev.output["chunkFilename"] =
    "[name].[chunkhash].chunk.js";
  return defaultWebpackConfig;
};

This will add a hash to chunked js files. Add the code below to your package.json so that webpack is used for the hash addition.

  "config": {
    "ionic_webpack": "./config/webpack.config.js"
  }

Run ionic build --prod. When you navigate to www/build, you will see that the chunked files now have a hash.

ll www/build  
total 3912
-rw-r--r--  1 leroy  admin   32916 May 22 18:55 0.8c4eb8d75238a2dbdd84.chunk.js
-rw-r--r--  1 leroy  admin   20629 May 22 18:55 1.576bc86e3f12e250668d.chunk.js
-rw-r--r--  1 leroy  admin   25414 May 22 18:55 10.d8e94bc91646b69468eb.chunk.js
-rw-r--r--  1 leroy  admin   21562 May 22 18:55 11.5cec3cc03fd360752259.chunk.js

Now we need a custom script that will add hash to other static assets e.g main.js, main.css, polyfills.js etc. Create a file called cache busting in the root of your project and paste the code below.

#!/usr/bin/env node
console.log("Cache busting...");

Ensure your CI runs chmod 755 ./cache-busting.js to give npm permission to run the cache busting script.

Add this to your package.json.

  "scripts": {
    "postbuild": "./cache-busting.js",
    "build": "npm run ionic:build --prod --release --verbose && npm run postbuild"
  }

Run your CI to ensure the cache busting script is run and "Cache busting..." is logged.

Now we can work on cache-busting.js. Install these which are needed by the script.

npm install rev-hash@^2.0.0 --save-dev
npm install cheerio@1.0.0-rc.10 --save-dev

Paste this code in cache-busting.js.

#!/usr/bin/env node
console.log("Cache busting...");

// This file when run (i.e: npm run postbuild) will add a hash to these files: main.js, main.css, polyfills.js, vendor.js
// and will update index.html so that the script/link tags request those files with their corresponding hashes
// Based upon source: https://gist.github.com/haydenbr/7df417a8678efc404c820c61b6ffdd24
// Don't forget to: chmod 755 scripts/cache-busting.js

var fs = require("fs"),
  path = require("path"),
  cheerio = require("cheerio"),
  revHash = require("rev-hash");

var rootDir = path.resolve(__dirname, "./");
console.log("rootDir", rootDir);
var wwwRootDir = path.resolve(rootDir, "www");
var buildDir = path.join(wwwRootDir, "build");
var indexPath = path.join(wwwRootDir, "index.html");

var cssPath = path.join(buildDir, "main.css");
var cssFileHash = revHash(fs.readFileSync(cssPath));
var cssNewFileName = `main.${cssFileHash}.css`;
var cssNewPath = path.join(buildDir, cssNewFileName);
var cssNewRelativePath = path.join("build", cssNewFileName);

var jsPath = path.join(buildDir, "main.js");
var jsFileHash = revHash(fs.readFileSync(jsPath));
var jsNewFileName = `main.${jsFileHash}.js`;
var jsNewPath = path.join(buildDir, jsNewFileName);
var jsNewRelativePath = path.join("build", jsNewFileName);

var jsPolyfillsPath = path.join(buildDir, "polyfills.js");
var jsPolyfillsFileHash = revHash(fs.readFileSync(jsPolyfillsPath));
var jsPolyfillsNewFileName = `polyfills.${jsPolyfillsFileHash}.js`;
var jsPolyfillsNewPath = path.join(buildDir, jsPolyfillsNewFileName);
var jsPolyfillsNewRelativePath = path.join("build", jsPolyfillsNewFileName);

var jsVendorPath = path.join(buildDir, "vendor.js");
var jsVendorFileHash = revHash(fs.readFileSync(jsVendorPath));
var jsVendorNewFileName = `vendor.${jsVendorFileHash}.js`;
var jsVendorNewPath = path.join(buildDir, jsVendorNewFileName);
var jsVendorNewRelativePath = path.join("build", jsVendorNewFileName);

// rename main.css to main.[hash].css
fs.renameSync(cssPath, cssNewPath);

// rename main.js to main.[hash].js
fs.renameSync(jsPath, jsNewPath);

// rename polyfills.js to polyfills.[hash].js
fs.renameSync(jsPolyfillsPath, jsPolyfillsNewPath);

// rename vendor.js to vendor.[hash].js
fs.renameSync(jsVendorPath, jsVendorNewPath);

// update index.html to load main.[hash].css
$ = cheerio.load(fs.readFileSync(indexPath, "utf-8"));

$('head link[href="build/main.css"]').attr("href", cssNewRelativePath);
$('body script[src="build/main.js"]').attr("src", jsNewRelativePath);
$('body script[src="build/polyfills.js"]').attr(
  "src",
  jsPolyfillsNewRelativePath,
);
$('body script[src="build/vendor.js"]').attr("src", jsVendorNewRelativePath);

fs.writeFileSync(indexPath, $.html());

Build the app. The other static files should now have a hash in the name.

 ll www/build | grep main
-rw-r--r--  1 leroy  admin   10367 May 22 19:30 main.012a9a78ab.js
-rw-r--r--  1 leroy  admin  613034 May 22 19:30 main.5f460e54f6.css

Setting up an IPSEC VPN using VyOS in AWS

leroykayanda — Wed, 19 Feb 2025 07:02:09 +0000

This will be a tunnel between 2 EC2 instances.

Let’s assume:

VyOS-A

Public IP: 23.23.46.168
Private IP: 10.113.129.113
Prod VPC CIDR: 10.113.0.0/16

VyOS-B

Public IP: 3.230.21.112
Private IP: 10.100.3.199
client_vpn VPC CIDR: 10.100.0.0/16

Ensure these ports are open in the Security Groups.

UDP 500 - ISAKMP/IKE
IP Protocol 50 - ESP
UDP 4500 - NAT-T

Disable src/dst check on the instances.

VyOS-A Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-B secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-B id '23.23.46.168'
set vpn ipsec authentication psk VyOS-B id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-B authentication local-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-B authentication remote-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B local-address '10.113.129.113'
set vpn ipsec site-to-site peer VyOS-B remote-address '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 local prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 remote prefix '10.100.0.0/16'  
set vpn ipsec site-to-site peer VyOS-B tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-B connection-type 'initiate'
set vpn ipsec site-to-site peer VyOS-B ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-B default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-B ikev2-reauth 'no'

VyOS-B Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-A secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-A id '23.23.46.168'
set vpn ipsec authentication psk VyOS-A id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-A authentication local-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication remote-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 remote prefix '10.113.0.0/16'  
set vpn ipsec site-to-site peer VyOS-A local-address '10.100.3.199'
set vpn ipsec site-to-site peer VyOS-A remote-address '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-A connection-type 'respond'
set vpn ipsec site-to-site peer VyOS-A ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-A default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-A ikev2-reauth 'no'

Troubleshooting

show vpn ike sa
show vpn ipsec sa
show log vpn
show ip route
restart ipsec
reset vpn ipsec site-to-site peer Vodacom-TZ
ping 10.100.3.199 interface eth0
set system login user vyos authentication plaintext-password vyos

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
3.230.21.112 3.230.21.112               10.113.129.113 23.23.46.168            

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128 ECP_256        yes    4987    22920  


show vpn ipsec sa
Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID     Proposal
---------------  -------  --------  --------------  ----------------  ----------------  ------------  -------------------------------------
VyOS-B-tunnel-1  up       34m50s    0B/0B           0/0               3.230.21.112      3.230.21.112  AES_CBC_256/HMAC_SHA2_256_128/ECP_256


ping 10.100.3.199 interface eth0
PING 10.100.3.199 (10.100.3.199) from 10.113.129.113 eth0: 56(84) bytes of data.
64 bytes from 10.100.3.199: icmp_seq=1 ttl=64 time=0.665 ms
64 bytes from 10.100.3.199: icmp_seq=2 ttl=64 time=0.718 ms
64 bytes from 10.100.3.199: icmp_seq=3 ttl=64 time=0.686 ms
^C
--- 10.100.3.199 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2074ms
rtt min/avg/max/mdev = 0.665/0.689/0.718/0.021 ms

Connect to AWS RDS using IAM credentials

leroykayanda — Thu, 10 Oct 2024 14:14:40 +0000

Ensure IAM authentication is enabled in RDS.

Ensure the user that will connect to RDS has these permissions.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "rds-db:connect"
         ],
         "Resource":[
            "arn:aws:rds-db:<region>:<account-id>:dbuser:<DBInstanceResourceID>/<DatabaseUser>"
         ]
      }
   ]
}

CREATE USER db_user WITH LOGIN;;
GRANT rds_iam TO db_user;

Generate a password valid for 15min.

aws rds generate-db-auth-token \
  --hostname <dn-hostname> \
  --port 5432 \
  --username db_user

To connect to the db

export PGPASSWORD="$(aws rds generate-db-auth-token \
  --hostname <db-host> \
  --port 5432 \
  --region us-east-1 \
  --username db_user)"

psql "host=<db-host> \
      port=5432 \
      dbname=postgres \
      user=db_user \
      sslmode=require"

Connecting to a private AWS RDS DB using SSM

leroykayanda — Thu, 10 Oct 2024 02:54:03 +0000

Setup a small EC2 instance in a private subnet. Set up IAM roles to ensure it can be accessed via SSM. Ensure its security group allows outbound access to RDS.

Install the session manager plugin.

Run this command to open up a tunnel from your PC to RDS.

aws ssm start-session \
--target i-xxxx \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters host="db-endpoint",portNumber="5432",localPortNumber="5432"

i-xxxx is your bastion. You can now connect to the DB using 127.0.0.1 as the endpoint and 5432 as the port. Example using Psql

psql -h 127.0.0.1 -p 5432 -U db_user -d db_name

This will also work using PgAdmin.

Terraform module for S3 static website hosting

leroykayanda — Fri, 20 Sep 2024 17:52:05 +0000

module "s3_website_bucket" {
  source                   = "terraform-aws-modules/s3-bucket/aws"
  bucket                   = "test.dev.net"
  acl                      = "public-read"
  control_object_ownership = true
  object_ownership         = "BucketOwnerPreferred"
  force_destroy            = false
  block_public_acls        = false
  block_public_policy      = false
  ignore_public_acls       = false
  restrict_public_buckets  = false
  tags                     = var.tags[var.world]

  website = {
    index_document = "index.html"
    error_document = "error.html"
  }

  # Allow public read access
  attach_policy = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "PublicReadGetObject"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource  = "arn:aws:s3:::test.dev.net/*"
      },
    ]
  })

}

Attaching an EFS volume to a linux instance

leroykayanda — Thu, 29 Aug 2024 12:38:58 +0000

# Installing the NFS client
apt-get -y install nfs-common

mkdir /efs

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-<REDACED>.efs.af-south-1.amazonaws.com:/ /efs

# permanently mount
echo "fs-<REDACED>.efs.af-south-1.amazonaws.com:/ /efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0" | sudo tee -a /etc/fstab

Troubleshooting a bash script

leroykayanda — Mon, 05 Aug 2024 13:28:16 +0000

#!/bin/bash

set -e
set -u
set -x

set -e
Exit immediately if a command exits with a non-zero status.

set -u
Treat unset variables and parameters as errors.

set -x
Print commands and their arguments before executing them.

Save STDOUT and STDERR to user_data.log

exec &> /opt/odoo/user_data.log
set -x
echo "Hello"

Using ArgoCD Image Updater with ACR

leroykayanda — Tue, 21 May 2024 17:49:25 +0000

We may want the updater to trigger a deployment when an image is pushed to Azure Container Registry.

Create a secret used by argocd image updater to authenticate to ACR.

resource "kubernetes_secret" "argocd_image_updater_acr" {
  metadata {
    name      = "argocd-image-updater-acr-${var.service}"
    namespace = "argocd"
  }

  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        "${azurerm_container_registry.acr.login_server}" = {
          auth = base64encode("${azurerm_container_registry.acr.admin_username}:${azurerm_container_registry.acr.admin_password}")
        }
      }
    })
  }
}

We install the updater in our cluster using terraform.

resource "helm_release" "image_updater" {
  name       = "argocd-image-updater"
  repository = "https://argoproj.github.io/argo-helm"
  chart      = "argocd-image-updater"
  namespace  = "argocd"

  values = [
    <<EOF
config:
  registries:
    - name: ACR demo-app
      api_url: https://devdemoapp.azurecr.io
      prefix: devdemoapp.azurecr.io
      ping: yes
      credentials: pullsecret:argocd/argocd-image-updater-acr-demo-app
EOF
  ]
}

These are the annotations for our ArgoCD application.

  annotations:
    argocd-image-updater.argoproj.io/image-list: repo=devdemoapp.azurecr.io/devdemoapp
    argocd-image-updater.argoproj.io/repo.update-strategy: newest-build

To troubleshooot, we can log in to the argocd container.

kubectl exec -n argocd -it argocd-image-updater-7fc87697d5-qtnhn -- ash

Test the connection to ACR.

argocd-image-updater test devdemoapp.azurecr.io/devdemoapp --update-strategy newest-build --credentials pullsecret:argocd/argocd-image-updater-acr-demo-app

Trigger a deploymemnt.

argocd-image-updater run --once --loglevel trace --argocd-namespace argocd --metrics-port 0