DEV Community

Kazuya.Y

Automatically Committing Image Tags with Argo CD Image Updater

In GitOps workflows using Argo CD, automating container image updates is essential.

In this article, we will walk through how to set up Argo CD Image Updater in practice based on the following assumptions.

Prerequisites

  • Argo CD is already installed
  • Argo CD is connected to GitHub
  • Kubernetes is running on EKS
  • The container registry is ECR

What is Argo CD Image Updater?

Argo CD Image Updater:

  • Periodically scans kustomization.yaml or Helm values.yaml in registered repositories
  • Retrieves the latest tags from container registries (e.g., ECR, Docker Hub)
  • Compares them with the currently deployed image tags
  • If there is a difference, automatically commits the change (or creates a PR) to GitHub
  • Argo CD detects the change and performs a rolling update of the Deployment

Deployment Flow: Argo CD Image Updater × Argo CD

Directory Structure

First, create a Kustomize-based structure:

ops/kubernetes/eks/argocd-image-updater/
├── base/
└── overlays/
    └── stg/

Steps

Setting up IAM Role and Pod Identity

Install Image Updater using Helm

Deploy it via Helm from Kustomize.

# ops/kubernetes/eks/argocd-image-updater/overlays/stg/kustomization.yaml

helmCharts:
  - name: argocd-image-updater
    repo: https://argoproj.github.io/argo-helm
    version: 0.12.1
    releaseName: argocd-image-updater
    namespace: argocd
    valuesFile: values.yaml

Configure values.yaml

config:
  logLevel: "info"

  registries:
    - name: ECR
      api_url: https://xxx.dkr.ecr.ap-northeast-1.amazonaws.com
      prefix: xxx.dkr.ecr.ap-northeast-1.amazonaws.com
      insecure: false
      credentials: ext:/scripts/ecr-login.sh

  git:
    writeBranch: develop
    commitMessageTemplate: "chore: update image tag to {{ .NewTag }}"
    authorName: "Argo CD Image Updater"
    authorEmail: "<your-email>"
    addSignature: false

argocd:
  config:
    enabled: true

rbac:
  create: true

serviceAccount:
  create: false
  name: argocd-image-updater-sa

authScripts:
  enabled: true
  scripts:
    ecr-login.sh: |
      #!/bin/sh
      aws ecr --region "ap-northeast-1" get-authorization-token \
        --output text \
        --query 'authorizationData[].authorizationToken' \
      | base64 -d

Key Point

credentials: ext:/scripts/ecr-login.sh
  • ECR does not use static credentials like Docker Hub
  • → You must retrieve a temporary token each time
  • → Use a script to fetch the token and pass it to Image Updater
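
In the script above, the pipeline's exit status comes from `base64 -d`, so a failed `aws` call is not reported through the exit code. The following added example (not the article's script) is a variant that fails closed and checks that the decoded token has the `AWS:<password>` shape before printing it. The function names are hypothetical; the region is the one used in this article.

```shell
#!/bin/sh
# Added example: fail-closed variant of ecr-login.sh.
# decode_ecr_token and ecr_login are hypothetical names.
REGION="ap-northeast-1"

# Decode a base64 ECR authorization token and validate its shape.
# An ext: credentials script must print "<username>:<password>";
# for ECR the username is always "AWS".
# Prints the credentials on stdout, returns non-zero on any problem.
decode_ecr_token() {
  token_b64=$1
  [ -n "$token_b64" ] || { echo "empty token" >&2; return 1; }
  creds=$(printf '%s' "$token_b64" | base64 -d 2>/dev/null) || {
    echo "token is not valid base64" >&2; return 1; }
  case $creds in
    AWS:?*) printf '%s\n' "$creds" ;;
    *) echo "unexpected credential format" >&2; return 1 ;;
  esac
}

# Fetch a token with the AWS CLI and pass it to the validator.
# The CLI call is checked on its own, so a failure (missing Pod
# Identity association, access denied, network error) surfaces as a
# non-zero exit instead of empty credentials with exit status 0.
# Error messages never include the token itself.
ecr_login() {
  token_b64=$(aws ecr --region "$REGION" get-authorization-token \
    --output text \
    --query 'authorizationData[].authorizationToken') || {
    echo "aws ecr get-authorization-token failed" >&2; return 1; }
  decode_ecr_token "$token_b64"
}
```

When installing this as `ecr-login.sh`, end the file with a call to `ecr_login`.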

Add Annotations to the Application

Image Updater (v0.x) is configured through annotations on the Argo CD Application.

metadata:
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git
    argocd-image-updater.argoproj.io/write-back-target: "kustomization:/ops/kubernetes/eks/service/overlays/stg"

    argocd-image-updater.argoproj.io/image-list: >
      app-image=xxx.dkr.ecr.ap-northeast-1.amazonaws.com/service-stg

    argocd-image-updater.argoproj.io/app-image.update-strategy: newest-build
    argocd-image-updater.argoproj.io/app-image.kustomize.image-name: app-image

Verification

Push a new image to ECR.

If you see logs like the following in:

argocd-image-updater > Pod details > Logs

then the setup is successful.
