How to deploy helm charts which are stored in AWS ECR using argoCD

Question

I want to deploy helm charts, which are stored in a repository in AWS ECR, in the kubernetes cluster using ArgoCD. But I am getting a 401 unauthorized issue. I have pasted the entire issue below

Unable to create application: application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code = Unknown desc = `helm chart pull <aws account id>.dkr.ecr.<region>.amazonaws.com/testrepo:1.1.0` failed exit status 1: Error: unexpected status code [manifests 1.1.0]: 401 Unauthorized

did you add helm repo? https://helm.sh/docs/helm/helm_repo_add/ — Girdhar Singh Rathore, Mar 29 '21 at 13:36
How are you storing helm charts in ECR? I thought ECR only stored docker images. — jordanm, Mar 29 '21 at 15:40
@jordanm check this: https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html — Rot-man, Sep 22 '21 at 21:11

score 6 · Answer 1 · answered May 17 '21 at 09:02

Yes, you can use ECR for storing helm charts (https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html)

I have managed to add the repo to ArgoCD, but the token expires so it is not a complete solution.

argocd repo add XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com --type helm --name some-helmreponame --enable-oci --username AWS --password $(aws ecr get-login-password --region us-east-1)

score 4 · Answer 2 · answered Jan 26 '23 at 15:14

Using the declarative repository definition (see https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories, or just override .argo-cd.configs.repositories in the Helm chart) it is actually quite easy to create a cron-job that updates the ECR credentials:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: argocd-ecr-credentials
spec:
  schedule: '0 */6 * * *' # every 6 hours, since credentials expire every 12 hours
  jobTemplate:
    metadata:
      name: argocd-ecr-credentials
    spec:
      template:
        spec:
          serviceAccountName: argocd-server
          restartPolicy: OnFailure
          containers:
            - name: update-secret
              image: alpine/k8s # Anything that contains kubectl + aws cli
              command:
                - /bin/bash
                - "-c"
                - |
                  PASSWORD=$(aws ecr get-login-password --region [your aws region] | base64 -w 0)
                  kubectl patch secret -n argocd argocd-repo-[name of your repository] --type merge -p "{\"data\": {\"password\": \"$PASSWORD\"}}"

ArgoCD repository secrets are usually called argocd-repo-* suffixed with the key of the repository entry in the values.yaml.

This will start a pod every 6 hours to do an ECR login and update the secret in kubernetes, that contains the repository definition for ArgoCD.

Make sure to use the argocd-server service account (or create your own) since the container will not be able to modify the secret otherwise.

score 0 · Answer 3 · answered Sep 11 '21 at 03:40

I'm experimenting with the following (Not yet complete)

Create a secret for an AWS IAM role that allows you to get an ECR login password.

apiVersion: v1
kind: Secret
metadata:
  name: aws-ecr-get-login-password-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  AWS_ACCESS_KEY_ID: <Fill In>
  AWS_SECRET_ACCESS_KEY: <Fill In>

Now create an ArgoCD workflow that either runs every 12 hours or runs on PreSync Hook (Completely untested, will try to keep this updated, anyone can update this for me).

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: aws-ecr-get-login-password-
  annotations:
    argocd.argoproj.io/hook: PreSync
spec:
  entrypoint: update-ecr-login-password
  templates:

    # This is what will run.
    # First the awscli
    # Then the resource creation using the stdout of the previous step
    - name: update-ecr-login-password
      steps:
        - - name: awscli
            template: awscli
        - - name: argocd-ecr-credentials
            template: argocd-ecr-credentials
            arguments:
              parameters:
              - name: password
                value: "{{steps.awscli.outputs.result}}"

    # Create a container that has awscli in it
    # and run it to get the password using `aws ecr get-login-password`
    - name: awscli
      script:
        image: amazon/aws-cli:latest
        command: [bash]
        source: |
          aws ecr get-login-password --region us-east-1
        # We need aws secrets that can run `aws ecr get-login-password`
        envFrom:
          - secretRef:
              name: aws-ecr-get-login-password-creds

    # Now we can create the secret that has the password in it
    - name: argocd-ecr-credentials
      inputs:
        parameters:
          - name: password
      resource:
        action: create
        manifest: |
          apiVersion: v1
          kind: Secret
          metadata:
            name: argocd-ecr-credentials
            namespace: argocd
            labels:
              argocd.argoproj.io/secret-type: repository
          stringData:
            url: 133696059149.dkr.ecr.us-east-1.amazonaws.com
            username: AWS
            password: {{inputs.parameters.password}}

You are running Argo Workflows alongside ArgoCD to run this workflow, correct? — riemann, Oct 18 '22 at 12:51

How to deploy helm charts which are stored in AWS ECR using argoCD

3 Answers3