feat: add CI-driven image tag updates, remove Image Updater

operinko · operinko · commit 88a01271cb5c · 2026-05-19T19:23:12.000+03:00
Add update-tags job (stage 3) to build workflow using
wunderio/silta-actions/update-image-tags@v1. Remove images arrays
from apps.yaml — tags are now managed by CI instead of Image Updater.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -59,3 +59,23 @@ jobs:
           registry: ${{ env.REGISTRY }}
           registry-username: ${{ secrets.REGISTRY_USERNAME }}
           registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+
+  # ---------------------------------------------------------------
+  # Stage 3: Update image tags in ArgoCD values files.
+  # Queries the registry for the latest tags and commits the update.
+  # ---------------------------------------------------------------
+  update-tags:
+    name: Update Image Tags
+    runs-on: ubuntu-latest
+    needs: build-image
+    permissions:
+      contents: write
+    steps:
+      - name: Update image tags
+        uses: wunderio/silta-actions/update-image-tags@v1
+        with:
+          image-names: nginx
+          values-file: values/simple.yaml
+          registry: ${{ env.REGISTRY }}
+          registry-username: ${{ secrets.REGISTRY_USERNAME }}
+          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
diff --git a/k8s/feature/apps.yaml b/k8s/feature/apps.yaml
@@ -0,0 +1,16 @@
+---
+# apps.yaml — ArgoCD application definitions for feature/PR environments.
+#
+# Branch mapping: feature/hotfix/epic/* PRs -> pr-<N>
+# (see cluster-management PR ApplicationSet).
+#
+# UPDATE: Change the namespace to match your project.
+
+namespace: client-fi-CHANGEME
+
+apps:
+  - name: simple
+    chart: simple
+    repoURL: https://storage.googleapis.com/charts.wdr.io
+    version: ">=1.0.0"
+    valuesFile: values/simple.yaml
diff --git a/k8s/feature/secrets/ksops-generator.yaml b/k8s/feature/secrets/ksops-generator.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: simple-secrets
+files:
+  - simple.sops.yaml
diff --git a/k8s/feature/secrets/kustomization.yaml b/k8s/feature/secrets/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - ksops-generator.yaml
diff --git a/k8s/feature/secrets/simple.sops.example.yaml b/k8s/feature/secrets/simple.sops.example.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: simple-project-secrets
+type: Opaque
+stringData:
+  # API_KEY: "..."
diff --git a/k8s/feature/values/simple.yaml b/k8s/feature/values/simple.yaml
@@ -0,0 +1,9 @@
+---
+# Helm values for the simple chart — feature/PR environments.
+#
+# UPDATE: Change image repository paths to match your Harbor project name.
+
+nginx:
+  image:
+    repository: registry.wdr.io/CHANGEME/nginx
+    tag: placeholder-00000000T000000-0000000
diff --git a/k8s/staging/apps.yaml b/k8s/staging/apps.yaml
@@ -0,0 +1,17 @@
+---
+# apps.yaml — ArgoCD application definitions for the staging environment.
+#
+# The platform chart in cluster-management reads this file and renders one
+# ArgoCD Application per entry in the apps[] list.
+# Branch mapping: main/master -> staging (see cluster-management ApplicationSets).
+#
+# UPDATE: Change the namespace to match your project (e.g. client-fi-mysite).
+
+namespace: client-fi-CHANGEME
+
+apps:
+  - name: simple
+    chart: simple
+    repoURL: https://storage.googleapis.com/charts.wdr.io
+    version: ">=1.0.0"
+    valuesFile: values/simple.yaml
diff --git a/k8s/staging/secrets/ksops-generator.yaml b/k8s/staging/secrets/ksops-generator.yaml
@@ -0,0 +1,11 @@
+---
+# ksops-generator.yaml — KSOPS generator config.
+#
+# This file MUST be named exactly ksops-generator.yaml to match the
+# CMP discover glob (**/ksops-generator.yaml) configured in ArgoCD.
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: simple-secrets
+files:
+  - simple.sops.yaml
diff --git a/k8s/staging/secrets/kustomization.yaml b/k8s/staging/secrets/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - ksops-generator.yaml
diff --git a/k8s/staging/secrets/simple.sops.example.yaml b/k8s/staging/secrets/simple.sops.example.yaml
@@ -0,0 +1,19 @@
+---
+# Example SOPS-encrypted secret.
+#
+# USAGE:
+#   1. Copy this file to simple.sops.yaml
+#   2. Fill in the real values in stringData
+#   3. Encrypt in-place:
+#        export SOPS_AGE_RECIPIENTS=age1...
+#        sops --encrypt --in-place k8s/staging/secrets/simple.sops.yaml
+#   4. Commit the encrypted file.
+#
+# IMPORTANT: Never commit the plaintext version of this file.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: simple-project-secrets
+type: Opaque
+stringData:
+  # API_KEY: "..."
diff --git a/k8s/staging/values/simple.yaml b/k8s/staging/values/simple.yaml
@@ -0,0 +1,14 @@
+---
+# Helm values for the simple chart — staging environment.
+#
+# Image tags are updated by CI via wunderio/silta-actions/update-image-tags.
+# Tag format: {branch-normalized}-{timestamp}-{sha}
+# Example:    main-20260101T120000-abc1234
+#
+# UPDATE: Change image repository paths to match your Harbor project name.
+
+nginx:
+  image:
+    # UPDATE: Replace CHANGEME with your Harbor project name.
+    repository: registry.wdr.io/CHANGEME/nginx
+    tag: main-00000000T000000-0000000
