This is a follow up to my previous post,
Argo CD is already managing your kubernetes/ folder with Kustomize enabled.
Here we add Argo CD Image Updater so Argo CD automatically tracks the moving :test tag by digest (pins test@sha256:...) and rolls out the Backstage Deployment when :test points to a new image — using Application write-back (no Git commits).
Assumptions in this post:
- Harbor is publicly readable (no registry credentials needed)
Tagging convention (CI build)
- Every time we build a new Backstage image, we publish two tags pointing to the same image digest:
<7-char Git SHA>(immutable, traceable, good for rollbacks)test(mutable “moving” tag that is updated on every build)
- We use
testfor daily commit testing (always “latest under test”), while the SHA tag is the stable identifier for a specific build.
Example:
harbor.maksonlee.com/backstage/homelab-backstage:3c71cccharbor.maksonlee.com/backstage/homelab-backstage:test(updated to the latest build each run)
- Install Argo CD Image Updater
Install it into the same namespace as Argo CD (argocd):
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/config/install.yaml
Verify:
kubectl -n argocd get deploy | grep image-updater
kubectl -n argocd get crd | grep imageupdaters
- Create the ImageUpdater resource (Application write-back)
Create imageupdater-homelab-backstage.yaml:
apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
name: homelab-backstage
namespace: argocd
spec:
# Argo CD Applications live here
namespace: argocd
# Application write-back (no Git commits)
writeBackConfig:
method: argocd
applicationRefs:
- namePattern: "homelab-backstage"
images:
- alias: backstage
# Harbor project repo (avoid library/)
imageName: harbor.maksonlee.com/backstage/homelab-backstage:test
commonUpdateSettings:
updateStrategy: digest
# Must match the image identifier used in your manifests (without tag)
manifestTargets:
kustomize:
name: harbor.maksonlee.com/backstage/homelab-backstage
Apply it:
kubectl apply -f imageupdater-homelab-backstage.yaml
kubectl -n argocd get imageupdaters
- Push a new image and verify Argo CD updates (digest strategy follows
:test)
Important: with updateStrategy: digest and imageName: ...:test, Image Updater only updates when the digest behind :test changes. So each build must push the new SHA tag and update/push :test to the same image.
Push both tags (SHA + test)
Example tags:
harbor.maksonlee.com/backstage/homelab-backstage:3c71cccharbor.maksonlee.com/backstage/homelab-backstage:test
(Your Jenkins pipeline already does this by building with -t <sha> -t test and pushing both.)
Watch Image Updater logs
kubectl -n argocd logs deploy/argocd-image-updater-controller -f
You should see it detecting a new digest for ...:test and writing back changes to the Argo CD Application.
Verify the Application got a Kustomize image override
kubectl -n argocd get app homelab-backstage \
-o jsonpath='{.spec.source.kustomize.images}{"\n"}'
With digest, this may show a digest-pinned override (that’s expected).
Verify the Deployment image changed
kubectl -n backstage get deploy homelab-backstage \
-o jsonpath='{.spec.template.spec.containers[0].image}{"\n"}'
With updateStrategy: digest, you should expect the Deployment image to be digest-pinned, e.g. harbor.maksonlee.com/backstage/homelab-backstage:test@sha256:<digest>. When the :test tag moves to a new build, Image Updater updates the digest in the Argo CD Application, and Argo CD rolls out the Deployment.
Did this guide save you time?
Support this site