apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  name: imageupdaters.argocd-image-updater.argoproj.io
spec:
  group: argocd-image-updater.argoproj.io
  names:
    kind: ImageUpdater
    listKind: ImageUpdaterList
    plural: imageupdaters
    singular: imageupdater
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ImageUpdater is the Schema for the imageupdaters API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              ImageUpdaterSpec defines the desired state of ImageUpdater
              It specifies which applications to target, default update strategies,
              and a list of images to manage.
            properties:
              applicationRefs:
                description: |-
                  ApplicationRefs indicates the set of applications to be managed.
                  ApplicationRefs is a list of rules to select Argo CD Applications within the ImageUpdater CR's namespace.
                  Each reference can also provide specific overrides for the global settings defined above.
                items:
                  description: ApplicationRef contains various criteria by which to include applications for managing by image updater
                  properties:
                    commonUpdateSettings:
                      description: |-
                        CommonUpdateSettings overrides the global CommonUpdateSettings for applications
                        matched by this selector.
                        This field is ignored when UseAnnotations is true.
                      properties:
                        allowTags:
                          description: |-
                            AllowTags is a regex pattern for tags to allow.
                            This acts as the default if not overridden.
                          type: string
                        forceUpdate:
                          default: false
                          description: |-
                            ForceUpdate specifies whether updates should be forced.
                            This acts as the default if not overridden.
                          type: boolean
                        ignoreTags:
                          description: |-
                            IgnoreTags is a list of glob-like patterns of tags to ignore.
                            This acts as the default and can be overridden at more specific levels.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                        platforms:
                          description: |-
                            Platforms specifies a list of target platforms (e.g., "linux/amd64", "linux/arm64").
                            If specified, the image updater will consider these platforms when checking for new versions or digests.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                        pullSecret:
                          description: |-
                            PullSecret is the pull secret to use for images.
                            This acts as the default if not overridden.
                          type: string
                        updateStrategy:
                          default: semver
                          description: |-
                            UpdateStrategy defines the update strategy to apply.
                            Examples: "semver", "latest", "digest", "name".
                            This acts as the default if not overridden at a more specific level.
                          type: string
                      type: object
                    images:
                      description: |-
                        Images contains a list of configurations that how images should be updated.
                        These rules apply to applications selected by namePattern in ApplicationRefs, and each
                        image can override global/ApplicationRef settings.
                        This field is ignored when UseAnnotations is true.
                      items:
                        description: |-
                          ImageConfig defines how a specific container image should be discovered, updated,
                          and how those updates should be reflected in application manifests.
                        properties:
                          alias:
                            description: |-
                              Alias is a short, user-defined name for this image configuration.
                              It MUST be unique within a single ApplicationRef's list of images.
                              This field is mandatory.
                            pattern: ^[a-zA-Z0-9][a-zA-Z0-9-._]*$
                            type: string
                          commonUpdateSettings:
                            description: CommonUpdateSettings overrides the effective default CommonUpdateSettings for this specific image.
                            properties:
                              allowTags:
                                description: |-
                                  AllowTags is a regex pattern for tags to allow.
                                  This acts as the default if not overridden.
                                type: string
                              forceUpdate:
                                default: false
                                description: |-
                                  ForceUpdate specifies whether updates should be forced.
                                  This acts as the default if not overridden.
                                type: boolean
                              ignoreTags:
                                description: |-
                                  IgnoreTags is a list of glob-like patterns of tags to ignore.
                                  This acts as the default and can be overridden at more specific levels.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                              platforms:
                                description: |-
                                  Platforms specifies a list of target platforms (e.g., "linux/amd64", "linux/arm64").
                                  If specified, the image updater will consider these platforms when checking for new versions or digests.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                              pullSecret:
                                description: |-
                                  PullSecret is the pull secret to use for images.
                                  This acts as the default if not overridden.
                                type: string
                              updateStrategy:
                                default: semver
                                description: |-
                                  UpdateStrategy defines the update strategy to apply.
                                  Examples: "semver", "latest", "digest", "name".
                                  This acts as the default if not overridden at a more specific level.
                                type: string
                            type: object
                          imageName:
                            description: |-
                              ImageName is the full identifier of the image to be tracked,
                              including the registry (if not Docker Hub), the image name, and an initial/current tag or version.
                              This is the string used to query the container registry and also as a base for finding updates.
                              Example: "docker.io/library/nginx:1.17.10", "quay.io/prometheus/node-exporter:v1.5.0".
                              This field is mandatory.
                            type: string
                          manifestTargets:
                            description: |-
                              ManifestTarget defines how and where to update this image in Kubernetes manifests.
                              Only one of Helm or Kustomize should be specified within this block.
                              This whole block is optional if the image update isn't written to a manifest in a structured way.
                            properties:
                              helm:
                                description: |-
                                  Helm specifies update parameters if the target manifest is managed by Helm
                                  and updates are to be made to Helm values files.
                                properties:
                                  name:
                                    description: |-
                                      Name is the dot-separated path to the Helm key for the image repository/name part.
                                      Example: "image.repository", "frontend.deployment.image.name".
                                      If neither spec nor name/tag are set, defaults to "image.name".
                                      If spec is set, this field is ignored.
                                    type: string
                                  spec:
                                    description: |-
                                      Spec is the dot-separated path to a Helm key where the full image string
                                      (e.g., "image/name:1.0") should be written.
                                      Use this if your Helm chart expects the entire image reference in a single field,
                                      rather than separate name/tag fields.
                                      If this is set, name and tag will be ignored.
                                    type: string
                                  tag:
                                    description: |-
                                      Tag is the dot-separated path to the Helm key for the image tag part.
                                      Example: "image.tag", "frontend.deployment.image.version".
                                      If neither spec nor name/tag are set, defaults to "image.tag".
                                      If spec is set, this field is ignored.
                                    type: string
                                type: object
                              kustomize:
                                description: |-
                                  Kustomize specifies update parameters if the target manifest is managed by Kustomize
                                  and updates involve changing image tags in Kustomize configurations.
                                properties:
                                  name:
                                    description: |-
                                      Name is the image name (which can include the registry and an initial tag)
                                      as it appears in the `images` list of a kustomization.yaml file that needs to be updated.
                                      The updater will typically change the tag or add a digest to this entry.
                                      Example: "docker.io/library/nginx".
                                      This field is required if the Kustomize target is used.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                            x-kubernetes-validations:
                            - message: Exactly one of helm or kustomize must be specified within manifestTargets if the block is present.
                              rule: 'has(self.helm) ? !has(self.kustomize) : has(self.kustomize)'
                        required:
                        - alias
                        - imageName
                        type: object
                      type: array
                      x-kubernetes-list-map-keys:
                      - alias
                      x-kubernetes-list-type: map
                    labelSelectors:
                      description: LabelSelectors indicates the label selectors to apply for application selection
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namePattern:
                      description: NamePattern indicates the glob pattern for application name
                      type: string
                    useAnnotations:
                      default: false
                      description: |-
                        UseAnnotations When true, read image configuration from Application's
                        argocd-image-updater.argoproj.io/* annotations instead of
                        requiring explicit Images[] configuration in this CR.
                        When this field is set to true, only namePattern and labelSelectors are used for
                        application selection. All other fields (CommonUpdateSettings, WriteBackConfig, Images)
                        are ignored.
                      type: boolean
                    writeBackConfig:
                      description: |-
                        WriteBackConfig overrides the global WriteBackConfig settings for applications
                        matched by this selector.
                        This field is ignored when UseAnnotations is true.
                      properties:
                        gitConfig:
                          description: |-
                            GitConfig provides Git configuration settings if the write-back method involves Git.
                            This can only be used when method is "git" or starts with "git:".
                          properties:
                            branch:
                              description: |-
                                Branch to commit updates to.
                                Required if write-back method is Git and this is not specified at the spec level.
                              type: string
                            repository:
                              description: |-
                                Repository URL to commit changes to.
                                If not specified here or at the spec level, the controller MUST infer it from the
                                Argo CD Application's `spec.source.repoURL`. This field allows overriding that.
                              type: string
                            writeBackTarget:
                              description: |-
                                WriteBackTarget defines the path and type of file to update in the Git repository.
                                Examples: "helmvalues:./helm/values.yaml", "kustomization:./kustomize/overlays/production".
                                For ApplicationSet usage, `{{ .app.path.path }}` should be resolved by ApplicationSet
                                before this CR is generated, resulting in a concrete path here.
                                Required if write-back method is Git and this is not specified at the spec level.
                              type: string
                          type: object
                        method:
                          default: argocd
                          description: |-
                            Method defines the method for writing back updated image versions.
                            This acts as the default if not overridden. If not specified, defaults to "argocd".
                          pattern: ^(argocd|git|git:[a-zA-Z0-9][a-zA-Z0-9-._/:]*)$
                          type: string
                      required:
                      - method
                      type: object
                  required:
                  - namePattern
                  type: object
                  x-kubernetes-validations:
                  - message: Either useAnnotations must be true, or images must be provided with at least one item
                    rule: '!(has(self.useAnnotations) && self.useAnnotations == true) ? (has(self.images) && size(self.images) > 0) : true'
                minItems: 1
                type: array
                x-kubernetes-list-map-keys:
                - namePattern
                x-kubernetes-list-type: map
              commonUpdateSettings:
                description: |-
                  CommonUpdateSettings provides global default settings for update strategies,
                  tag filtering, pull secrets, etc., for all applications matched by this CR.
                  These can be overridden at the ApplicationRef or ImageConfig level.
                properties:
                  allowTags:
                    description: |-
                      AllowTags is a regex pattern for tags to allow.
                      This acts as the default if not overridden.
                    type: string
                  forceUpdate:
                    default: false
                    description: |-
                      ForceUpdate specifies whether updates should be forced.
                      This acts as the default if not overridden.
                    type: boolean
                  ignoreTags:
                    description: |-
                      IgnoreTags is a list of glob-like patterns of tags to ignore.
                      This acts as the default and can be overridden at more specific levels.
                    items:
                      type: string
                    type: array
                    x-kubernetes-list-type: atomic
                  platforms:
                    description: |-
                      Platforms specifies a list of target platforms (e.g., "linux/amd64", "linux/arm64").
                      If specified, the image updater will consider these platforms when checking for new versions or digests.
                    items:
                      type: string
                    type: array
                    x-kubernetes-list-type: atomic
                  pullSecret:
                    description: |-
                      PullSecret is the pull secret to use for images.
                      This acts as the default if not overridden.
                    type: string
                  updateStrategy:
                    default: semver
                    description: |-
                      UpdateStrategy defines the update strategy to apply.
                      Examples: "semver", "latest", "digest", "name".
                      This acts as the default if not overridden at a more specific level.
                    type: string
                type: object
              namespace:
                description: |-
                  Namespace indicates the target namespace of the applications.
                  Deprecated: This field is deprecated and will be removed in a future release.
                  The controller now uses the ImageUpdater CR's namespace (metadata.namespace)
                  to determine which namespace to search for applications. This field is ignored.
                type: string
              writeBackConfig:
                description: |-
                  WriteBackConfig provides global default settings for how and where to write back image updates.
                  This can be overridden at the ApplicationRef level.
                properties:
                  gitConfig:
                    description: |-
                      GitConfig provides Git configuration settings if the write-back method involves Git.
                      This can only be used when method is "git" or starts with "git:".
                    properties:
                      branch:
                        description: |-
                          Branch to commit updates to.
                          Required if write-back method is Git and this is not specified at the spec level.
                        type: string
                      repository:
                        description: |-
                          Repository URL to commit changes to.
                          If not specified here or at the spec level, the controller MUST infer it from the
                          Argo CD Application's `spec.source.repoURL`. This field allows overriding that.
                        type: string
                      writeBackTarget:
                        description: |-
                          WriteBackTarget defines the path and type of file to update in the Git repository.
                          Examples: "helmvalues:./helm/values.yaml", "kustomization:./kustomize/overlays/production".
                          For ApplicationSet usage, `{{ .app.path.path }}` should be resolved by ApplicationSet
                          before this CR is generated, resulting in a concrete path here.
                          Required if write-back method is Git and this is not specified at the spec level.
                        type: string
                    type: object
                  method:
                    default: argocd
                    description: |-
                      Method defines the method for writing back updated image versions.
                      This acts as the default if not overridden. If not specified, defaults to "argocd".
                    pattern: ^(argocd|git|git:[a-zA-Z0-9][a-zA-Z0-9-._/:]*)$
                    type: string
                required:
                - method
                type: object
            required:
            - applicationRefs
            type: object
          status:
            description: ImageUpdaterStatus defines the observed state of ImageUpdater
            properties:
              conditions:
                items:
                  description: Condition contains details for one aspect of the current state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              imageStatus:
                description: ImageStatus indicates the detailed status for the list of managed images
                items:
                  description: ImageStatus contains information for an image:version and its update status in hosting applications
                  properties:
                    applications:
                      description: Applications contains a list of applications and when the image was last updated therein
                      items:
                        description: ImageApplicationLastUpdated contains information for an application and when the image was last updated therein
                        properties:
                          appName:
                            description: AppName indicates and namespace and the application name
                            type: string
                          lastUpdatedAt:
                            description: LastUpdatedAt indicates when the image in this application was last updated
                            format: date-time
                            type: string
                        required:
                        - appName
                        type: object
                      type: array
                    name:
                      description: Name indicates the image name
                      type: string
                    version:
                      description: Version indicates the image version
                      type: string
                  required:
                  - name
                  - version
                  type: object
                type: array
              reconciledAt:
                description: LastUpdatedAt indicates when the image updater last ran
                format: date-time
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater
  name: argocd-image-updater-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: argocd-image-updater-controller
    app.kubernetes.io/name: argocd-image-updater
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater
  name: argocd-image-updater-leader-election-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-image-updater-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - argocd-image-updater.argoproj.io
  resources:
  - imageupdaters
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - argocd-image-updater.argoproj.io
  resources:
  - imageupdaters/finalizers
  verbs:
  - update
- apiGroups:
  - argocd-image-updater.argoproj.io
  resources:
  - imageupdaters/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-image-updater-metrics-auth-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-image-updater-metrics-reader
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: argocd-image-updater-controller
    app.kubernetes.io/name: argocd-image-updater
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-image-updater
subjects:
- kind: ServiceAccount
  name: argocd-image-updater-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater
  name: argocd-image-updater-leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-image-updater-leader-election-role
subjects:
- kind: ServiceAccount
  name: argocd-image-updater-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater
  name: argocd-image-updater-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-image-updater-manager-role
subjects:
- kind: ServiceAccount
  name: argocd-image-updater-controller
  namespace: argocd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-image-updater-metrics-auth-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-image-updater-metrics-auth-role
subjects:
- kind: ServiceAccount
  name: argocd-image-updater-controller
  namespace: argocd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-image-updater-metrics-reader-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-image-updater-metrics-reader
subjects:
- kind: ServiceAccount
  name: argocd-image-updater-controller
  namespace: argocd
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater-controller
  name: argocd-image-updater-config
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-ssh-config
    app.kubernetes.io/part-of: argocd-image-updater-controller
  name: argocd-image-updater-ssh-config
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-secret
    app.kubernetes.io/part-of: argocd-image-updater-controller
  name: argocd-image-updater-secret
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater
    control-plane: argocd-image-updater-controller
  name: argocd-image-updater-controller-metrics-service
spec:
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  selector:
    control-plane: argocd-image-updater-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater-controller
    control-plane: argocd-image-updater-controller
  name: argocd-image-updater-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: argocd-image-updater-controller
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: argocd-image-updater-controller
      labels:
        app.kubernetes.io/name: argocd-image-updater
        control-plane: argocd-image-updater-controller
    spec:
      containers:
      - args:
        - --metrics-bind-address=:8443
        - run
        command:
        - /manager
        env:
        - name: ARGOCD_NAMESPACE
          valueFrom:
            configMapKeyRef:
              key: argocd.namespace
              name: argocd-image-updater-config
              optional: true
        - name: IMAGE_UPDATER_INTERVAL
          valueFrom:
            configMapKeyRef:
              key: interval
              name: argocd-image-updater-config
              optional: true
        - name: IMAGE_UPDATER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: log.level
              name: argocd-image-updater-config
              optional: true
        - name: IMAGE_UPDATER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: log.format
              name: argocd-image-updater-config
              optional: true
        - name: MAX_CONCURRENT_APPS
          valueFrom:
            configMapKeyRef:
              key: max_concurrent_apps
              name: argocd-image-updater-config
              optional: true
        - name: MAX_CONCURRENT_RECONCILES
          valueFrom:
            configMapKeyRef:
              key: max_concurrent_reconciles
              name: argocd-image-updater-config
              optional: true
        - name: GIT_COMMIT_USER
          valueFrom:
            configMapKeyRef:
              key: git.user
              name: argocd-image-updater-config
              optional: true
        - name: GIT_COMMIT_EMAIL
          valueFrom:
            configMapKeyRef:
              key: git.email
              name: argocd-image-updater-config
              optional: true
        - name: GIT_COMMIT_SIGNING_KEY
          valueFrom:
            configMapKeyRef:
              key: git.commit-signing-key
              name: argocd-image-updater-config
              optional: true
        - name: GIT_COMMIT_SIGNING_METHOD
          valueFrom:
            configMapKeyRef:
              key: git.commit-signing-method
              name: argocd-image-updater-config
              optional: true
        - name: GIT_COMMIT_SIGN_OFF
          valueFrom:
            configMapKeyRef:
              key: git.commit-sign-off
              name: argocd-image-updater-config
              optional: true
        - name: IMAGE_UPDATER_KUBE_EVENTS
          valueFrom:
            configMapKeyRef:
              key: kube.events
              name: argocd-image-updater-config
              optional: true
        - name: ENABLE_WEBHOOK
          valueFrom:
            configMapKeyRef:
              key: webhook.enable
              name: argocd-image-updater-config
              optional: true
        - name: WEBHOOK_PORT
          valueFrom:
            configMapKeyRef:
              key: webhook.port
              name: argocd-image-updater-config
              optional: true
        - name: QUAY_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              key: webhook.quay-secret
              name: argocd-image-updater-secret
              optional: true
        - name: DOCKER_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              key: webhook.docker-secret
              name: argocd-image-updater-secret
              optional: true
        - name: GHCR_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              key: webhook.ghcr-secret
              name: argocd-image-updater-secret
              optional: true
        - name: HARBOR_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              key: webhook.harbor-secret
              name: argocd-image-updater-secret
              optional: true
        - name: CLOUDEVENTS_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              key: webhook.cloudevents-secret
              name: argocd-image-updater-secret
              optional: true
        - name: WEBHOOK_RATELIMIT_ALLOWED
          valueFrom:
            configMapKeyRef:
              key: webhook.ratelimit-allowed
              name: argocd-image-updater-config
              optional: true
        image: quay.io/argoprojlabs/argocd-image-updater:v1.1.1
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        name: argocd-image-updater-controller
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          limits:
            cpu: 500m
            memory: 1024Mi
          requests:
            cpu: 250m
            memory: 512Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config
          name: image-updater-conf
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/.ssh
          name: ssh-config
        - mountPath: /tmp
          name: tmp
        - mountPath: /app/ssh-keys/id_rsa
          name: ssh-signing-key
          readOnly: true
          subPath: sshPrivateKey
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argocd-image-updater-controller
      terminationGracePeriodSeconds: 10
      volumes:
      - configMap:
          items:
          - key: registries.conf
            path: registries.conf
          - key: git.commit-message-template
            path: commit.template
          name: argocd-image-updater-config
          optional: true
        name: image-updater-conf
      - configMap:
          name: argocd-ssh-known-hosts-cm
          optional: true
        name: ssh-known-hosts
      - configMap:
          name: argocd-image-updater-ssh-config
          optional: true
        name: ssh-config
      - name: ssh-signing-key
        secret:
          optional: true
          secretName: ssh-git-creds
      - emptyDir: {}
        name: tmp
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: argocd-image-updater-controller
    control-plane: argocd-image-updater-controller
  name: allow-metrics-traffic
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          metrics: enabled
    ports:
    - port: 8443
      protocol: TCP
  podSelector:
    matchLabels:
      control-plane: argocd-image-updater-controller
  policyTypes:
  - Ingress