Image Updater writes back to repo but does not trigger new deployment (dry run=true)

[anishbista60]

Description:

Hi team,

I’m using the latest version of Argo CD Image Updater and facing an issue where the updater successfully writes back the updated image digest to the Git repository, but the new image is not deployed to the cluster.

The logs show:

Successfully updated image '...@sha256:966c4a3...' 
to '...:dev@sha256:fb78c6f...', but pending spec update (dry run=true)

It seems like the updater is running in dry-run mode, even though that’s not configured anywhere.

Configuration Details

ImageUpdater CR

apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: all-apps-image-updater
  namespace: argocd
spec:
  namespace: argocd
  applicationRefs:
    - namePattern: "proxy"
      images:
        - alias: "proxy"
          imageName: "<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/abc-dev/proxy:dev"
          commonUpdateSettings:
            allowTags: "regexp:dev"
            updateStrategy: "digest"
  writeBackConfig:
    method: "git:secret:argocd/argocd-ssh"
    gitConfig:
      branch: dev

Application YAML

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: proxy
  namespace: argocd
  annotations:
    notifications.argoproj.io/subscribe.on-deployed.slack: abc-deployments
    notifications.argoproj.io/subscribe.on-sync-failed.slack: abc-deployments
spec:
  destination:
    namespace: proxy
    server: https://kubernetes.default.svc
  project: default
  source:
    path: code/infra/kubernetes/apps/proxy/dev
    repoURL: <REPO_URL>
    targetRevision: dev
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Observed Behavior

The write-back commit includes two image references:

kustomize:
  images:
  - <ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/abc-dev/proxy@sha256:fb78c6fc9a2d84a6d3f8de902c1da822f7e38792a6c8f678a443068a5d652a7e
  - <ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/abc-dev/proxy:dev@sha256:fb78c6fc9a2d84a6d3f8de902c1da822f7e38792a6c8f678a443068a5d652a7e

I’m not sure why two images are being written back, and which one the application actually picks up.
The deployment itself references the digest-only format (without the tag), so the extra :dev@sha256 entry might be confusing the sync detection.

---

What’s Working

• Image Updater can successfully read images from ECR
• It writes the updated digest back to the Git repository

What’s Not Working

• The new image is not deployed to the cluster
• Logs show dry run=true even though not set

Expected Behavior

Once the digest is updated and written to Git, Argo CD should detect the change and trigger a new deployment.

Environment

• Argo CD Image Updater version: v1.0.0 (latest)
• Argo CD version: v3.2.0
• Image registry: AWS ECR
• Git write-back method: git:secret:argocd/argocd-ssh

Additional Context

The Argo CD Application remains Synced and Healthy, but no new deployment is triggered after the image updater commit.
It feels like the updater believes it’s in dry-run mode or not detecting spec changes correctly.

[dkarpele]

Hi @anishbista60 Thanks for reporting.
In the ImageUpdater CR you provided there is a missing required key applicationRefs. The correct config should look like this:

apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: all-apps-image-updater
  namespace: argocd
spec:
  namespace: argocd
  applicationRefs:
    - namePattern: "proxy"
      images:
        - alias: "redteam-proxy"
          imageName: "<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/abc-dev/proxy:dev"
          commonUpdateSettings:
            allowTags: "regexp:dev"
            updateStrategy: "digest"
  writeBackConfig:
    method: "git:secret:argocd/argocd-ssh"
    gitConfig:
      branch: dev

Could you please recheck?

[anishbista60]

sorry it has it but I missed to include in the issue section
Updated the issue section

[dkarpele]

I could not reproduce that.

My configs looks like

apiVersion: argocd-image-updater.argoproj.io/v1alpha1
kind: ImageUpdater
metadata:
  name: image-updater-007
  namespace: argocd-image-updater-e2e
spec:
  namespace: argocd-image-updater-e2e
  writeBackConfig:
    method: "git:secret:argocd-image-updater-e2e/e2e-git-repo"
    gitConfig:
      branch: master
      repository: "https://127.0.0.1:30003/testdata.git"
  applicationRefs:
    - namePattern: "image-updater-007"
      images:
        - alias: "test"
          imageName: "127.0.0.1:30000/test-image:latest"
          commonUpdateSettings:
            platforms:
              - "linux/arm64"
            allowTags: "regexp:latest"
            updateStrategy: "digest"   

and each time I push new changes to the `latest` tag the file `.argocd-source-image-updater-007.yaml` replaces only digest, so

kustomize:
  images:
  - 127.0.0.1:30000/test-image:latest@sha256:52f66737b2c8c21a247cd42abde68a4b16047300ddd89a5a0041eb0a1641c502

was replaced with

kustomize:
  images:
  - 127.0.0.1:30000/test-image:latest@sha256:38005e6a23c0b0a292b243047a3b8740b390494ae8bc31f3eda93d760d218b34

and ArgoCD app was updated.

I have a couple of questions.

but the new image is not deployed to the cluster.
and which one the application actually picks up.

Am I right, that application image was not updated?
Do you observe the same issue using Image Updater 0.17?
Could you provide more detailed logging info with log level trace?

[anishbista60]

Thank you so much for taking the time to look into this.

Write-back was never the issue — the Image Updater is able to read from ECR, write back to the repo, and it also correctly updates the digest in the Git repo whenever a new image is pushed to ECR. The only problem was that the new image was not getting deployed automatically.

For now, I changed the write-back method to argocd, and that is working.

Previously, I was using Image Updater version 0.12.0 with the annotation in argo application

argocd-image-updater.argoproj.io/write-back-method: git

I changed the write-back method from argocd to git, but even after debugging the whole day, it was not able to write back to the repo. There were no logs in the Image Updater pod, and the write permissions were correct. I’m confident the configuration was correct because I used the same setup in another project.

The only difference is that I upgraded Argo CD to the latest version — Argo CD is now 3.2.0 while the Image Updater was still 0.12.0. I though it might be a compatibility issue, so I upgraded Image Updater to the latest version (1.0.0). Since, new image update provides it own custom resource , we removed the annotation and from argo application and migrated to CR approach.

---

My only concern now is why it created two image references:

kustomize:
  images:
    - <ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/abc-dev/proxy@sha256:fb78c6...
    - <ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/abc-dev/proxy:dev@sha256:fb78c6...

There is also a frontend Argo application that uses the same image format, but for that application, Image Updater writes only one image reference:

kustomize:
  images:
    - <ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/frontend@sha256:469b97...

Here is the configuration for the frontend image:

applicationRefs:
  - namePattern: "frontend"
    images:
      - alias: "frontend"
        imageName: "<>.amazonaws.com/enkryptai-dev/frontend:dev"
        commonUpdateSettings:
          allowTags: "regexp:dev"
          updateStrategy: "digest"

Since the dev tag is there, shouldn’t it also create :dev@sha256:... like above?

[anishbista60]

Could you please try to reproduce using same configuraiton like me with tag,regex and strategy as digest ?

imageName: "<>.amazonaws.com/enkryptai-dev/frontend:dev"
        commonUpdateSettings:
          allowTags: "regexp:dev"
          updateStrategy: "digest"

[anishbista60]

Issue are :

• Why new image is not getting deployed after latest write back ?
• Why two image reference and which one will be pickedup by argocd ?

[dkarpele]

What is the target filename? This one .argocd-source-<appName>.yaml

[anishbista60]

.argocd-source-argocd_<app-name>.yaml

[dkarpele]

Please rename target file from .argocd-source-argocd_redteam-proxy.yaml to .argocd-source-redteam-proxy.yaml (remove argocd_), commit and push changes to git and check if your argocd app was updated.

[anishbista60]

ok need to check. But why it created the wrong file ?

[dkarpele]

Because it's a bug. This issue duplicates #1343

[anishbista60]

@dkarpele ok then write back to argocd is fine for me for now. I don't want to take extra overhead. Will switch to write back to git once all the things start working as expected.

Any way thanks for follow up. Really appreciate the effort.