imago

Imago

This project aims to ease continuous delivery of docker images in a kubernetes cluster.

Imago is the last stage of an insect, it also refer to image and go (golang).

imago looks for kubernetes Deployments, DaemonSets, StatefulSet and CronJobs configuration and update them to use the latest image sha256 digest from the docker repository.

This is useful to handle the following cases:

• image is rebuilt for security fixes
• ensure all pods use exactly the same image
• image is rebuilt by CI for continuous delivery

imago ensure your pods are running the latest build.

How it works ?

imago looks for Deployments, DaemonSets, StatefulSet and CronJob configuration, get the latest sha256 digest from registry and update containers specifications to set image to the corresponding registry/image@sha256:... notation. It track the original image specification in the imago-config-spec annotation.

Alternatively, with the -restart option, it check running pods sha256 and just restart resource that need to use newer images (assuming imagePullPolicy is Always). This method is slower than -update but it leave the container image in manifests untouched.

Arguments

$ imago --help
Usage of imago:
  -A	Check deployments and daemonsets on all namespaces (shorthand) (default false)
  -all-namespaces
		Check deployments and daemonsets on all namespaces (default false)
  -check-pods
		check image digests of running pods (default false)
  -field-selector string
		Kubernetes field-selector
		example: metadata.name=myapp
  -kubeconfig string
		kube config file (default "~/.kube/config")
  -l string
		Kubernetes labels selectors
		Warning: applies to Deployment, DaemonSet, StatefulSet and CronJob, not pods !
  -n value
		Check deployments and daemonsets in given namespaces (default to current namespace)
  -restart
		rollout restart deployments and daemonsets to use newer images, implies -check-pods and assume imagePullPolicy is Always (default false)
  -update
		update deployments and daemonsets to use newer images (default false)
  -x value
		Check deployments and daemonsets in all namespaces except given namespaces (implies --all-namespaces)

By default, imago doesn't update your deployments, unless invoked with --update.

The --check-pods is a less intrusive mode where update is done only if one of the running pods doesn't run on latest digest image.

Example output

$ imago --update
2019/02/11 17:55:21 checking default/Deployment/aptly:
2019/02/11 17:55:21   aptly ok
2019/02/11 17:55:21   nginx ok
2019/02/11 17:55:22 checking default/Deployment/kibana:
2019/02/11 17:55:22   kibana ok
2019/02/11 17:55:22   nginx ok
2019/02/11 17:55:22 update default/Deployment/philpep.org
2019/02/11 17:55:22 checking DaemonSet/fluentd:
2019/02/11 17:55:22   fluentd has to be updated from r.in.philpep.org/fluentd to r.in.philpep.org/fluentd@sha256:6a92af8a9db2ca243e0eba8d401cec11b124822e15b558b35ab45825ed4d1f54
2019/02/11 17:55:22 update default/DaemonSet/fluentd

Install and run

From the command line

Assuming you have a working ~/.kube/config file, just download and build the code:

$ go get github.com/upbeatcopy/imago/...
$ $(go env GOPATH)/bin/imago --help

From the docker image

Assuming you have a working ~/.kube/config file:

$ docker pull philpep/imago
$ docker run --rm -it -u $(id -u) -v ~/.kube/config:/var/lib/imago/.kube/config philpep/imago --help

From a pre-built binary

Check releases page.

Inside the cluster

You can run imago inside the cluster, for instance in a CronJob kubernetes object that runs every day.

See the ServiceAccount and CronJob objects.

$ kubectl apply -f deploy/serviceaccount.yaml
$ kubectl apply -f deploy/cronjob.yaml

Docker credentials

Image will looks for docker registry credentials in ~/.docker/config.json (e.g. /var/lib/imago/.docker/config.json in docker image). So, in case you're using imagePullSecrets, you will have to mount the secret here.