README
¶
Imago
This project aims to ease continuous delivery of docker images in a kubernetes cluster.
Imago is the last stage of an
insect, it also refer to image
and go
(golang).
imago
looks for kubernetes Deployments
, DaemonSets
, StatefulSet
and CronJobs
configuration and update them to use the latest image sha256 digest from
the docker repository.
This is useful to handle the following cases:
- image is rebuilt for security fixes
- ensure all pods use exactly the same image
- image is rebuilt by CI for continuous delivery
imago
ensure your pods are running the latest build.
How it works ?
imago
looks for Deployments
, DaemonSets
, StatefulSet
and CronJob
configuration, get the
latest sha256 digest from registry and update containers specifications
to set image to the corresponding registry/image@sha256:...
notation.
It track the original image specification in the imago-config-spec
annotation.
Alternatively, with the -restart
option, it check running pods sha256 and
just restart resource that need to use newer images (assuming imagePullPolicy
is Always). This method is slower than -update
but it leave the container
image in manifests untouched.
Arguments
$ imago --help
Usage of imago:
-A Check deployments and daemonsets on all namespaces (shorthand) (default false)
-all-namespaces
Check deployments and daemonsets on all namespaces (default false)
-check-pods
check image digests of running pods (default false)
-field-selector string
Kubernetes field-selector
example: metadata.name=myapp
-kubeconfig string
kube config file (default "~/.kube/config")
-l string
Kubernetes labels selectors
Warning: applies to Deployment, DaemonSet, StatefulSet and CronJob, not pods !
-n value
Check deployments and daemonsets in given namespaces (default to current namespace)
-restart
rollout restart deployments and daemonsets to use newer images, implies -check-pods and assume imagePullPolicy is Always (default false)
-update
update deployments and daemonsets to use newer images (default false)
-x value
Check deployments and daemonsets in all namespaces except given namespaces (implies --all-namespaces)
By default, imago
doesn't update your deployments, unless invoked with
--update
.
The --check-pods
is a less intrusive mode where update is done only if
one of the running pods doesn't run on latest digest image.
Example output
$ imago --update
2019/02/11 17:55:21 checking default/Deployment/aptly:
2019/02/11 17:55:21 aptly ok
2019/02/11 17:55:21 nginx ok
2019/02/11 17:55:22 checking default/Deployment/kibana:
2019/02/11 17:55:22 kibana ok
2019/02/11 17:55:22 nginx ok
2019/02/11 17:55:22 update default/Deployment/philpep.org
2019/02/11 17:55:22 checking DaemonSet/fluentd:
2019/02/11 17:55:22 fluentd has to be updated from r.in.philpep.org/fluentd to r.in.philpep.org/fluentd@sha256:6a92af8a9db2ca243e0eba8d401cec11b124822e15b558b35ab45825ed4d1f54
2019/02/11 17:55:22 update default/DaemonSet/fluentd
Install and run
From the command line
Assuming you have a working ~/.kube/config
file, just download and
build the code:
$ go get github.com/upbeatcopy/imago/...
$ $(go env GOPATH)/bin/imago --help
From the docker image
Assuming you have a working ~/.kube/config
file:
$ docker pull philpep/imago
$ docker run --rm -it -u $(id -u) -v ~/.kube/config:/var/lib/imago/.kube/config philpep/imago --help
From a pre-built binary
Check releases page.
Inside the cluster
You can run imago
inside the cluster, for instance in a CronJob
kubernetes object that runs every day.
See the ServiceAccount and CronJob objects.
$ kubectl apply -f deploy/serviceaccount.yaml
$ kubectl apply -f deploy/cronjob.yaml
Docker credentials
Image will looks for docker registry credentials in ~/.docker/config.json (e.g.
/var/lib/imago/.docker/config.json in docker image).
So, in case you're using imagePullSecrets
, you will have to mount the secret here.
Documentation
¶
Overview ¶
Copyright 2019 Philippe Pepiot <phil@philpep.org>
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.