image-updater
This is a small tool and service for updating YAML files with image references,
to simplify continuous deployment pipelines.
It updates a YAML file in a Git repository, and optionally opens a Pull Request.
$ ./image-updater --help
Update YAML files in a Git service, with optional automated Pull Requests
Usage:
image-updater [command]
Available Commands:
help Help about any command
http update repositories in response to image hooks
pubsub update repositories in response to gcr pubsub events
update update a repository configuration
Flags:
-h, --help help for image-updater
Use "image-updater [command] --help" for more information about a command.
There are three sub-commands, http
, pubsub
and update
.
http
provides a Webhook service, pubsub
subscribes to pubsub events and update
will perform the same
functionality from the command-line.
This requires a AUTH_TOKEN
environment variable with a token.
$ ./image-updater update --file-path service-a/deployment.yaml --image-repo quay.io/myorg/my-image --source-repo mysource/my-repo --new-image-url quay.io/myorg/my-image:v1.1.0 --update-key spec.template.spec.containers.0.image
This would update a file service-a/deployment.yaml
in a GitHub repo at mysource/my-repo
, changing the spec.template.spec.containers.0.image
key in the file to quay.io/myorg/my-image:v1.1.0
, the PR will indicate that this is an update from quay.io/myorg/my-image
.
If you need to access a private GitLab or GitHub installation, you can provide
the --api-endpoint
e.g.
$ ./image-updater update --file-path service-a/deployment.yaml --image-repo quay.io/myorg/my-image --source-repo mysource/my-repo --new-image-url quay.io/myorg/my-image:v1.1.0 --update-key spec.template.spec.containers.0.image
For the HTTP service, you will likely need to adapt the deployment.
You can also opt to allow for insecure TLS access with --insecure
.
Webhook Service
This is a micro-service for updating Git Repos when a hook is received indicating that a new image has been pushed from an image repository.
This currently supports receiving hooks from Docker and Quay.io.
WARNING
Neither Docker Hub nor Quay.io provide a way for receivers to authenticate Webhooks, which makes this insecure, a malicious user could trigger the creation of pull requests in your git hosting service.
Please understand the risks of using this component.
Pubsub Service
Similarly to the Webhook service, the pubsub services allows to update Git Repos when a pubsub Event is received.
This currently supports Events from Google Cloud Registry.
It requires two arguments --project-id
and --subscription-name
. See below for more details on how to setup the subscription.
Configuration
Both the Webhook and Pubsub service uses a really simple configuration:
repositories:
- name: testing/repo-image
sourceRepo: my-org/my-project
sourceBranch: main
filePath: service-a/deployment.yaml
updateKey: spec.template.spec.containers.0.image
branchGenerateName: repo-imager-
tagMatch: "^main-.*"
This is a single repository configuration, Repo Push notifications from the
image testing/repo-image
, will trigger an update in the repo
my-org/my-project
.
The change will be based off the main
branch, and updating the file
service-a/deployment.yaml
.
Within that file, the spec.template.spec.containers.0.image
field will be replaced
with the incoming image.
A new branch will be created based on the branchGenerateName
field, which
would look something like repo-imager-kXzdf
.
The presence of the tagMatch
field means that it should only apply the update,
if the tag being changed matches this regular expression, in this case, tags
like "main-c1f79ab" would match, but "test-pr-branch-c1f79ab" would not.
Updating the sourceBranch directly
If no value is provided for branchGenerateName
, then the sourceBranch
will
be updated directly, this means that if you use main
, then the token must
have access to push a change directly to main
.
Creating the configuration
The tool reads a YAML definition, which in the provided Deployment
is mounted
in from a ConfigMap
.
$ kubectl create configmap image-updater-config --from-file=config.yaml
The default deployment requires a secret to expose the GITHUB_TOKEN
to the
service.
$ export GITHUB_TOKEN=<insert github token>
$ kubectl create secret generic image-updater-secret --from-literal=token=$GITHUB_TOKEN
Deployment
A Kubernetes Deployment
is provided in ./deploy/deployment.yaml.
The service is not dependent on being executed within a Kubernetes cluster.
Choosing a hook parser
By default, this accepts hooks from Docker hub but the deployment can easily be
changed to support Quay.io.
The --parser
command-line option chooses which of the supported (Quay, Docker)
hook formats to parse.
Exposing the Handler
The Service exposes a Hook handler at /
on port 8080 that handles the
configured hook type.
Tekton
A Tekton task is provided in ./tekton which allows you to apply
updates to repos from a Tekton pipeline run.
Google Container registry setup
gcloud pubsub topics create gcr
gcloud pubsub subscriptions create gcr-image-updater --topic projects/$GOOGLE_PROJECT/topics/gcr
gcloud iam service-accounts create
gcloud iam service-accounts keys create credentials.json \
--iam-account $SA_NAME@$GOOGLE_PROJECT.iam.gserviceaccount.com
gcloud pubsub subscriptions add-iam-policy-binding gcr-image-updater \
--member=serviceAccount:$SA_NAME@$GOOGLE_PROJECT.iam.gserviceaccount.com --role=roles/pubsub.subscriber
You then need to set the GOOGLE_APPLICATION_CREDENTIALS
environment variable to the path the generated credentials.json
file.
Building
A Dockerfile
is provided for building a container, but otherwise:
$ go build ./cmd/image-updater
Testing
$ go test ./...