philpep / imago
Ensure kubernetes pods run on latest images builds from the docker registry
License: Apache License 2.0
Is there any way to ensure that imago maintains the current architecture when looking for the newest docker image? When upgrading a container that has a multiarch image, it seems to always choose the first (amd64), which causes my raspberry pi (arm) to fail.
This would be very useful so you can ignore for example k8s-wait-for init containers.
We use imago to update the actual service images; the init containers are much less important, and an update for k8s-wait-for causes everything to restart at once.
EDIT: Replacing init-container images does not seem to work at all, it keeps looping every iteration and restarting everything.
Seems the algorithm requesting the digest in https://github.com/philpep/imago/blob/master/main.go#L149 is not good for all response types.
We have some issues with gcr.io and quay.io
Hi,
First of all, thank you so much for creating such a tool. This makes our lives easier!
I'm trying to run it inside a 1.20 k8s cluster using the default configuration explained in the readme.
If I use the "--update" flag everything seems to work well:
$ kubectl create job --from=cronjob/imago update-test
$ kubectl logs -f job/update-test
2021/01/29 15:56:19 checking test/Deployment/postgres
2021/01/29 15:56:21 postgres ok
2021/01/29 15:56:22 checking test/CronJob/imago
2021/01/29 15:56:23 imago ok
but if I change the "--update" flag to "--restart" I get the following output:
$ kubectl create job --from=cronjob/imago update-test
$ kubectl logs -f job/update-test -
2021/01/29 15:57:16 checking test-trytonacademy/Deployment/postgres
2021/01/29 15:57:16 replicasets.apps "postgres-67c4854f74" is forbidden: User "system:serviceaccount:test:imago" cannot get resource "replicasets" in API group "apps" in the namespace "test"
2021/01/29 15:57:19 checking test-trytonacademy/CronJob/imago
It seems an issue related to permission but I'm unable to fix it. Do you have any clue? Or is it really a bug?
If this is something due to configuration I will be happy to update the documentation to fix it.
TIA
First of all: thank you for this project! It may be the missing link in our deployment chain.
Unfortunately we use various private docker repositories in our projects and this tool doesn't support this yet.
use case
I want to check a deployment build out from a private repository for any updates.
solution
The tool supports a new command line parameter to specify a Kubernetes registry object, which uses the given registry and its credentials to check for any updates.
docker run --rm -it -u $(id -u) -v ~/.kube/config:/config philpep/imago -n default --registry my-private-reg
nice enhancement
It would be nice to support multiple registries as command line parameters, but I think it's nice to have.
If more information is needed, please feel free to ask.
Thx
imago removes security_context { seccomp_profile { type = "RuntimeDefault" } } when it restarts pods!!
In Docker Hub it is possible to enable an automatic build trigger that is triggered when a dependent repository is updated. This ensures the imago docker container is also up to date automatically instead of only manually when something new is added.
The admission controller will modify the configured images with fixed digest and add imago annotation.
I am using imago in my Jenkins pipeline, and run imago in command line:
go get github.com/philpep/imago/...
$(go env GOPATH)/bin/imago -n default -check-pods -update
This has worked perfectly for months, but since today it is stuck in the go get command.
Would you mind checking whether there is anything wrong?
Go version 1.16 is not currently released. Downgrade go.mod to 1.15, as you will get errors when trying to build.
Hello, thanks for the awesome project.
Looks like the docker image you are shipping to dockerhub hasn't been updated in 2 years.
Can we get the build fixed so we have a recent docker image?
Thanks!
Hello,
Maybe it's docker hub, but here is my deployment:
...
image: docker.io/library/nextcloud:latest
imagePullPolicy: Always
...
Imago says:
2022/03/21 09:32:01 app on app-7dfcd6b8c-97gct need to be updated from docker.io/library/nextcloud@sha256:069177198529ce4fcc4705c4d3953082142be7001edf0ee2ba76461fcb1d11df to docker.io/library/nextcloud@sha256:6bf15beecaeaca23442375182e9cde1c34830cf661fc017b7aba978cdeaa5ca2
kubectl event on deployment restart said:
2s Normal Pulling pod/app-69d94675b7-6gtxc Pulling image "docker.io/library/nextcloud:latest"
0s Normal Pulled pod/app-69d94675b7-6gtxc Successfully pulled image "docker.io/library/nextcloud:latest" in 1.484645146s
And describing the pods said:
Image ID: docker.io/library/nextcloud@sha256:069177198529ce4fcc4705c4d3953082142be7001edf0ee2ba76461fcb1d11df
So the issue is that imago sees an updated hash, but k3s / crictl said that we are already at the last hash of this tag.
Do you have any idea?
When running imago in a cron job for a specific namespace, I keep getting an error but no context on it so I can debug:
2023/07/29 10:16:33 checking appsmith/StatefulSet/appsmith
2023/07/29 10:16:35 psql-init-container ok
2023/07/29 10:16:36 redis-init-container ok
2023/07/29 10:16:36 mongo-init-container ok
2023/07/29 10:16:38 appsmith ok
2023/07/29 10:16:38 checking appsmith/StatefulSet/appsmith-mongodb
2023/07/29 10:16:38 mongodb ok
2023/07/29 10:16:38 checking appsmith/StatefulSet/appsmith-mongodb-arbiter
2023/07/29 10:16:38 mongodb-arbiter ok
2023/07/29 10:16:38 checking appsmith/StatefulSet/appsmith-postgresql
2023/07/29 10:16:39 postgresql ok
2023/07/29 10:16:39 checking appsmith/StatefulSet/appsmith-redis-master
2023/07/29 10:16:40 redis ok
2023/07/29 10:16:40 checking appsmith/StatefulSet/appsmith-redis-replicas
2023/07/29 10:16:40 redis ok
2023/07/29 10:16:40 the server could not find the requested resource
Hello,
This is an awesome tool! Thank you for making it.
I can't seem to find a way to get imago to ignore an SSL error for my internal registry. It's using a private CA to sign the cert (instead of a public one). I looked at the output of --help and searched for an existing issue, but no luck.
Hello,
This needs a k8s go client update, I think.
# /usr/local/bin/imago -A -kubeconfig /usr/local/etc/imago/config.yaml -l imago_update=yes -restart -check-pods
2022/08/25 10:24:49 checking uptime-kuma/Deployment/uptime-kuma
....
2022/08/25 10:24:55 checking ferdi/Deployment/app
2022/08/25 10:24:57 app on app-6546744585-6fndt ok
W0825 10:24:57.405278 899190 warnings.go:70] batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
My k8s(k3s) version is v1.24.3+k3s1
In the container runtime we use, owner/repo is a synonym for docker.io/owner/repo. However, imago doesn't understand that:
2022/11/28 04:00:09 element on element-674f8b8bd4-rfh8w need to be updated from docker.io/vectorim/element-web@sha256:aecc84718746ac455556dcb60a3ad0674c44792bd9e472cd5886da1b0afe6bd3 to vectorim/element-web@sha256:aecc84718746ac455556dcb60a3ad0674c44792bd9e472cd5886da1b0afe6bd3
Likewise, repo is a synonym for docker.io/library/repo. imago doesn't understand that either:
2022/11/28 04:00:08 metrics-proxy on pretix-54f4c584df-bxt2f need to be updated from docker.io/library/nginx@sha256:e209ac2f37c70c1e0e9873a5f7231e91dcd83fdf1178d8ed36c2ec09974210ba to nginx@sha256:e209ac2f37c70c1e0e9873a5f7231e91dcd83fdf1178d8ed36c2ec09974210ba
Wouldn't it be sufficient for imago to check the SHA-256 hash? After all, we don't care how the image is named, if the content is correct.
When using the latest imago, I have clusters running GKE inside GCP. I get the following error message:
$ imago
2020/10/31 14:26:52 no Auth Provider found for name "gcp"
See kubernetes/client-go#242 for the fix.
We should remove use of log.Fatal() in the code and handle errors for each Deployment/DaemonSet individually.
Currently, imago modifies the manifest to use image@sha256; we could add a -restart mode which will just run a rollout restart without modifying the manifest (assuming AlwaysPullImages is enabled).
When running imago outside of the cluster we could use ~/.docker/config.json
When running imago inside the cluster, the secret might be in ServiceAccount instead of imagePullSecrets, or in a file on the node.
We have 2 kube clusters. In the first we have Jenkins with imago, which deploys jobs on the second kube cluster. The problem is that imago cannot see the second cluster because it ignores kubeConfig:
func inClusterClientPossible() bool {
	fi, err := os.Stat("/var/run/secrets/kubernetes.io/serviceaccount/token")
	return os.Getenv("KUBERNETES_SERVICE_HOST") != "" &&
		os.Getenv("KUBERNETES_SERVICE_PORT") != "" &&
		err == nil && !fi.IsDir()
}
I think there should be an option to use kubeConfig even if it is inside another kube cluster:
if inClusterClientPossible() {
	// kubeconfig is ignored
	clusterConfig, err = rest.InClusterConfig()
	if err != nil {
		return nil, err
	}
	if err = setNamespace(true); err != nil {
		return nil, err
	}
} else {
	clusterConfig, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
	if err != nil {
		return nil, err
	}
	if err = setNamespace(false); err != nil {
		return nil, err
	}
}
Do you have benchmarks for how much cpu/mem imago needs? I would like to set requirements & limits in my k8s configuration but cannot easily determine a safe range for imago to operate in. Thanks!
For example:
$ curl -X POST https://imago.example.com/deployment/app
{
  "containers": {
    "app": {
      "new": "registry/app@sha256:YYYY",
      "old": "registry/app@sha256:XXXX"
    },
    "initContainers": {}
  }
}
The webhook url could be protected by basic auth / ingress.
The next code doesn't work in the case the image is from a private registry:
image := strings.Split(container.Image, ":")[0] + "@" + digest
I suggest the following fixup:
ss := strings.Split(container.Image, ":")
image := ss[0] + "@" + digest
if len(ss) > 2 {
	image = ss[0] + ":" + ss[1] + "@" + digest
}
vh
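An added example, not imago's code and not taken from any issue on this page: pinning an image to a digest without losing the registry port, and comparing references after expanding Docker short names (the `owner/repo` versus `docker.io/owner/repo` mismatch reported above). Splitting on every ":" still truncates `registry:5000/app` when no tag is present, so this version treats a colon as a tag separator only after the last "/". The function names, the registry host and the digest are assumptions made up for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// splitRef separates a reference into name and digest, dropping any tag.
// A ':' introduces a tag only after the last '/', so a registry port is kept.
func splitRef(ref string) (name, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref, digest = ref[:i], ref[i+1:]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return ref, digest
}

// canonicalName expands Docker short names. The first path component is a
// registry host only if it contains '.' or ':' or equals "localhost".
func canonicalName(name string) string {
	parts := strings.SplitN(name, "/", 2)
	if len(parts) == 1 {
		return "docker.io/library/" + name // "nginx"
	}
	if strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost" {
		return name // already carries a registry host
	}
	return "docker.io/" + name // "owner/repo"
}

// Pin returns image with its tag or digest replaced by digest.
func Pin(image, digest string) string {
	name, _ := splitRef(image)
	return canonicalName(name) + "@" + digest
}

// NeedsUpdate compares two references after canonicalising their names.
func NeedsUpdate(running, wanted string) bool {
	rn, rd := splitRef(running)
	wn, wd := splitRef(wanted)
	return canonicalName(rn) != canonicalName(wn) || rd != wd
}

func main() {
	d := "sha256:" + strings.Repeat("ab", 32) // constructed digest, not a real image
	fmt.Println(Pin("registry.example:5000/team/app:1.2", d), NeedsUpdate("docker.io/library/nginx@"+d, "nginx@"+d))
}
```

Comparing canonical names together with the digest keeps a restart from being triggered by a pure naming difference while still flagging a change of registry.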
Hi,
I want to use a label on my kubernetes deployments, so imago will only update the ones which are marked. But I am not sure what the correct syntax for the command is, and several tries did not work. The label I want to use is:
continous-deployment: true
I've deployed imago as cronjob and in my spec I gave the following args, but this did not work. Imago does not update anything.
"containers": [
  {
    "args": [
      "--update",
      "--l=continous-deployment=true"
    ],
    "image": "philpep/imago:latest",
    "imagePullPolicy": "Always",
    "name": "imago"
  }
]
Is this supported and what are the correct args for this? Thanks for any help.
Hello,
We are looking for a solution so that our developers can deploy some kubernetes manifests on their local machine using docker-for-desktop (windows/mac) or minikube, and then be able to build a new image locally and have their pod automatically restarted with this new image.
I have performed some tests using imago but was not successful.
Any idea on how to make this work?