philpep / imago Goto Github PK

I am using imago in my Jenkins pipeline, and run imago in command line:

go get github.com/philpep/imago/...
$(go env GOPATH)/bin/imago -n default -check-pods -update

This works perfectly in these months, but since today, it is stuck in the go get command.
Would you mind checking is there anything wrong?

Currently, imago modify the manifest to use image@sha256, we could add a -restart mode which will just run a rollout restart without modifying the manifest (assuming AlwaysPullImages is enabled).

Hello,

This is an awesome tool! Thank you for making it.

I can't seem to find a way to get imago to ignore an SSL error for my internal registry. It's using a private CA to sign the cert (instead of a public one). I looked at the output of --help and searched for an existing issue, but no luck.

Hello, thanks for the awesome project.

Looks like the docker image you are shipping to dockerhub hasn't been updated in 2 years.

Can we get the build fixed so we have a recent docker image?

Thanks!

This would be very useful so you can ignore for example k8s-wait-for init containers.

We use imago to update the actual service images the init containers are much less important and an update for k8s-wait-for causes everything to restart at once.

EDIT: Replacing init-container images does not seem to work at all, it keeps looping every iteration and restarting everything.

Do you have benchmarks for how much cpu/mem imago needs? I would like to set requirements & limits in my k8s configuration but cannot easily determine a safe range for imago to operate in. Thanks!

Hello,

This need a k8s go client update I think

# /usr/local/bin/imago -A -kubeconfig /usr/local/etc/imago/config.yaml -l imago_update=yes -restart -check-pods
2022/08/25 10:24:49 checking uptime-kuma/Deployment/uptime-kuma
....
2022/08/25 10:24:55 checking ferdi/Deployment/app
2022/08/25 10:24:57     app on app-6546744585-6fndt ok
W0825 10:24:57.405278  899190 warnings.go:70] batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob

My k8s(k3s) version is v1.24.3+k3s1

imago remove security_context { seccomp_profile { type = "RuntimeDefault" } } when it restarted pods!!

The next code doesn't work in the case the image is from private registry

•           image := strings.Split(container.Image, ":")[0] + "@" + digest
  

I suggest the following fixup

•           ss := strings.Split(container.Image, ":")
  

•           image := ss[0] + "@" + digest
  

•           if len(ss) > 2 {
  

•                   image = ss[0] + ":" + ss[1] + "@" + digest
  

•           }
  

vh

The admission controller will modify the configured images with fixed digest and add imago annotation.

First of all: thank your for this project! It may can be the missing link in our deployment chain.
Unfortunately we use various private docker repositories in our projects and this tool doesn't support this yet.

use case
I want to check a deployment build out from a private repository for any updates.

solution
The tool supports a new command line parameter to specify a Kubernetes registry object, which use the given registry and its credentials to check for any updates.

docker run --rm -it -u $(id -u) -v ~/.kube/config:/config philpep/imago -n default --registry my-private-reg

nice enhancement
it would be nice to support multiple registries as commadn line paramaters. but i think its nice to have.

If more information needed please feel free to ask.
Thx

Seems the algorithm requesting disgest in https://github.com/philpep/imago/blob/master/main.go#L149 is not good for all responses types.

We have some issues with gcr.io and quay.io

We have 2 kube clusters. In first we have jenkins with imago which deploy jobs on second kube cluster. Problem is imago can not see second cluster because he ignore kubeConfig:

func inClusterClientPossible() bool {
	fi, err := os.Stat("/var/run/secrets/kubernetes.io/serviceaccount/token")
	return os.Getenv("KUBERNETES_SERVICE_HOST") != "" &&
		os.Getenv("KUBERNETES_SERVICE_PORT") != "" &&
		err == nil && !fi.IsDir()
}

I think there should be option to use kubeConfig even it is inside another kube cluster

	if inClusterClientPossible() {
//kubeconfig is ignored
		clusterConfig, err = rest.InClusterConfig()
		if err != nil {
			return nil, err
		}
		if err = setNamespace(true); err != nil {
			return nil, err
		}
	} else {
		clusterConfig, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
		if err != nil {
			return nil, err
		}
		if err = setNamespace(false); err != nil {
			return nil, err
		}
	}

In Docker Hub it is possible to enable an automatic build trigger that is triggered when a dependent repository is updated. This ensures the imago docker container is also up to date automatically instead of only manually when something new is added.

In the container runtime we use, owner/repo is a synonym for docker.io/owner/repo. However, imago doesn't understand that:

2022/11/28 04:00:09     element on element-674f8b8bd4-rfh8w need to be updated from docker.io/vectorim/element-web@sha256:aecc84718746ac455556dcb60a3ad0674c44792bd9e472cd5886da1b0afe6bd3 to vectorim/element-web@sha256:aecc84718746ac455556dcb60a3ad0674c44792bd9e472cd5886da1b0afe6bd3

Likewise, repo is a synonym for docker.io/library/repo. imago doesn't understand that either:

2022/11/28 04:00:08     metrics-proxy on pretix-54f4c584df-bxt2f need to be updated from docker.io/library/nginx@sha256:e209ac2f37c70c1e0e9873a5f7231e91dcd83fdf1178d8ed36c2ec09974210ba to nginx@sha256:e209ac2f37c70c1e0e9873a5f7231e91dcd83fdf1178d8ed36c2ec09974210ba

Wouldn't it be sufficient for imago to check the SHA-256 hash? After all, we don't care how the image is named, if the content is correct.

When running imago outside of the cluster we could use ~/.docker/config.json
When running imago inside the cluster, the secret might be in ServiceAccount instead of imagePullSecrets, or in a file on the node.

We should remove use of log.Fatal() in the code and handle errors for each Deployment/DaemonSet individually.

When using the latest imago, I have clusters running GKE inside GCP. I get the following error message:

$  imago
2020/10/31 14:26:52 no Auth Provider found for name "gcp"

See kubernetes/client-go#242 for the fix.

Hi,

I want to use a label on my kubernetes deployments, so imago will only update the ones which a marked. But I a m not sure how the correct syntax for the command is, and several tries did not work. The label I want to use is:

continous-deployment: true

I've deployed imago as cronjob and in my spec I gave the following args, but this did not work. Imago does not update anything.

                        "containers": [
                            {
                                "args": [
                                    "--update",
                                    "--l=continous-deployment=true"
                                ],
                                "image": "philpep/imago:latest",
                                "imagePullPolicy": "Always",
                                "name": "imago"
                            }

Is this supported and what are the correct args for this? Thanks for any help.

Is there any way to ensure that imago maintains the current architecture when looking for the newest docker image? When upgrading a container that has a multiarch image, it seems to always choose the first (amd64), which causes my raspberry pi (arm) to fail.

For example:

$ curl -X POST https://imago.example.com/deployment/app
{
   "containers": {
        "app": {
           "new": "registry/app@sha256:YYYY",
           "old": "registry/app@sha256:XXXX"
    },
    "initContainers": {}
}

The webhook url could be protected by basic auth / ingress.

Go version 1.16 is not currently released. Downgrade go.mod to 1.15, as you will get errors when trying to build.

Hello,
We are looking for a solution so that our developers can deploy some kubernetes manifest on their local machine using docker-for-desktop (windows/mac) or minikube.
and then been able to build a new image locally and have their pod automatically restarted with this new image.
I have performed some test using imago but was not sucessful.
Any idea on how to make this work ?

Hello ,

Maybe it's docker hub , but here is my deployment:

...
        image: docker.io/library/nextcloud:latest
        imagePullPolicy: Always
...

Imago say :

2022/03/21 09:32:01     app on app-7dfcd6b8c-97gct need to be updated from docker.io/library/nextcloud@sha256:069177198529ce4fcc4705c4d3953082142be7001edf0ee2ba76461fcb1d11df to
docker.io/library/nextcloud@sha256:6bf15beecaeaca23442375182e9cde1c34830cf661fc017b7aba978cdeaa5ca2

kubectl event on deployement restart said :

2s          Normal   Pulling             pod/app-69d94675b7-6gtxc      Pulling image "docker.io/library/nextcloud:latest"
0s          Normal   Pulled              pod/app-69d94675b7-6gtxc      Successfully pulled image "docker.io/library/nextcloud:latest" in 1.484645146s

And describing the pods said :

    Image ID:       docker.io/library/nextcloud@sha256:069177198529ce4fcc4705c4d3953082142be7001edf0ee2ba76461fcb1d11df

So the issue is taht imago see an update hash , but k3s / crictl said that we are already at the last hash of this tag

Have you any idea ?

Hi,

First of all thank you so much for creating such tool. This makes our live easier!

I'm trying to run it on inside a 1.20 k8s cluster using the defautl configuration explained in the readme.
If I use the "--update" flag everything seems to work well:

$ kubectl create job --from=cronjob/imago update-test
$ kubectl logs -f job/update-test                                                                                                                                                                  
2021/01/29 15:56:19 checking test/Deployment/postgres
2021/01/29 15:56:21     postgres ok
2021/01/29 15:56:22 checking test/CronJob/imago
2021/01/29 15:56:23     imago ok

but if I change the "--update" flag to "--restart" I get the following output:

$ kubectl create job --from=cronjob/imago update-test
$  kubectl logs -f job/update-test -
2021/01/29 15:57:16 checking test-trytonacademy/Deployment/postgres
2021/01/29 15:57:16 replicasets.apps "postgres-67c4854f74" is forbidden: User "system:serviceaccount:test:imago" cannot get resource "replicasets" in API group "apps" in the namespace "test"
2021/01/29 15:57:19 checking test-trytonacademy/CronJob/imago

It seems an issue related to permission but I'm unable to fix it. Do you have any clue? Or it is really a bug?
If this is something due to configuration I will be happy to update the documentationt to fix it.

TIA

When running imago in a cron job for a specific namespace, I keep getting an error but no context on it so I can debug:

2023/07/29 10:16:33 checking appsmith/StatefulSet/appsmith
2023/07/29 10:16:35     psql-init-container ok
2023/07/29 10:16:36     redis-init-container ok
2023/07/29 10:16:36     mongo-init-container ok
2023/07/29 10:16:38     appsmith ok
2023/07/29 10:16:38 checking appsmith/StatefulSet/appsmith-mongodb
2023/07/29 10:16:38     mongodb ok
2023/07/29 10:16:38 checking appsmith/StatefulSet/appsmith-mongodb-arbiter
2023/07/29 10:16:38     mongodb-arbiter ok
2023/07/29 10:16:38 checking appsmith/StatefulSet/appsmith-postgresql
2023/07/29 10:16:39     postgresql ok
2023/07/29 10:16:39 checking appsmith/StatefulSet/appsmith-redis-master
2023/07/29 10:16:40     redis ok
2023/07/29 10:16:40 checking appsmith/StatefulSet/appsmith-redis-replicas
2023/07/29 10:16:40     redis ok
2023/07/29 10:16:40 the server could not find the requested resource