This project aims to ease continuous delivery of docker images in a kubernetes cluster.
Imago is the last stage of an
insect, it also refer to
imago looks for kubernetes
configuration and update them to use the latest image sha256 digest from
the docker repository.
This is useful to handle the following cases:
- image is rebuilt for security fixes
- ensure all pods use exactly the same image
- image is rebuilt by CI for continuous delivery
imago ensure your pods are running the latest build.
How it works ?
imago looks for
CronJob configuration, get the
latest sha256 digest from registry and update containers specifications
to set image to the corresponding
It track the original image specification in the
Alternatively, with the
-restart option, it check running pods sha256 and
just restart resource that need to use newer images (assuming imagePullPolicy
is Always). This method is slower than
-update but it leave the container
image in manifests untouched.
$ imago --help Usage of imago: -A Check deployments and daemonsets on all namespaces (shorthand) (default false) -all-namespaces Check deployments and daemonsets on all namespaces (default false) -check-pods check image digests of running pods (default false) -field-selector string Kubernetes field-selector example: metadata.name=myapp -kubeconfig string kube config file (default "~/.kube/config") -l string Kubernetes labels selectors Warning: applies to Deployment, DaemonSet, StatefulSet and CronJob, not pods ! -n value Check deployments and daemonsets in given namespaces (default to current namespace) -restart rollout restart deployments and daemonsets to use newer images, implies -check-pods and assume imagePullPolicy is Always (default false) -update update deployments and daemonsets to use newer images (default false) -x value Check deployments and daemonsets in all namespaces except given namespaces (implies --all-namespaces)
imago doesn't update your deployments, unless invoked with
--check-pods is a less intrusive mode where update is done only if
one of the running pods doesn't run on latest digest image.
$ imago --update 2019/02/11 17:55:21 checking default/Deployment/aptly: 2019/02/11 17:55:21 aptly ok 2019/02/11 17:55:21 nginx ok 2019/02/11 17:55:22 checking default/Deployment/kibana: 2019/02/11 17:55:22 kibana ok 2019/02/11 17:55:22 nginx ok 2019/02/11 17:55:22 update default/Deployment/philpep.org 2019/02/11 17:55:22 checking DaemonSet/fluentd: 2019/02/11 17:55:22 fluentd has to be updated from r.in.philpep.org/fluentd to r.in.philpep.org/fluentd@sha256:6a92af8a9db2ca243e0eba8d401cec11b124822e15b558b35ab45825ed4d1f54 2019/02/11 17:55:22 update default/DaemonSet/fluentd
Install and run
From the command line
Assuming you have a working
~/.kube/config file, just download and
build the code:
$ go get github.com/philpep/imago/... $ $(go env GOPATH)/bin/imago --help
From the docker image
Assuming you have a working
$ docker pull philpep/imago $ docker run --rm -it -u $(id -u) -v ~/.kube/config:/var/lib/imago/.kube/config philpep/imago --help
From a pre-built binary
Check releases page.
Inside the cluster
You can run
imago inside the cluster, for instance in a
kubernetes object that runs every day.
$ kubectl apply -f deploy/serviceaccount.yaml $ kubectl apply -f deploy/cronjob.yaml
Image will looks for docker registry credentials in ~/.docker/config.json (e.g.
/var/lib/imago/.docker/config.json in docker image).
So, in case you're using
imagePullSecrets, you will have to mount the secret here.