mod is a universal package manager complements task runners and build tools like make and variant.
It turns any set of files in Git/S3/GCS/HTTP as a reusable module with managed, versioned dependencies.
Think of it as a vgo, npm, bundle alternative, but for any project.
Let's assume you have a Dockerfile to build a Docker image containing specific version of helm:
Dockerfile:
FROM alpine:3.9
ARG HELM_VERSION=2.14.2
ADD http://storage.googleapis.com/kubernetes-helm/${HELM_FILE_NAME} /tmp
RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp \
&& mv /tmp/linux-amd64/helm /bin/helm \
&& rm -rf /tmp/* \
&& /bin/helm init --client-only
With mod, you can automate the process of occasionally updating the version number in HELM_VERSION.
Replace the hard-coded version number 2.14.2 with a template expression {{ .helm_version }}, that refers to the latest helm version which is tracked by mod:
Dockerfile.tpl:
FROM alpine:3.9
ARG HELM_VERSION={{ .helm_version }}
ADD http://storage.googleapis.com/kubernetes-helm/${HELM_FILE_NAME} /tmp
RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp \
&& mv /tmp/linux-amd64/helm /bin/helm \
&& rm -rf /tmp/* \
&& /bin/helm init --client-only
Create a variant.mod that defines:
- How you want to fetch available version numbers of
helm(dependencies.helm) - Which file to update/how to update it according to which variable managed by
mod:
variant.mod:
provisioners:
files:
Dockerfile:
source: Dockerfile.tpl
arguments:
helm_version: "{{ .helm.version }}"
helm:
releasesFrom:
githubReleases:
source: helm/helm
version: "> 1.0.0"
Dockerfile(Updated automatically by mod:
FROM alpine:3.9
ARG HELM_VERSION=2.14.3
ADD http://storage.googleapis.com/kubernetes-helm/${HELM_FILE_NAME} /tmp
RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp \
&& mv /tmp/linux-amd64/helm /bin/helm \
&& rm -rf /tmp/* \
&& /bin/helm init --client-only
Run mod build and see mod retrieves the latest version number of helm that satisfies the semver constraint > 1.0.0 and updates your Dockerfile by rendering Dockerfile.tpl accordingly.
- Automate Any-Dependency Updates with GitHub Actions v2
- Use mod-action, a GitHub action for running mod to periodically run
modand submit a pull request to update everything managed viamodautomatically
- Use mod-action, a GitHub action for running mod to periodically run
- Automating container image updates
- Initializing repository manually created from a GitHub Repository Template
- Configure your CI to run
mod up --build --pull-request --title "Initialize this repository"in response to "repository created" webhook and submit a PR for initialization
- Configure your CI to run
- Create and initialize repository from a GitHub Repository Template
- Run
mod create myorg/mytemplate-repo myorg/mynew-repo --build --pull-request
- Run
- Automatically update container image tags in git-managed CRDs (See flux#1194 for the motivation
mod is basically the package manager for any make/variant-based project with git support. mod create creates a new project from a template repo by rendering all the gomplate-like template on init.
mod up updates dependencies of the project originally created from the template repo, re-rendering required files.
You can define one or more stages so that mod can update stages one by one promoting revisions tested with previous stages to later stages.
Let's say you want three stages, development, staging and production, where development stage has test envirnoment associated, and staging stage has manual and stress environemnts, and production stage has prod environment associated.
stages:
- name: development
environments:
- test
- name: staging
environments:
- qa
- stress
- name: production
environments:
- prod
provisioners:
files:
helmfile:
path: states/helmfile.{{ .stage.environment }}.yaml
source: templates/helmfile.yaml.tpl
arguments:
MYAPP_VERSION: "{{ .stage.dependencies.myapp.version }}"
dependencies:
myapp:
releasesFrom:
dockerImageTags:
source: example.com/myorg/myapp
version: "> 0.1.0"
When there's any update in dependencies, you will firstly deploy it to the test environment by running:
$ mod up development --build --pull-request
This command updates the list of dependencies, and updates the development stage if and only if there were one or more new versions of dependencies.
mod delegates the actual update for the development stage to your CD system. That's done by mod generating the desired state of the development stage by executing the file provider defined in the config.
In the above example, the desired state is rendered from the template file located at states/helmfile.test.yaml, whose content is generated by rendering the go template templates/helmfile.yaml.tpl, as defined in the config.
The environment name listed in stage's environments is available for use in file provisioner's arguments, so that you can generate the desired state depending on the environment included in the stage.
For development stage, path: states/helmfile.{{ .stage.environment }}.yaml is evaluated to states/helmfile.test.yaml, which is why mod up development --build updates states/helmfile.test.yaml.
In addition to generating the desired state, due to that the --pull-request flag is provided, mod automatically creates a pull request to update a gitops config repo, which is then reviewed and merged by your team.
Once the pull request has been merged and deployed, you can run the below command to promote the previous deployment passed the test stage to the next staging stage:
$ mod up staging --build --pull-request
For the above example, updating staging stage results in updating states/helmfile.qa.yaml and states/helmfile.stress.yaml.
For example, merging the pull request updating those two files should result in updating qa and stress Kubernetes clusters, so that the new revision can be tested by respective teams.
After your QA team finished testing it in qa and your peformance team finished testing it in the stress environments, you can finally ship it to production:
$ mod up production --build --pull-request
As you might have guessed, this updates states/helmfile.prod.yaml, and merging the pull request updating it should trigger a production deployment.
Navigate to the following examples to see practical usage of mod:
- examples/eks-k8s-vers for updating your [eksctl] cluster on new K8s release
- examples/image-tag-in-dockerfile-and-config for updating your
Dockerfileand.circleci/config.ymlon new Golang release
Under provisioners[].files, you can write a JSON object whose keys are destination file paths and values are URLs of remote source files.
URLs are go-getter URLs. We altered a custom logic for auto-detecting go-getter protocol from an URL so you usually have a better result by specifing the protocol explicitly.
That said, when you'd like to let mod download README.md from a GitHub repository at OWNER/REPO from the latest tag
that is greater than 0.1, you compose your variant.mod configuration file like below.
provisioners:
files:
testout/foo.md:
source: git::https://github.com/OWNER/REPO.git@README.md?ref=v{{.myservice.version}}
dependencies:
myservice:
releasesFrom:
githubReleases:
source: OWNER/REPO
version: "> 0.1"go-getter's git protocol supports private repositories as it runs the real git command under the hood that uses your SSH private key for authentication. That means mod supports downloading files from private GitHub repositories, too!
mod provides a custom go-getter protocol implementation named githubdownload. This implementation, as it's name states, allows you to easily download release assets from GitHub repositories.
Let's say you want mod to download a asset named some.txt for the latest release that is greater than 0.1, you write variant.mod configuration like:
provisioners:
files:
testout/sha512sum.txt:
source: githubdownload::https://github.com/OWNER/REPO/releases/download/v${myservice.version}/some.txt
dependencies:
myservice:
releasesFrom:
githubReleases:
source: OWNER/REPO
version: "> 0.1"As similar as the go-getter's standard git protocol, this supports downloading from private repositories, too, but with another authentication method. It automatically reads the GITHUB_TOKEN environment variable for a GitHub personal access token, and uses that for authentication.
Under the hood, mod transform the remote source file URL to a series of GitHub API calls, to figure out the asset ID of the named asset, and finally download the asset as a binary file by sending GitHub a GET HTTP request for https://api.github.com/repos/OWNER/REPO/releases/assets/ASSET_ID with Accept: application/octet-stream.
So, if you had questioned yourself why you can't just use go-getter's https support for downloading release assets, the answer is- it isn't actually like literally HTTP-getting https://github.com/OWNER/REPO/releases/download/v${myservice.version}/some.txt :)
regexpReplace updates any text file like Dockerfile with regular expressions.
Let's say you want to automate updating the base image of the below Dockerfile:
FROM helmfile:0.94.0
RUN echo hello
You can write a variant.mod file like the below so that mod knows where is the image tag to be updated:
provisioners:
regexpReplace:
Dockerfile:
from: "(FROM helmfile:)(\\S+)(\\s+)"
to: "${1}{{.Dependencies.helmfile.version}}${3}"
dependencies:
helmfile:
releasesFrom:
dockerImageTags:
source: quay.io/roboll/helmfile
version: "> 0.94.0"Setting provisioners.executables.NAME.platforms[].docker allows you to run mod exec -- NAME $args where the executable is backed by a docker image which is managed by mod.
variant.mod:
parameters:
defaults:
version: "1.12.6"
provisioners:
executables:
dockergo:
platforms:
# Adds $VARIANT_MOD_PATH/mod/cache/CACHE_KEY/dockergo to $PATH
# Or its shim at $VARIANT_MOD_PATH/MODULE_NAME/shims
- docker:
command: go
image: golang
tag: '{{.version}}'
volume:
- $PWD:/work
workdir: /work
$ go version
go version go1.12.7 darwin/amd64
$ mod exec -- dockergo version
go version go1.12.6 linux/amd64The following template functions are available for use within template provisioners:
{{ hasKey .Foo.Bar "mykey" }}returnstrueif.Foo.Baris amap[string]interface{}and the value for the keymykeyis set.{{ trimSpace .Str }}removes spaces, tabs, and new-lines from.Str``
The dockerImageTags dependency provider accepts the host field to customize the
host that serves the Registry v2 API.
For example, AWS ECR uses <MY_AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com as the host. With that in mind, you might be able to update the tag of the base image hosted on ECR within your Dockerfile by something like the below:
Dockerfile:
FROM <MY_AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/actions-runner-controller:0.24.0
variant.mod:
provisioners:
regexpReplace:
Dockerfile:
from: "(FROM <MY_AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/actions-runner-controller:)(\\S+)(\\s+)"
to: "${1}{{.Dependencies.arc.version}}${3}"
dependencies:
arc:
releasesFrom:
dockerImageTags:
source: actions-runner-controller
host: <MY_AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com
version: "> 0.24.0"Beware that you must set DOCKER_USERNAME and DOCKER_PASSWORD when running the mod build command. The username is AWS and the password can be obtained via aws ecr get-login-password as of July 2022.
$ export DOCKER_USERNAME=AWS
$ export DOCKER_PASSWORD=$(docker run -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --rm -it amazon/aws-cli ecr get-login-password)
$ mod build
#=> This will read the `./variant.mod` file shown above and updates the `./Dockerfile`.Assuming there's a image tag 0.25.0 that is newer than 0.24.0 on ECR(as you specified so in variant.mod with "> 0.24.0"), the Dockerfile would get updated with:
FROM <MY_AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/actions-runner-controller:0.25.0