Community

Blog Events Webinars Tutorials Forum
  1. Blog
  2. Events
  3. Webinars
  4. Tutorials
  5. Forum
Create Account
×
Community Blog Use Git, Appcenter, and Container Registry to Create a GitOps Pipeline to Automate Container Image Updates

Use Git, Appcenter, and Container Registry to Create a GitOps Pipeline to Automate Container Image Updates

This article describes how to use Git, appcenter, and Container Registry to create a GitOps pipeline to automate container image updates for applications deployed in ACK.

By Liusheng

Overview

This article describes how to use Git, appcenter, and Container Registry to create a GitOps pipeline to automate container image updates for applications deployed in Container Service for Kubernetes (ACK).

This example shows how appcenter automatically monitors image updates in a Container Registry repository. If an image tag that matches the specified filter condition is updated, the following pipeline is triggered:

1

You can use a third-party Continuous Integration (CI) system to complete the following CI pipeline:

2

After the CI system pushes a container image of an application to a Container Registry repository, the Continuous Delivery (CD) pipeline is triggered, and the container image of the application is updated.

Limits

  • The GitOps pipeline is only available for applications created using appcenter 2.2.5.1 or later.
  • The GitOps pipeline is only available for applications whose manifests are rendered and managed using Kustomize or Helm.
  • The GitOps pipeline only takes effect on applications using the auto-sync update policy.
  • The credentials used to pull private images must be stored in the cluster where appcenter is deployed. Appcenter cannot retrieve credentials from other clusters.

Getting-Started

An Overview of an Application Example

The GitHub address of the application used in this example: https://github.com/haoshuwei/guestbook.git

You must log on to GitHub and create a branch within your account for the application. This allows data center to update the container image of the application and write the updated container image back to the GitHub repository automatically.

The orchestration catalog of the application named guestbook:

├── helm
│   ├── Chart.yaml
│   ├── templates
│   │   ├── frontend-deployment.yaml
│   │   ├── frontend-service.yaml
│   │   ├── ingress.yaml
│   │   ├── redis-master-deployment.yaml
│   │   ├── redis-master-service.yaml
│   │   ├── redis-slave-deployment.yaml
│   │   └── redis-slave-service.yaml
│   ├── values-idc.yaml
│   └── values.yaml
└── README.md

The guestbook image is in the frontend Deployment of the guestbook application. The following code block shows the relevant parameters in the values.yaml file:

frontend:
  replicaCount: 3
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
    tag: "v1"

Specify the Container Registry Credentials Appcenter Uses to Check Image Repositories Periodically

Specify the Container Registry credentials appcenter uses to check image repositories periodically and perform the following steps to modify the ConfigMap named argocd-image-updater-config in the appcenter namespace:

$ kubectl -n appcenter get cm argocd-image-updater-config -oyaml
apiVersion: v1
data:
  registries.conf: |
    registries:
    - name: AlibabaCloud Container Registry
      api_url: https://registry.cn-hangzhou.aliyuncs.com
      prefix: registry.cn-hangzhou.aliyuncs.com
      credentials: secret:appcenter/acr#acr
kind: ConfigMap
metadata:
  name: argocd-image-updater-config
  namespace: appcenter
  • name: The name of the image repository
  • api_url: The API endpoint of the image repository
  • prefix: The prefix of the image repository
  • credentials: The credentials used to access the image repository. The credentials must be in the following format: secret:<secret_namespace>/<secret_name>#<your_key>

Run the following command to configure a Secret named acr in the appcenter namespace

The Secret is used by appcenter to access the image repository in the cn-hongkong region:

$ kubectl -n appcenter apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: acr
type: Opaque
stringData:
  acr: <your_username>:<your_password>
EOF

Note: Replace <your_username>:<your_password> with the credentials of your image repository.

Use Appcenter to Create an Application from an Image Stored in a Git Repository

Create an application in the console: https://www.alibabacloud.com/help/en/container-service-for-kubernetes/latest/application-management-create-an-application-by-using-a-git-repository

Step 1: Use Appcenter to Create an Application Named Guestbook

Use appcenter to create an application named guestbook. The example of the yaml orchestration of the application is listed below:

$ kubectl -n appcenter get application guestbook -oyaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: appcenter
spec:
  destination:
    namespace: guestbook
    server: https://192.168.0.32:6443
  project: default
  source:
    helm:
      valueFiles:
      - values.yaml
    path: helm
    repoURL: https://github.com/haoshuwei/guestbook.git
targetRevision: main

Step 2: Specify the auto-sync Update Policy for the Guestbook Application

$ cat <<EOF > syncPolicy.patch
spec:
  syncPolicy:
    automated: {}
EOF

$ kubectl -n appcenter patch Application guestbook --type=merge -p "$(cat syncPolicy.patch)"

Step 3: Configure an Automatic Container Image Update for the Guestbook Application

$ cat <<EOF > imageUpdate.patch
metadata:
  annotations:
    argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
    argocd-image-updater.argoproj.io/guestbook.helm.image-name: frontend.image.repository
    argocd-image-updater.argoproj.io/guestbook.helm.image-tag: frontend.image.tag
EOF

$ kubectl -n appcenter patch Application guestbook --type=merge -p "$(cat imageUpdate.patch)"

You can use an annotation in the following format to specify one or more container images:

argocd-image-updater.argoproj.io/image-list: <image_spec_list>

<image_spec_list> specifies a list of container images re separated by commas (,). The container image list must be in the following format:

[<alias_name>=]<image_path>[:<version_constraint>]

You can use an annotation in the following format to specify how to update image name and image tag for applications whose manifests are rendered and managed using Helm:

argocd-image-updater.argoproj.io/<alias_name>.helm.<image_name>: <helm_values>
argocd-image-updater.argoproj.io/<alias_name>.helm.<image_tag>: <helm_values>

If the image parameters of the frontend component in the values.yaml file of the guestbook application are set to the following values:

frontend:
  replicaCount: 3

  image:
    repository: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
tag: "v1"

The corresponding annotation is:

argocd-image-updater.argoproj.io/guestbook.helm.image-name: frontend.image.repository
argocd-image-updater.argoproj.io/guestbook.helm.image-tag: frontend.image.tag

Step 4: Configure the Git Write-Back Feature to Write the Updated Image of the Guestbook Application Back to the Git Repository

$ cat <<EOF > gitWriteback.patch
metadata:
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git
EOF

$ kubectl -n appcenter patch Application guestbook --type=merge -p "$(cat gitWriteback.patch)"

Verify That the Container Image Is Updated Automatically

Push the new guestbook image:

$ docker tag registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v1 registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4
$ docker push registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4

Print the log of the argocd-image-updater component in the appcenter namespace:

$ kubectl -n appcenter logs -f argocd-image-updater-<xxx>
$ kubectl -n appcenter logs -f argocd-image-updater-<xxx>
time="2022-03-28T07:28:27Z" level=info msg="Successfully updated image 'registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v1' to 'registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4', but pending spec update (dry run=false)" alias=guestbook application=guestbook image_name=haoshuwei24/guestbook image_tag=v1 registry=registry.cn-hangzhou.aliyuncs.com
time="2022-03-28T07:28:27Z" level=info msg="Committing 1 parameter update(s) for application guestbook" application=guestbook

Check whether the guestbook application generates a file named .argocd-source-guestbook.yaml on GitHub:

3

Check whether the guestbook application is updated to the latest container image:

$ kubectl -n guestbook get deploy frontend -ojsonpath="{.spec.template.spec.containers[0].image}" 
registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4

Configuration Parsing

Configuration of Key Credential

We demonstrated an example of appcenter automatically monitoring ACR image repository changes and updating the application in the sample application of the guestbook.

This process involves the key credentials:

  • The Container Registry access credential of appcenter regularly checking the ACR image repository
  • The Git access credentials of appcenter writing back the change information of the application container image to the Git system

(1) Please see this link for the Container Registry access credential of appcenter regularly checking the ACR image repository.

(2) Configuring the Git Credentials access credential of appcenter write-back application container image change information to the Git System. There are two ways to configure the Git Credentials:

  • Use the Git credentials stored in appcenter. The credentials are created when you create the corresponding application in the appcenter.

Example:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
argocd-image-updater.argoproj.io/write-back-method: git
  • Use the Git credentials stored in a Secret:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git:secret:appcenter/git-creds

git:secret:appcenter/git-creds indicates a Secret named git-creds in the appcenter namespace. The following code block shows how to create the Secret:

$ kubectl -n appcenter create secret generic git-creds \
  --from-literal=username=<your_username> \
  --from-literal=password=<your_password>

Configure a Container Image Update

Annotation Format

You can add an annotation to an application created in appcenter to specify one or more container images to be automatically updated. The annotation must be in the following format:

argocd-image-updater.argoproj.io/image-list: <image_spec_list>

<image_spec_list> specifies a list of container images separated by commas (,). You must specify container images in the following format:

[<alias_name>=]<image_path>[:<version_constraint>]

The format of the image will be explained below.

Image Tag Filter Conditions

You can configure two types of image tag filter conditions to limit the image tags that can trigger image updates. The registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook image is used as an example in the following filter conditions.

(1) The following filter condition allows all tags to trigger image updates:

argocd-image-updater.argoproj.io/image-list: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook

(2) The following filter condition only allows tags that match the regular expression to trigger image updates:

argocd-image-updater.argoproj.io/<image_name>.allow-tags: <match_func>

The value of the <match_func> parameter must be in the following format, in which <expression> specifies a standard regular expression.

regexp:<expression>

Please use the following annotation to only allow tags from v2 to v9 to trigger image updates:

argocd-image-updater.argoproj.io/<image_name>.allow-tags: regexp:^v[1-9]

Specify an Alias for a Container Image

You can specify an alias for a container image and then use the alias in relevant configurations. Container image aliases can only contain letters. You can only use container image aliases in the image-list annotation, as shown in the following example:

argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook

guestbook is the alias of the registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook image.

Configure a Container Image Update Policy

The following table describes the container image update policies you can configure. The default container image update policy is semver.

Policy Description
semver Update to the latest image version in a list sorted based on semantic versions
latest Update to the latest image version in a list sorted based on creation dates
name Update to the latest image version in an alphabetically sorted list
digest Update to the latest image version pushed with a mutable tag

The annotation must be in the following format:

argocd-image-updater.argoproj.io/<image_name>.update-strategy: <strategy>

The following example shows how to specify the latest policy for the guestbook=registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook image:

argocd-image-updater.argoproj.io/guestbook.update-strategy: latest

Parameter Settings for Helm Orchestration Application

The image update annotation may specify multiple container images. For example, the image update annotation for the guestbook application specifies frontend.image.repository, frontend.image.tag, redis.master.image.repository, and redis.master.image.tag. The annotation must be in the following format:

annotations:
  argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook,redis-master=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/redis
  argocd-image-updater.argoproj.io/guestbook.helm.image-name: frontend.image.repository
  argocd-image-updater.argoproj.io/guestbook.helm.image-tag: frontend.image.tag
  argocd-image-updater.argoproj.io/redis-master.helm.image-name: redis.master.image.repository
  argocd-image-updater.argoproj.io/redis-master.helm.image-tag: redis.master.image.tag

Parameter Settings for Kustomize Orchestration Application

You must specify the aliases of the new images and the addresses of the original images. You can include image tags in image aliases but cannot include image tags in image addresses. The annotation must be in the following format:

annotations:
  argocd-image-updater.argoproj.io/image-list: <image_alias>=<image_name>:<image_tag>
  argocd-image-updater.argoproj.io/<image_alias>.kustomize.image-name: <original_image_name>

Example:

annotations:
  argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
  argocd-image-updater.argoproj.io/guestbook.kustomize.image-name: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
DevOps Computing Developers Container Service Container Registry GitOps Git appcenter
0 0 0
Share on

Read previous post:

Kubernetes File Collection Practices: Sidecar + hostPath Volumes

Read next post:

ACK One GitOps Security Model

Alibaba Container Service

120 posts | 26 followers

You may also like

Comments

Alibaba Container Service

120 posts | 26 followers

Related Products

More Posts by Alibaba Container Service

See All