By Liusheng
This article describes how to use Git, appcenter, and Container Registry to create a GitOps pipeline to automate container image updates for applications deployed in Container Service for Kubernetes (ACK).
This example shows how appcenter automatically monitors image updates in a Container Registry repository. If an image tag that matches the specified filter condition is updated, the following pipeline is triggered:
You can use a third-party Continuous Integration (CI) system to complete the following CI pipeline:
After the CI system pushes a container image of an application to a Container Registry repository, the Continuous Delivery (CD) pipeline is triggered, and the container image of the application is updated.
auto-sync update policy.
The GitHub address of the application used in this example: https://github.com/haoshuwei/guestbook.git
You must log on to GitHub and create a branch within your account for the application. This allows data center to update the container image of the application and write the updated container image back to the GitHub repository automatically.
The orchestration directory of the application named guestbook:
├── helm
│   ├── Chart.yaml
│   ├── templates
│   │   ├── frontend-deployment.yaml
│   │   ├── frontend-service.yaml
│   │   ├── ingress.yaml
│   │   ├── redis-master-deployment.yaml
│   │   ├── redis-master-service.yaml
│   │   ├── redis-slave-deployment.yaml
│   │   └── redis-slave-service.yaml
│   ├── values-idc.yaml
│   └── values.yaml
└── README.md
The guestbook image is in the frontend Deployment of the guestbook application. The following code block shows the relevant parameters in the values.yaml file:
frontend:
  replicaCount: 3
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
    tag: "v1"
Specify the Container Registry credentials appcenter uses to check image repositories periodically and perform the following steps to modify the ConfigMap named argocd-image-updater-config in the appcenter namespace:
$ kubectl -n appcenter get cm argocd-image-updater-config -oyaml
apiVersion: v1
data:
  registries.conf: |
    registries:
    - name: AlibabaCloud Container Registry
      api_url: https://registry.cn-hangzhou.aliyuncs.com
      prefix: registry.cn-hangzhou.aliyuncs.com
      credentials: secret:appcenter/acr#acr
kind: ConfigMap
metadata:
  name: argocd-image-updater-config
  namespace: appcenter
The credentials value is in the following format: secret:<secret_namespace>/<secret_name>#<your_key>
Run the following command to configure a Secret named acr in the appcenter namespace. The Secret is used by appcenter to access the image repository in the cn-hongkong region:
$ kubectl -n appcenter apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: acr
type: Opaque
stringData:
  acr: <your_username>:<your_password>
EOF
Note: Replace <your_username>:<your_password> with the credentials of your image repository.
Create an application in the console: https://www.alibabacloud.com/help/en/container-service-for-kubernetes/latest/application-management-create-an-application-by-using-a-git-repository
Use appcenter to create an application named guestbook. The following YAML shows the orchestration of the application:
$ kubectl -n appcenter get application guestbook -oyaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: appcenter
spec:
  destination:
    namespace: guestbook
    server: https://192.168.0.32:6443
  project: default
  source:
    helm:
      valueFiles:
      - values.yaml
    path: helm
    repoURL: https://github.com/haoshuwei/guestbook.git
    targetRevision: main
auto-sync Update Policy for the Guestbook Application
$ cat <<EOF > syncPolicy.patch
spec:
  syncPolicy:
    automated: {}
EOF
$ kubectl -n appcenter patch Application guestbook --type=merge -p "$(cat syncPolicy.patch)"
$ cat <<EOF > imageUpdate.patch
metadata:
  annotations:
    argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
    argocd-image-updater.argoproj.io/guestbook.helm.image-name: frontend.image.repository
    argocd-image-updater.argoproj.io/guestbook.helm.image-tag: frontend.image.tag
EOF
$ kubectl -n appcenter patch Application guestbook --type=merge -p "$(cat imageUpdate.patch)"
You can use an annotation in the following format to specify one or more container images:
argocd-image-updater.argoproj.io/image-list: <image_spec_list>
<image_spec_list> specifies a list of container images separated by commas (,). The container image list must be in the following format:
[<alias_name>=]<image_path>[:<version_constraint>]
You can use an annotation in the following format to specify how to update the image name and image tag for applications whose manifests are rendered and managed using Helm:
argocd-image-updater.argoproj.io/<alias_name>.helm.<image_name>: <helm_values>
argocd-image-updater.argoproj.io/<alias_name>.helm.<image_tag>: <helm_values>
If the image parameters of the frontend component in the values.yaml file of the guestbook application are set to the following values:
frontend:
  replicaCount: 3
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
    tag: "v1"
The corresponding annotation is:
argocd-image-updater.argoproj.io/guestbook.helm.image-name: frontend.image.repository
argocd-image-updater.argoproj.io/guestbook.helm.image-tag: frontend.image.tag
$ cat <<EOF > gitWriteback.patch
metadata:
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git
EOF
$ kubectl -n appcenter patch Application guestbook --type=merge -p "$(cat gitWriteback.patch)"
Push the new guestbook image:
$ docker tag registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v1 registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4
$ docker push registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4
Print the log of the argocd-image-updater component in the appcenter namespace:
$ kubectl -n appcenter logs -f argocd-image-updater-<xxx>
time="2022-03-28T07:28:27Z" level=info msg="Successfully updated image 'registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v1' to 'registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4', but pending spec update (dry run=false)" alias=guestbook application=guestbook image_name=haoshuwei24/guestbook image_tag=v1 registry=registry.cn-hangzhou.aliyuncs.com
time="2022-03-28T07:28:27Z" level=info msg="Committing 1 parameter update(s) for application guestbook" application=guestbook
Check whether the guestbook application generates a file named .argocd-source-guestbook.yaml on GitHub:
Check whether the guestbook application is updated to the latest container image:
$ kubectl -n guestbook get deploy frontend -ojsonpath="{.spec.template.spec.containers[0].image}"
registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v4
The guestbook sample application above showed how appcenter automatically monitors an ACR image repository for changes and updates the application.
This process involves the following key credentials:
(1) The Container Registry access credential that appcenter uses to check the ACR image repository regularly. Please see this link.
(2) The Git credentials that appcenter uses to write container image changes of the application back to the Git system. There are two ways to configure the Git credentials:
Example:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd-image-updater.argoproj.io/write-back-method: git:secret:appcenter/git-creds
git:secret:appcenter/git-creds indicates a Secret named git-creds in the appcenter namespace. The following code block shows how to create the Secret:
$ kubectl -n appcenter create secret generic git-creds \
  --from-literal=username=<your_username> \
  --from-literal=password=<your_password>
You can add an annotation to an application created in appcenter to specify one or more container images to be automatically updated. The annotation must be in the following format:
argocd-image-updater.argoproj.io/image-list: <image_spec_list>
<image_spec_list> specifies a list of container images separated by commas (,). You must specify container images in the following format:
[<alias_name>=]<image_path>[:<version_constraint>]
The format of the image will be explained below.
You can configure two types of image tag filter conditions to limit the image tags that can trigger image updates. The registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook image is used as an example in the following filter conditions.
(1) The following filter condition allows all tags to trigger image updates:
argocd-image-updater.argoproj.io/image-list: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
(2) The following filter condition only allows tags that match the regular expression to trigger image updates:
argocd-image-updater.argoproj.io/<image_name>.allow-tags: <match_func>
The value of the <match_func> parameter must be in the following format, in which <expression> specifies a standard regular expression.
regexp:<expression>
Use the following annotation to only allow tags from v2 to v9 to trigger image updates:
argocd-image-updater.argoproj.io/<image_name>.allow-tags: regexp:^v[2-9]$
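An added example, not code from the original article or from argocd-image-updater: it reads updater log lines like the ones printed earlier and lists the updates whose new tag a given allow-tags value does not admit, comparing the unanchored ^v[1-9] with the anchored ^v[2-9]$. The log lines and the registry.example.test image name are constructed, the function names are hypothetical, and Go's regexp package is assumed to behave like the updater's matcher.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines, modelled on the updater log format shown above.
const sampleLog = `time="2022-03-28T07:28:27Z" level=info msg="Successfully updated image 'registry.example.test/demo/guestbook:v1' to 'registry.example.test/demo/guestbook:v4', but pending spec update (dry run=false)" application=guestbook
time="2022-03-29T09:10:02Z" level=info msg="Successfully updated image 'registry.example.test/demo/guestbook:v4' to 'registry.example.test/demo/guestbook:v10', but pending spec update (dry run=false)" application=guestbook
time="2022-03-30T11:45:40Z" level=info msg="Successfully updated image 'registry.example.test/demo/guestbook:v10' to 'registry.example.test/demo/guestbook:v5-debug', but pending spec update (dry run=false)" application=guestbook`

// updateRe captures the old and new image reference of each update message.
var updateRe = regexp.MustCompile(`Successfully updated image '([^']+)' to '([^']+)'`)

// tagOf returns the tag: the text after a colon that follows the last slash.
func tagOf(ref string) string {
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[i+1:]
	}
	return ""
}

// DisallowedUpdates returns every new image reference in logText whose tag is
// not matched by an allow-tags value of the form regexp:<expression>.
func DisallowedUpdates(logText, allowTags string) ([]string, error) {
	if !strings.HasPrefix(allowTags, "regexp:") {
		return nil, fmt.Errorf("unsupported match function %q", allowTags)
	}
	re, err := regexp.Compile(strings.TrimPrefix(allowTags, "regexp:"))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, m := range updateRe.FindAllStringSubmatch(logText, -1) {
		if !re.MatchString(tagOf(m[2])) {
			bad = append(bad, m[2])
		}
	}
	return bad, nil
}

func main() {
	for _, policy := range []string{"regexp:^v[1-9]", "regexp:^v[2-9]$"} {
		bad, err := DisallowedUpdates(sampleLog, policy)
		fmt.Println(policy, "flags", bad, err)
	}
}
```

With ^v[1-9] nothing is flagged, because v10 and v5-debug also begin with v followed by a digit from 1 to 9. The anchored pattern flags both.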
You can specify an alias for a container image and then use the alias in relevant configurations. Container image aliases can only contain letters. You can only use container image aliases in the image-list annotation, as shown in the following example:
argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
guestbook is the alias of the registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook image.
The following table describes the container image update policies you can configure. The default container image update policy is semver.
Policy | Description |
semver | Update to the latest image version in a list sorted based on semantic versions |
latest | Update to the latest image version in a list sorted based on creation dates |
name | Update to the latest image version in an alphabetically sorted list |
digest | Update to the latest image version pushed with a mutable tag |
The annotation must be in the following format:
argocd-image-updater.argoproj.io/<image_name>.update-strategy: <strategy>
The following example shows how to specify the latest policy for the guestbook=registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook image:
argocd-image-updater.argoproj.io/guestbook.update-strategy: latest
The image update annotation may specify multiple container images. For example, the image update annotation for the guestbook application specifies frontend.image.repository, frontend.image.tag, redis.master.image.repository, and redis.master.image.tag. The annotation must be in the following format:
annotations:
  argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook,redis-master=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/redis
  argocd-image-updater.argoproj.io/guestbook.helm.image-name: frontend.image.repository
  argocd-image-updater.argoproj.io/guestbook.helm.image-tag: frontend.image.tag
  argocd-image-updater.argoproj.io/redis-master.helm.image-name: redis.master.image.repository
  argocd-image-updater.argoproj.io/redis-master.helm.image-tag: redis.master.image.tag
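An added example, not code from the original article or from argocd-image-updater: a lint that parses an image-list value in the [<alias_name>=]<image_path>[:<version_constraint>] format and reports entries whose registry host is not one of the prefix values in registries.conf. The function names, the sample value and the policy that every auto-updated image must come from a configured registry are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageSpec is one entry: [<alias_name>=]<image_path>[:<version_constraint>]
type ImageSpec struct{ Alias, Path, Constraint string }

// Constructed value: the page's two images plus one from another region.
const sampleImageList = "guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook:v1,redis-master=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/redis,registry.cn-hongkong.aliyuncs.com/haoshuwei24/guestbook"

// ParseImageList splits a comma-separated image-list annotation value.
func ParseImageList(value string) ([]ImageSpec, error) {
	var specs []ImageSpec
	for _, raw := range strings.Split(value, ",") {
		s, item := ImageSpec{}, strings.TrimSpace(raw)
		// "=" separates the alias only when it precedes the image path.
		if i := strings.Index(item, "="); i >= 0 && !strings.ContainsAny(item[:i], "/:") {
			s.Alias, item = item[:i], item[i+1:]
		}
		// A colon after the last slash starts the constraint; an earlier one is a port.
		s.Path = item
		if i := strings.LastIndex(item, ":"); i > strings.LastIndex(item, "/") {
			s.Path, s.Constraint = item[:i], item[i+1:]
		}
		if s.Path == "" {
			return nil, fmt.Errorf("entry without an image path in %q", value)
		}
		specs = append(specs, s)
	}
	return specs, nil
}

// UnconfiguredRegistries lists image paths whose registry host is not in prefixes.
func UnconfiguredRegistries(specs []ImageSpec, prefixes map[string]bool) []string {
	var out []string
	for _, s := range specs {
		if host := strings.SplitN(s.Path, "/", 2)[0]; !prefixes[host] {
			out = append(out, s.Path)
		}
	}
	return out
}

func main() {
	specs, err := ParseImageList(sampleImageList)
	fmt.Println(specs, err, UnconfiguredRegistries(specs, map[string]bool{"registry.cn-hangzhou.aliyuncs.com": true}))
}
```

The cn-hongkong entry is reported because only the cn-hangzhou prefix is passed in as configured.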
You must specify the aliases of the new images and the addresses of the original images. You can include image tags in image aliases but cannot include image tags in image addresses. The annotation must be in the following format:
annotations:
  argocd-image-updater.argoproj.io/image-list: <image_alias>=<image_name>:<image_tag>
  argocd-image-updater.argoproj.io/<image_alias>.kustomize.image-name: <original_image_name>
Example:
annotations:
  argocd-image-updater.argoproj.io/image-list: guestbook=registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook
  argocd-image-updater.argoproj.io/guestbook.kustomize.image-name: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/guestbook