A utility that updates a Kubernetes deployment based on a Quay.io webhook.
Updatekate allows a Kubernetes deployment update to be included as part of a CI/CD workflow without `kubectl` needing to be installed on the build box. This is especially useful for builds directly on Quay or in GKE environments where auth is more problematic (`gcloud` CLI etc.). By providing a webhook on success it also allows post-deployment steps such as interface or load testing to be performed.
Basic workflow is this:

- Updatekate starts and pulls the following info from the ENV:
  - `UK_NAMESPACE`: The k8s namespace where the target deployment lives - defaults to `default`
  - `UK_DEPLOYMENT`: The k8s deployment to update - empty by default
  - `UK_REPO`: The repository to allow updates from - empty by default
  - `UK_WEBHOOK`: A webhook to invoke upon success - empty by default
  - `UK_INFO`: Setting to `false` disables the `/info` endpoint, which could possibly leak sensitive data - defaults to `true` (i.e. the endpoint is enabled by default)
- It then listens on container port 8888 for a Quay.io webhook POST to `/webhook`. See the Quay.io docs for the expected webhook format. It also exposes `/info`, which returns the deployment's JSON.
- When a webhook is received it checks the version of the deployment's container image against the updated tags in the webhook. Semantic versioning rules are used to evaluate which versions are newer. For example: `1.0.0` > `0.5.0`, `0.0.2-SNAPSHOT` < `0.0.2-SNAPSHOT.2`, etc. See the docs of the semver library used for the full rules.
- If a newer tag is found the deployment is updated to use that image. Updatekate then polls the deployment's status up to 10 times (with incremental backoff) or until at least 1 container is available.
- After a successful deployment update, updatekate will POST a simple chunk of JSON to the webhook, if one is provided. todo: add json sample
By restricting image updates to a single repository, updatekate essentially restricts updates to those allowed to push to your repo. Note that this holds only as far as the webhook endpoint is reachable solely by Quay.io: the workflow above describes no authentication of the POST itself, so any client that can reach port 8888 can submit a payload naming your repository and a newer tag. Opening a listening port also exposes the system to the typical vulnerabilities (DDoS etc.), so restrict access to port 8888 at the network level. Unless needed for debugging, the `/info` endpoint should also be disabled (`UK_INFO=false`).
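As an added example (not code from the updatekate project), the following Go program models the two decisions described above: rejecting any push whose repository is not `UK_REPO`, and choosing the newest tag in a push by semantic-versioning precedence, including the prerelease rule behind `0.0.2-SNAPSHOT` < `0.0.2-SNAPSHOT.2`. The payload and its `repository` / `updated_tags` field names are assumed to follow Quay's documented push notification format and are constructed here, not captured from Quay; the program needs Go 1.21 or later for the `cmp` and `slices` packages.

```go
package main

import (
	"cmp"
	"encoding/json"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// QuayPush holds the push-webhook fields used here; the JSON names are assumed from Quay's docs.
type QuayPush struct {
	Repository  string   `json:"repository"`
	UpdatedTags []string `json:"updated_tags"`
}

// version is a parsed semantic version: MAJOR.MINOR.PATCH plus prerelease identifiers.
type version struct {
	core [3]int
	pre  []string
}

// ParseVersion parses "1.2.3", "v1.2.3" or "1.2.3-rc.1"; non-semver tags like "latest" return false.
func ParseVersion(tag string) (version, bool) {
	var v version
	core, pre, hasPre := strings.Cut(strings.TrimPrefix(tag, "v"), "-")
	if hasPre {
		v.pre = strings.Split(pre, ".")
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, false
		}
		v.core[i] = n
	}
	return v, true
}

// cmpIdent orders one prerelease identifier per semver: numerics compare as integers
// and rank below alphanumerics, which compare in ASCII order.
func cmpIdent(a, b string) int {
	an, aErr := strconv.Atoi(a)
	bn, bErr := strconv.Atoi(b)
	switch {
	case aErr == nil && bErr == nil:
		return cmp.Compare(an, bn)
	case aErr == nil:
		return -1
	case bErr == nil:
		return 1
	}
	return strings.Compare(a, b)
}

// Compare orders by numeric core, then prerelease: a release outranks any prerelease, identifiers
// compare pairwise, and on a tie the longer list wins, which is why 0.0.2-SNAPSHOT < 0.0.2-SNAPSHOT.2.
func Compare(a, b version) int {
	if c := slices.Compare(a.core[:], b.core[:]); c != 0 {
		return c
	}
	if len(a.pre) == 0 || len(b.pre) == 0 {
		return cmp.Compare(len(b.pre), len(a.pre))
	}
	return slices.CompareFunc(a.pre, b.pre, cmpIdent)
}

// NewestTag models the webhook decision: a push for any repository other than allowedRepo (UK_REPO)
// is rejected; otherwise the highest pushed tag newer than the current image tag is returned, or "".
func NewestTag(payload []byte, allowedRepo, currentImage string) (string, error) {
	var push QuayPush
	if err := json.Unmarshal(payload, &push); err != nil {
		return "", err
	}
	if push.Repository != allowedRepo {
		return "", fmt.Errorf("push for %q ignored: only %q may trigger updates", push.Repository, allowedRepo)
	}
	best, ok := ParseVersion(currentImage[strings.LastIndex(currentImage, ":")+1:]) // tag after the last ':'
	if !ok {
		return "", fmt.Errorf("current image %q has no semver tag", currentImage)
	}
	newest := ""
	for _, t := range push.UpdatedTags {
		if v, ok := ParseVersion(t); ok && Compare(v, best) > 0 {
			best, newest = v, t
		}
	}
	return newest, nil
}

// SamplePush is a constructed payload for illustration, not one captured from Quay.
const SamplePush = `{"repository":"myorg/api","updated_tags":["latest","0.0.2-SNAPSHOT.2","0.0.1"]}`

func main() {
	tag, err := NewestTag([]byte(SamplePush), "myorg/api", "quay.io/myorg/api:0.0.2-SNAPSHOT")
	fmt.Println(tag, err) // 0.0.2-SNAPSHOT.2 <nil>
}
```

`NewestTag` skips non-semver tags such as `latest` rather than treating them as newer, and returns an empty string when nothing in the push outranks the running image, which is exactly the case in which no rollout should be triggered. The repository check runs before any tag is looked at, mirroring the `UK_REPO` restriction described above.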
```sh
# get source
git clone https://github.com/tingold/updatekate.git
cd updatekate
# install glide for dependencies (read the script before piping a download into sh)
curl https://glide.sh/get | sh
glide install
# build it
go build
```