Automating component image updates in BKPR

The Bitnami Kubernetes Production Runtime (BKPR) is a curated collection of services running on top of your existing Kubernetes cluster with the aim of automating the configuration of public access, logging and monitoring, and management of DNS records and TLS certificates. Read the Bitnami Kubernetes Production Runtime announcement to learn more about the motivation behind the development of BKPR.

One of our goals for BKPR is to provide cluster administrators with software components that are up-to-date and regularly patched for security vulnerabilities. The Bitnami toolchain publishes new Docker images on a daily cadence, providing software updates and, more importantly, addressing security vulnerabilities. Keeping up with the release frequency of the Bitnami toolchain is an arduous task, so we needed to automate the process of updating the images used in BKPR.

Workflow

We had two goals in mind while designing the process for updating the component images in the BKPR manifests:

  • Automate image update pull request creation
  • Exercise control over the changes that are merged

The first part would fully automate the discovery of new image releases and the creation of pull requests with the updates, while the second part would require review by the BKPR project maintainers before the updates are accepted and merged by the CI/CD pipeline.

The workflow can be summed up by the following sequence of steps:

  1. Detect new image releases
  2. Determine if the BKPR versioning policy permits the update
  3. Create a pull request with the update
  4. Review of changes by BKPR project maintainers
  5. Merge the changes using the CI/CD pipeline

Implementation

The first step in the automation task was checking if the Docker images used in each maintenance branch of BKPR had any available updates. All Docker images used in BKPR are listed in the images.json file of the BKPR manifests. For each image used in the manifests, we needed to look up the Docker Hub registry to check for newer releases.

Docker Hub offers a convenient API endpoint for getting the list of all published tags for any Docker image released at Docker Hub. For example, using the following curl command, we can get the list of all tags published for the bitnami/prometheus image on Docker Hub.

curl https://registry.hub.docker.com/v1/repositories/bitnami/prometheus/tags

Once we had the published image tags, the next step was to determine if the BKPR manifests should be updated. While the latest versions can be applied to the development (master) branch, the BKPR versioning policy only permits PATCH version updates for maintenance branches. This required us to scan all the released tags and pick the right version for each maintenance branch of BKPR.

For the final step of the automation, the hub command-line tool was used to create a pull request with the changes to the BKPR project. The tool also allowed us to tag the BKPR project maintainers to review these pull requests.

A Bash script was developed with this logic, and a Jenkins job was set up to launch the script every day.
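As an added example (not the BKPR project's own script), the following shell functions show the first two steps of the workflow: extracting tag names from the Docker Hub tags response and applying the versioning policy, i.e. the newest release for the development (master) branch and only a newer PATCH release in the same MAJOR.MINOR series for a maintenance branch. It assumes the tags endpoint returns JSON objects with a "name" field and treats only plain MAJOR.MINOR.PATCH tags as release versions; the JSON below is constructed sample data, not a real registry response.

```shell
#!/usr/bin/env bash
# Constructed stand-in for the JSON returned by the Docker Hub tags endpoint
# queried with curl above (sample data, not a real registry response).
SAMPLE_JSON='[{"layer":"","name":"latest"},{"layer":"","name":"2.3.1"},
{"layer":"","name":"2.3.2"},{"layer":"","name":"2.3.4"},{"layer":"","name":"2.4.0"},
{"layer":"","name":"2.4.1"},{"layer":"","name":"3.0.0"},{"layer":"","name":"2.3.4-debian-9-r12"}]'

# Pull the tag names out of the tags JSON, one per line.
tag_names() {
  printf '%s\n' "$1" | grep -o '"name": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# Keep only plain MAJOR.MINOR.PATCH tags, sorted ascending by numeric component
# ("latest" and suffixed tags such as 2.3.4-debian-9-r12 are dropped; restricting
# the policy check to plain versions is an assumption of this example).
semver_tags() {
  tag_names "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' | sort -t. -k1,1n -k2,2n -k3,3n
}

# Newest release overall: what the development (master) branch may pick up.
latest_version() {
  semver_tags "$1" | tail -n 1
}

# Newest PATCH release in the same MAJOR.MINOR series as the version currently
# pinned in images.json: the only update the maintenance-branch policy permits.
# Prints nothing when the branch is already current, so no pull request is opened.
patch_update() {
  current=$1 series=${1%.*} newest=""
  for tag in $(semver_tags "$2"); do
    [ "${tag%.*}" = "$series" ] && newest=$tag
  done
  if [ -n "$newest" ] && [ "$newest" != "$current" ]; then
    printf '%s\n' "$newest"
  fi
}

# Stand-alone demo (the real job runs once a day from Jenkins).
echo "master -> $(latest_version "$SAMPLE_JSON")"
update=$(patch_update 2.3.1 "$SAMPLE_JSON")
echo "maintenance branch pinned at 2.3.1 -> ${update:-no update permitted}"
```

In the daily job, the output of patch_update for each image in images.json is what decides whether a pull request is created at all.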

The automation in action

bitnami-bot pull requests

With all the pieces of the automation in place, the automation script started picking up new image releases from the Docker Hub registry and submitting pull requests with the updates for review by the BKPR project maintainers.

Users of the Bitnami Kubernetes Production Runtime can now be assured that their BKPR-enabled Kubernetes clusters are running the best and most secure software coming out of the Bitnami toolchain.

Development of the Bitnami Kubernetes Production Runtime takes place on GitHub under the Apache-2.0 license. Please try it out for your cluster and applications. We welcome your thoughts, feedback and contributions.

Useful resources

Check out the following resources to learn more about BKPR: