Using Image Scan to Update Container Image References

Image scan in fleet allows you to scan your image repository, fetch the desired image and update your git repository, without the need to manually update your manifests.

Caution: This feature is considered experimental.

Go to fleet.yaml and add the following section.

    imageScans:
    # specify the policy to retrieve images, can be semver or alphabetical order
    - policy:
        # if range is specified, it will take the latest image according to semver order in the range
        # for more details on how to use semver, see https://github.com/Masterminds/semver
        semver:
          range: "*"
        # can use ascending or descending order
        alphabetical:
          order: asc
      # specify images to scan
      image: "your.registry.com/repo/image"
      # Specify the tag name, it has to be unique in the same bundle
      tagName: test-scan
      # specify secret to pull image if in private registry
      secretRef:
        name: dockerhub-secret
      # Specify the scan interval
      interval: 5m

Info: You can create multiple image scans in fleet.yaml.

Go to your manifest files and update the field that you want to replace. For example:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: redis-slave
    spec:
      selector:
        matchLabels:
          app: redis
          role: slave
          tier: backend
      replicas: 2
      template:
        metadata:
          labels:
            app: redis
            role: slave
            tier: backend
        spec:
          containers:
          - name: slave
            image: <image>:<tag> # {"$imagescan": "test-scan"}
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
            ports:
            - containerPort: 6379

Note: There are multiple forms of tagName you can reference. For example:

{"$imagescan": "test-scan"}: Use the full image name (foo/bar:tag)

{"$imagescan": "test-scan:name"}: Only use the image name without the tag (foo/bar)

{"$imagescan": "test-scan:tag"}: Only use the image tag

{"$imagescan": "test-scan:digest"}: Use the full image name with digest (foo/bar:tag@sha256…)
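A check for the markers described above, as an added example (not part of the Fleet documentation or Fleet's own code): it verifies that every `$imagescan` marker in a manifest refers to a tagName defined in fleet.yaml, uses one of the suffixes listed in the note, and that each tagName is defined only once. The function names, the regex-based parsing and the sample input are assumptions made for this illustration.

```python
import re
from collections import Counter

# Marker forms listed on this page: a bare tagName, or tagName plus one suffix.
SUFFIXES = {"name", "tag", "digest"}
MARKER = re.compile(r'#\s*\{\s*"\$imagescan"\s*:\s*"([^"]*)"\s*\}')
TAGNAME = re.compile(r'^\s*tagName:\s*["\']?([^\s"\'#]+)', re.MULTILINE)

def defined_tag_names(fleet_yaml: str) -> list[str]:
    """Collect every tagName value found in the fleet.yaml text."""
    return TAGNAME.findall(fleet_yaml)

def lint(fleet_yaml: str, manifest: str) -> list[str]:
    """Return readable problems; an empty list means markers and scans line up."""
    names = defined_tag_names(fleet_yaml)
    problems = [f"fleet.yaml: tagName {n!r} defined {c} times"
                for n, c in Counter(names).items() if c > 1]
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        match = MARKER.search(line)
        if not match:
            continue
        ref, _, suffix = match.group(1).partition(":")
        if ref not in names:
            problems.append(f"line {lineno}: marker references unknown tagName {ref!r}")
        if suffix and suffix not in SUFFIXES:
            problems.append(f"line {lineno}: unknown marker suffix {suffix!r}")
    return problems

# Constructed sample input, not taken from a real repository.
FLEET_YAML = """\
imageScans:
- image: "your.registry.com/repo/image"
  tagName: test-scan
  interval: 5m
"""
MANIFEST = """\
containers:
- name: slave
  image: your.registry.com/repo/image:1.0.0 # {"$imagescan": "test-scan:digest"}
- name: sidecar
  image: your.registry.com/repo/other:1.0.0 # {"$imagescan": "test-scna"}
- name: init
  image: your.registry.com/repo/image # {"$imagescan": "test-scan:latest"}
"""

if __name__ == "__main__":
    print("\n".join(lint(FLEET_YAML, MANIFEST)))
```

Running it against the repository before committing catches a misspelled tagName or suffix while the mismatch is still local.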

Create a GitRepo that includes your fleet.yaml:

    kind: GitRepo
    apiVersion: fleet.cattle.io/v1alpha1
    metadata:
      name: my-repo
      namespace: fleet-local
    spec:
      # change this to be your own repo
      repo: https://github.com/rancher/fleet-examples
      # define how long it will sync all the images and decide to apply change
      imageScanInterval: 5m
      # user must properly provide a secret that has write access to git repository
      clientSecretName: secret
      # specify the commit pattern
      imageScanCommit:
        authorName: foo
        # placeholder: set the e-mail address to record as the commit author
        authorEmail: "<author-email>"
        messageTemplate: "update image"

Try pushing a new image tag, for example, <image>:<new-tag>. After a while, a new commit should be pushed to your git repository that changes the tag in deployment.yaml. Once the change is in the git repository, fleet will read it and deploy it into your cluster.