k3s/updatecli/README.md

3.1 KiB

Updatecli automation

Note: This automation is still work in progress and subject to change. For more information, please consult PR #6559.

This project uses Updatecli to automate and orchestrate security related updates and versions bumps in K3s.

Tool

We use Updatecli for this automation, instead of Dependabot or Renovate, because of its extensibility and multiple plugins resources that allow greater flexibility when automating sequences of conditional update steps across multiple repos.

For detailed information on how to use Updatecli, please consult its documentation page.

Scope

The main usage of Updatecli is for:

  • Bumping versions in unstructured formats, e.g., environment variables in Dockerfiles and by matching regular expressions.
  • Scripting the automation process, e.g., update package A in repo B after package X in repo Y matches a pre-defined version criteria.

Not in scope

  • Updatecli will only open a pull request in the targeted repo. It's not responsible for approving and merging the PR.
  • The resulting PR must still follow the rules of the targeted repo, e.g., passing checks, QA testing, review process etc.

Project organization

A manifest or pipeline consists of three stages - source, condition and target - that define how to apply the update strategy.

When adding a new manifest, please follow the example structure defined below.

.
└── updatecli
    ├── scripts                            # Contains the auxiliary scripts used in the manifests
    ├── updatecli.d
    │   ├── golang-alpine.yaml             # Ideally each pipeline file corresponds to a dependency update
    │   ├── helm-controller.yaml
    │   ├── klipper.yaml
    └── values.yaml                        # Configuration values

Local testing

Local testing of manifests require:

  1. Updatecli binary that can be download from updatecli/updatecli#releases. Test only with the latest stable version.
    1. Always run locally with the command diff, that will show the changes without actually applying them.
  2. A GitHub PAT (personal access token). The only required permission scope for Updatecli to work, when targeting only public repos, is public_repo.
    1. For obvious security reasons and to avoid leaking your GH PAT, export it as a local environment variable.
export UPDATECLI_GITHUB_TOKEN="your GH PAT"
updatecli diff --clean --config updatecli/updatecli.d/ --values updatecli/values.yaml            

Contributing

Everyone is free to contribute with new manifests and pipelines for security version bumps targeting Rancher owned repos.

Before contributing, please follow the guidelines provided in this readme and make sure to test locally your changes before opening a PR.