Merge pull request #3 from bryopsida/implement-fetch-images-job

Build image list of running images in cluster

Author: bryopsida

Makefile

@@ -0,0 +1,6 @@
+HELM_NAMESPACE ?= patchwork
+HELM_RELEASE_NAME ?= patchwork
+HELM_IMAGE_TAG ?= main
+
+helmDeploy:
+	helm upgrade --install --namespace=$(HELM_NAMESPACE) $(HELM_RELEASE_NAME) charts/patchwork --set image.tag=$(HELM_IMAGE_TAG) --debug --wait $(HELM_EXTRA_ARGS)

README.md

@@ -1,34 +1,18 @@
-# Nest.JS Starter Template
+# Patchwork
 
-## What's Included
+## What does this do?
 
-- OpenAPI/Swagger
-- Health EP `/health`
-- Helmet
-- Dockerfile
-- Helm Chart
-- GitHub Action workflows to lint, test, build image, and verify helm chart
+This inspects your statefulsets, daemonsets, deployments and checks the associated registries to see if the tag has been updated. If an update is available it triggers a rollout on that resource. This is very early in development and should not be run in production servers.
 
-## NPM Scripts
+## What are the current limitations
 
-| Syntax             | Description                                                         |
-| ------------------ | ------------------------------------------------------------------- |
-| minikube:start     | Creates a minikube cluster for testing                              |
-| minikube:stop      | Stops the minikube cluster                                          |
-| minikube:delete    | Deletes the minikube cluster                                        |
-| minikube:copyImage | Load the build image from build:image into the minikube cluster     |
-| build              | Compile the TypeScript to JavaScript                                |
-| build:image        | Build the container image                                           |
-| build:docs         | Builds the docs folder                                              |
-| start:dev          | Run the server with hot reloading on save                           |
-| start              | Start the server                                                    |
-| lint               | Check if code passes linting rules                                  |
-| lint:fix           | Automatically fix any formatting or linting rules that can be fixed |
-| helm:deploy        | Deploy the chart with the local to your cluster                     |
-| helm:uninstall     | Delete the chart release from your cluster                          |
-| helm:test          | Run the packaged tests (postman) for the helm release               |
-| test               | Run the unit tests                                                  |
+This is still very early in development and has a few limitations.
 
-## How to use published chart
+1. Does not support private registries
+2. Does not pull updates for things without `imagePullPolicy = Always`
+3. Only supports querying `linux/arm64` image repositories at the moment
+4. Only looks for updates to the same tag, IE for cases where base patches have been pushed to a tag
 
-First add the repo `helm repo add nestjs-starter  https://bryopsida.github.io/nestjs-starter/`, then fetch updates `helm repo update`, and finally, install with `helm upgrade --install starter nestjs-starter/nestjs-starter --wait`.
+## How to deploy
+
+First add the repo `helm repo add patchwork  https://bryopsida.github.io/patchwork/`, then fetch updates `helm repo update`, and finally, install with `helm upgrade --install patchwork patchwork/patchwork --wait`.

charts/patchwork/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: patchwork
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.1
+version: 0.2.2
 appVersion: '0.1.0'
 dependencies:
   - name: redis

charts/patchwork/templates/rbac.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-patchwork-updater
+rules:
+# need to be able to fetch pull secrets to interact with private registries
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+# meed to to be able to fetch indivudal pods to lookup image hashes
+# need to be able to lookup images on node and the node arch
+- apiGroups: [""]
+  resources: ["pods", "nodes"]
+  verbs: ["get", "list", "watch"]
+# need to be able to lookup/list and patch apps
+- apiGroups: ["apps"]
+  resources: ["deployments", "daemonsets", "statefulsets"]
+  verbs: ["get", "list", "watch", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-patchwork-updater
+subjects:
+- kind: ServiceAccount
+  name: {{ include "nestjs-starter.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-patchwork-updater
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/patchwork/values.yaml

@@ -13,6 +13,9 @@ imagePullSecrets: []
 nameOverride: ''
 fullnameOverride: ''
 
+rbac:
+  # if set, the chart will create a clusterrole and rolebinding to give it the permissions its needs
+  create: truewq
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -62,11 +65,11 @@ ingress:
 
 resources:
   limits:
-    cpu: 100m
-    memory: 128Mi
+    cpu: 500m
+    memory: 256Mi
   requests:
-    cpu: 100m
-    memory: 128Mi
+    cpu: 250m
+    memory: 256Mi
 
 autoscaling:
   enabled: false

package-lock.json

@@ -20,7 +20,8 @@
     "services:start": "docker-compose up -d",
     "services:stop": "docker-compose down",
     "start": "nest start",
-    "start:dev": "nest start --watch | pino-pretty",
+    "start:dev:prettyLogs": "nest start --watch | pino-pretty",
+    "start:dev": "nest start --watch | jq -R '. as $line | try (fromjson) catch $line'",
     "test": "jest --coverage",
     "lint": "eslint --ext .ts src/ && prettier --check .",
     "lint:fix": "eslint --ext .ts src/ --fix && prettier --write .",
@@ -37,6 +38,7 @@
     "@nestjs/schedule": "^3.0.1",
     "@nestjs/swagger": "^7.0.1",
     "@nestjs/terminus": "^10.0.1",
+    "@snyk/docker-registry-v2-client": "^2.10.0",
     "bull": "^4.10.4",
     "fast-json-patch": "^3.1.1",
     "helmet": "^7.0.0",

package.json

@@ -4,6 +4,8 @@ import { RegistryService } from './registry.service'
 import { BullModule } from '@nestjs/bull'
 import { ImageListWorker } from './image-list.consumer'
 import { TaskRegisterService } from './task-register.service'
+import { KubernetesModule } from '../kubernetes/kubernetes.module'
+import { ImageDescriptorWorker } from './image-descriptor.consumer'
 
 @Module({
   imports: [
@@ -13,8 +15,13 @@ import { TaskRegisterService } from './task-register.service'
     BullModule.registerQueue({
       name: 'analyzer.check.updates',
     }),
+    BullModule.registerQueue({
+      name: 'patcher.update',
+    }),
+    KubernetesModule,
   ],
   providers: [
+    ImageDescriptorWorker,
     ImageService,
     RegistryService,
     ImageListWorker,

src/analyzer/analyzer.module.ts

@@ -0,0 +1,112 @@
+import { Processor, Process, InjectQueue } from '@nestjs/bull'
+import { Logger } from '@nestjs/common'
+import { Job, Queue } from 'bull'
+import { ImageDescriptor } from '../kubernetes/k8s.service'
+import { getManifest, contentTypes } from '@snyk/docker-registry-v2-client'
+@Processor('analyzer.check.updates')
+export class ImageDescriptorWorker {
+  private readonly logger = new Logger(ImageDescriptorWorker.name)
+  private readonly patchQueue: Queue
+
+  constructor(@InjectQueue('patcher.update') queue: Queue) {
+    this.patchQueue = queue
+  }
+
+  @Process()
+  async fetchImageList(job: Job<ImageDescriptor>) {
+    try {
+      this.logger.debug(
+        `Checking for updates of ${job.data.repository}:${
+          job.data.tag
+        } used by ${
+          job.data.owner.namespace
+        }/${job.data.owner.type.toString()}/${job.data.owner.name}`
+      )
+      // split on / check for a . in the first snippet
+      const parts = job.data.repository.split('/')
+      // this may not be universarlly true
+      const isDockerIo = parts[0].indexOf('.') === -1
+      const dockerIoRegistryDomain = 'registry-1.docker.io'
+      const dockerIo = 'docker.io'
+      const registry = isDockerIo
+        ? 'registry-1.docker.io'
+        : parts[0] === dockerIo
+        ? dockerIoRegistryDomain
+        : parts[0]
+      const repo = isDockerIo
+        ? parts.length === 1
+          ? `library/${job.data.repository}`
+          : job.data.repository
+        : parts[0] === dockerIo
+        ? job.data.repository.substring(dockerIo.length + 1)
+        : job.data.repository.substring(registry.length + 1)
+      this.logger.debug(
+        `Fetching manifest for registry = ${registry}, repo = ${repo}, tag = ${job.data.tag}`
+      )
+      const reqOptions =
+        registry === 'ghcr.io'
+          ? {
+              acceptManifest: `${contentTypes.MANIFEST_V2}, ${contentTypes.MANIFEST_LIST_V2}, ${contentTypes.OCI_INDEX_V1}, ${contentTypes.OCI_MANIFEST_V1}`,
+            }
+          : undefined
+      const manifest = await getManifest(
+        registry,
+        repo,
+        job.data.tag,
+        undefined,
+        undefined,
+        reqOptions,
+        {
+          os: 'linux',
+          architecture: job.data.arch,
+        }
+      )
+      if (manifest == null || manifest?.indexDigest == null) {
+        this.logger.warn(
+          'Failed to get a workable manifest for %s with tag %s from registry %s',
+          repo,
+          job.data.tag,
+          registry
+        )
+      }
+      this.logger.debug(
+        `Fetched manifest digest = ${manifest?.indexDigest}, running hash = ${job.data.hash}, repo = ${job.data.repository}`,
+        manifest
+      )
+      if (
+        manifest.indexDigest !== job.data.hash &&
+        manifest.indexDigest != null
+      ) {
+        this.logger.warn(
+          `Found an update for ${registry}/${repo}:${job.data.tag}`
+        )
+        // queueu work for the patcher
+        await this.patchQueue.add({
+          ...job.data,
+          ...{
+            currentSha: job.data.hash,
+            targetSha: manifest.indexDigest,
+          },
+        })
+        return {
+          detectedUpdate: true,
+          current: job.data.hash,
+          detectedLatest: manifest.indexDigest,
+        }
+      } else {
+        return {
+          detectedUpdate: false,
+          current: job.data.hash,
+          detectedLatest: manifest.indexDigest,
+        }
+      }
+    } catch (err) {
+      this.logger.error(
+        `Error while checking for updates for ${job.data.repository}:${job.data.tag}: ${err.message}`,
+        null,
+        err
+      )
+      throw err
+    }
+  }
+}