Automating Lagoon Image updates from Upstream Source images

Toby Bellwood - Jul 14 '21 - - Dev Community

As Lagoon images ordinarily extend “Docker Official” images with tooling and configuration necessary for Lagoon, we have a dependency on these upstream images. To date, we haven’t been able to exert much control over which versions of these images we use to build our versions. As we were refactoring the release process anyway, it made sense to look more closely at which exact versions of upstream images we consume, and how we could avoid additional burden in tracking them.

We identified that to specify exact versions in our Dockerfiles, and then to have an automated dependency resolution system watch these, and submit pull requests to us for any updates would be the most automated solution to this. We selected Whitesource Renovate for this purpose – the level of control over how these updates are selected was by far the most customizable for our needs. We didn’t want a situation where a Node.js 14 update was submitted for a Node.js 12 image, or where the PHP base version for two different images wasn’t simultaneously updated. We also wanted to be able to control whether a particular image got updates based on patch or minor releases.

We are always actively working on the configuration for Renovate and will continue to fine-tune it. Having pull requests created for every upstream version change will also optimise the generation of automated changelogs (using the excellent Release Drafter GitHub Action we were already using on Lagoon).

In early 2020, we made the first steps in aligning all our base images on Alpine 3.11, and because of this work, it has been much easier to upgrade to Alpine 3.12 and 3.13 along the way. Now that Alpine 3.14 has been released we will continue to monitor our upstreams, and once the balance of our images is available, we will commence the testing process.

We've also integrated vulnerability scanning into the CI process - using Aqua Security's Trivy scanner to scan each image as it's created and saving the results in the CI run. We'll cover securities and vulnerabilities in a later post!

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .