2. 2
WHO AM I?
o Consultant at Ordina
o Software architect & developer background
o Interested in: Automation, public cloud in enterprises,
hyperscale software
o Company blog & LinkedIn
7. o Knowing when there is an update
o Knowing what to update
o Knowing how to update
o Validate that the update works
o Rollout to production
7
WHAT IS NEEDED
11. 11
HOW DOES IT WORK
Java project
repo/
├─ src/
├─ Dockerfile
├─ pom.xml
12. 12
HOW DOES IT WORK
Java project
Docker: amazoncorretto:18.0.0
Maven: org.apache.logging.log4j:log4j-core:2.12.2
13. 13
HOW DOES IT WORK
Java project
Docker: amazoncorretto:18.0.0
Maven: org.apache.logging.log4j:log4j-core:2.12.2
amazoncorretto:18.0.1
org.apache.logging.log4j:log4j-core:2.18.0
14. 14
HOW DOES IT WORK
Java project
Docker: amazoncorretto:18.0.0 -> 18.0.1
Maven: org.apache.logging.log4j:log4j-core:2.12.2 -> 2.18.0
15. 15
HOW DOES IT WORK
Java project
Docker: amazoncorretto:18.0.0 -> 18.0.1
Maven: org.apache.logging.log4j:log4j-core:2.12.2 -> 2.18.0
PR: amazoncorretto: 18.0.1
PR: log4j: 2.18.0
16. 16
HOW DOES IT WORK
Java project
PR: amazoncorretto: 18.0.1
PR: log4j: 2.18.0
Build: amazoncorretto: 18.0.1
Build: log4j: 2.18.0
24. 24
HOW DOES RENOVATE WORK
Deployment
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- resources/deployment.yaml
- https://github.com/pietervincken/my-other-service?ref=0.0.0
25. 25
HOW DOES RENOVATE WORK
Deployment
Kubernetes: image: pietervincken/my-java-service:0.0.0
Kustomize: resource: github.com/pietervincken/my-other-service:0.0.0
26. 26
HOW DOES RENOVATE WORK
Deployment
Kubernetes: image: pietervincken/my-java-service:0.0.0
Kustomize: resource: github.com/pietervincken/my-other-service:0.0.0
27. HOW DOES RENOVATE WORK
Deployment
Kubernetes: image: pietervincken/my-java-service:0.0.0 -> 0.0.1
Kustomize: resource: github.com/pietervincken/my-other-service:0.0.0 -> 0.1.0
27
28. HOW DOES RENOVATE WORK
Deployment
my-java-service:0.0.0 -> 0.0.1
my-other-service:0.0.0 -> 0.1.0
PR: my-java-service: 0.0.1
PR: my-other-service: 0.1.0
28
29. HOW DOES RENOVATE WORK
Deployment
PR: my-java-service: 0.0.1
PR: my-other-service: 0.1.0
29
34. HOW DOES IT WORK
Deployment
Kubernetes: image: pietervincken/my-java-service:0.0.1
Kustomize: resource: github.com/pietervincken/my-other-service:0.1.0
34
35. HOW DOES IT WORK
Deployment
Kubernetes: image: pietervincken/my-java-service:0.0.1
Kustomize: resource: github.com/pietervincken/my-other-service:0.1.0
Repository
changed
35
36. HOW DOES IT WORK
Deployment
Build kustomization
36
41. o Inform about the update
o Build confidence in update sources
o Docker hub
o Maven central
o Internal sources
o Start with low impact
o Limit amount of concurrent updates
41
CONVINCE THE BRASS
Baby steps
43. • Conventional commits
• At least semver based tags
• Good automated testing
• -> high level of confidence for auto-merge
• Clear deployment process to (pre-) production
• Automation and configuration as code are key
43
NOT REQUIRED, BUT GOOD TO HAVE
Example of Log4Shell / Log4J vulnerabilty
TODO Embracing updates and upgrading frequently allow for small changes
And very little effort to update. Big bang upgrades are costly.
TODO Upgrading is inevitable. Having an (automated) process in place is key
https://www.comparitech.com/blog/information-security/cybersecurity-vulnerability-statistics/
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
Too this day, still unpatched log4shell systems available…
Renovate -> not only what to update but also how -> Changelog!
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Fictive example!
Fictive example!
Fictive example!
Fictive example!
Fictive example!
You can allow Renovate to merge automatically on successful builds, but in general and definitely when starting to use this, you’ll merge these PRs by hand.
Grab a coffee and scroll through some Reddit posts about how automation makes your life easy!
Fictive example!
Dependency detection: https://docs.renovatebot.com/modules/manager/
Docker-compose, Ansible, Kubernetes, Flux, Helm, kustomize, Terraform, Tekton(?!?)
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Github, Bitbucket, Gitlab, …
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Either automated or manually
Moves through your normal development process
E.g. deploy it to a development environment first. After that’s validated, merge to main for production
Prevent copy paste errors by allowing renovate to update the different environment repositories
Fictive example!
Fictive example!
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
Dependency detection: https://docs.renovatebot.com/modules/manager/
Supported repository systems https://docs.renovatebot.com/#supported-platforms
Renovate:
Scans your repositories to detect package files and their dependencies
Checks if any newer versions exist
Raises Pull Requests for available updates
yaml file extension by Grafix Point from https://thenounproject.com/browse/icons/term/yaml-file-extension
ArgoCD performs API calls based on the YAML it has generated.
The only 2 manual actions we had to do was merge 2 PRs.
Everything else was automated.
Outdated versions
Security vulnerabilties
Only update when new feature needed
Update all depedencies at once -> not a good idea
Small updates, validated, one by one -> way to go
Possibility to limit type of updates
Major / minor / patch
Limit what to update
In/exclude update sources (E.g. only internal container registry)
Auto-merge trusted sources
E.g. in-house maintained libraries
Auto-merge low impact targets
E.g. supporting application
Limit number of PRs
Grouping similar updates
Limiting PRs by design
Custom/additional upgrade steps through scripts
Zalando’s, Netflixes and Tesla’s of the world are build to change.
The fast moving companies are able to adapt quickly and efficiently
The key to move fast is to often in small steps. Big leaps rarely work out.