I am currently switching from docker compose to kubernetes. Along with that, I am changing from using the :latest tag on everything to explicit versions.
Now, it’s a lot of work to check all the GitHub pages for the releases and updating.
Is there some kind of dashboard that ideally would show me (per app) the version I am running vs. the current version from GitHub? (With a link to the release notes, while we are at it…).
Or is my workflow wrong to begin with? (Haven’t looked too deep into something like argocd, maybe that’s the answer?)
Wow, thanks for all the great answers so far. As for why not latest:
- Read a lot online and read multiple times it’s “bad practice”
- Own experience: had latest on an app which crashed and wouldn’t come up again. Got the backup of the persistent volume back and then had the problem that latest at that point is not the same as latest when I spun it up. Actually had no idea which version I was running last and consequently what I would need to pull to fit my backup. In case I have to restore my cluster, this problem is multiplied.
- I run NixOS on everything, so I am clearly biased towards reproducibility.
- I am running Services for family and a fire brigade (nothing mission critical, just support stuff, but still…). Stability is important, as sometimes I do not have the time to immediately react to an issue. I prefer a lazy Sunday morning to update/fix and then leave it alone and stable.
So, probably a combination of latest for low criticality and pinned on critical stuff (e.g. authentication, access, etc.)
It is bad practice because of point 2 and if you have multiple replicas you can probably get different versions running simultaneously (never tried it). Get Rennovate. It creates PRs to increment the version number and it tries to give you the release notes right in the PR.
Just FYI - you’re going to spend far, FAR more time and effort reading release notes and manually upgrading containers than you will letting them run :latest and auto-update and fixing the occasional thing when it breaks. Like, it’s not even remotely close.
Pinning major versions for certain containers that need specific versions makes sense, or containers that regularly have breaking changes that require you to take steps to upgrade, or absolute mission-critical services that can’t handle a little downtime with a failed update a couple times a decade, but for everything else it’s a waste of time.
I always use a version tag, but I don’t spend any time reading release notes for 95% of my containers. I’ll go through and update versions a couple times a year. If something breaks, at least I know that it broke because I updated it and I can troubleshoot then. The main consideration for me is to not accidentally update and then having a surprise problem to deal with.
Renovate bot is the answer. I self host it. Feel free to ask questions
This. Helm charts and renovate. The (frequently) included release notes help ease upgrades. If the charts / apps you deploy publish good release notes, you will get them in the renovate, easing your mind when upgrading.
It’s not perfect. Some don’t publish release notes, or the release notes only include the chart changes and not app changes. But if provided, there’s a link to the source to double check.
Also having something like ArgoCD that allows you to preview chart changes before syncing is very useful.
I generally just use latest for most services. For critical stuff I pin the major version number. Also anything that doesn’t gracefully handle major version updates like Postgres and similar.
If something breaks I fix it, or restore from the nightly backup if I can’t.
When using semantic versioning of anything, it’s an intention to run that specific version. AKA version pinning or locking. Meaning you DON’T want it automatically updating unless you do it manually.
You especially don’t want this happening in a k8s cluster if you intend to run replicas with pulls enabled for obvious reasons.
As for being notified of updates, there are some tools out there for this, but I believe they only check for pulling specific tags, or latest tag. The way container registries work wouldn’t make it obvious what exactly you’d want to update, because there is no concept of tag inheritance. This means if a new tag showed up in a repo, you wouldn’t know if it’s an update to your specific current version of aomething, or just another tag. They don’t work like packages in this sense.
