Updatecli Policy
Warning: This feature is experimental. All feedback is welcome.
Description
As the number of updatecli policies grows, we need a way to scale updatecli: something between what we have today, a duplicated manifest in each Git repository, and the Autodiscovery feature.
We want to reuse updatecli policies across many projects. We want to write updatecli policies once and reuse them everywhere.
For example:
Enforcing the same Golang version across a GitHub organization.
Automating custom tooling updates for a GitLab organization.
Reusing the same updatecli manifest with different parameters on different schedules, such as minor and patch updates every week and major updates every month.
Policy
An updatecli policy is described by a Policy.yaml file.
An updatecli policy is a bundle composed of an updatecli manifest, a values file, and secrets files. This bundle is identified by a reference such as ghcr.io/updatecli/policies/policies/npm/autodiscovery:latest.
Policy.yaml
Name | Type | Description | Required |
---|---|---|---|
authors | array | Authors is a list of authors of the policy | |
changelog | string | Changelog is the URL of the policy changelog | |
description | string | Description is the policy description | |
documentation | string | Documentation is the URL of the policy documentation | |
licenses | array | Licenses is the policy license | |
source | string | Source is the URL of the policy source code | |
url | string | URL is the URL of the policy source code | |
vendor | string | Vendor is the policy vendor | |
version | string | Version is the policy version; it must be semantic versioning compliant without the leading v | |
Version
An updatecli policy is versioned using the semantic versioning specification.
When a policy is published to a registry, its version is automatically taken from the version value defined in the Policy.yaml file.
latest
When using a policy, the version "latest" resolves to the latest available version of the policy according to semantic versioning rules.
digest
An updatecli policy version is mutable: a later push can overwrite it. To pin an exact, immutable version of a policy, reference it by its digest:
ghcr.io/olblak/policies/rancher/docusaurus/kubewarden:0.0.5@sha256:81488900553174be2348b859f88f35c6ff0a6cab7342d8d4142bfec372fddb95
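The two rules stated above, a Policy.yaml version in semantic-versioning form without the leading v and a reference that is only immutable once pinned by digest, as a shell guard added here; this is example code, not part of updatecli or its documentation. It assumes the updatecli binary is on PATH only for the wrapper's final call, and a registry host without a port.

```shell
#!/bin/sh
# Added example, not part of updatecli or its documentation. It encodes two
# rules from this page as shell checks: a Policy.yaml "version" must be
# semantic versioning without the leading "v", and a policy reference is only
# immutable when pinned to a sha256 digest. The "updatecli" binary is assumed
# to be on PATH for the final call in pinned_updatecli only.

# 0 when REF is pinned to a digest, e.g.
#   ghcr.io/org/policies/foo:0.0.5@sha256:<64 hex chars>
# A bare tag (":latest", ":0.0.5") is mutable and is rejected. Assumes a
# registry host without a port.
is_digest_pinned() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z0-9._/-]+(:[A-Za-z0-9._-]+)?@sha256:[0-9a-f]{64}$'
}

# 0 when VERSION is MAJOR.MINOR.PATCH with optional pre-release and build
# metadata, and no leading "v".
is_policy_version() {
    printf '%s\n' "$1" |
        grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
}

# Read the top-level "version:" key of a Policy.yaml (plain or quoted scalar)
# and validate it before "updatecli manifest push" is run.
policy_file_version_ok() {
    v=$(sed -n 's/^version:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'")
    is_policy_version "$v"
}

# Run an updatecli subcommand only against a digest-pinned policy reference.
# Usage: pinned_updatecli diff ghcr.io/org/policies/foo:0.0.5@sha256:...
pinned_updatecli() {
    cmd=$1
    ref=$2
    if ! is_digest_pinned "$ref"; then
        echo "refusing 'updatecli $cmd': policy reference is not digest-pinned: $ref" >&2
        return 2
    fi
    updatecli "$cmd" "$ref"
}
```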
Examples
Updatecli
The repository updatecli/policies contains a list of common Updatecli policies published on GitHub Registry.
Share & Reuse
Important: Currently, updatecli doesn't handle OCI registry authentication itself but relies on the local Docker configuration. Therefore you must first run docker login before any registry operation.
Share
To share updatecli configuration files, run the following command:
updatecli manifest push --config updatecli/updatecli.d/updatecli.yaml -t ghcr.io/updatecli/policies/golang --policy Policy.yaml .
As you can see, ghcr.io/updatecli/policies/policies/npm/autodiscovery:latest looks like a container image reference but isn't one.
It's an OCI artifact in which each layer holds one of the manifest, config, values, or secrets files.
Using OCI registries for things other than container images isn't a new concept; projects such as Kubewarden, Conftest, and Helm already use OCI registries to store artifacts such as WASM binaries and plain files.
Reuse
To reuse this policy, run:
updatecli diff ghcr.io/updatecli/policies/policies/npm/autodiscovery:latest
Show
To show the content of this policy, run:
updatecli manifest show ghcr.io/updatecli/policies/policies/npm/autodiscovery:latest
Remarks
Depending on how the policy is written, its default values can be overridden with environment variables through the Go template function env, or by providing a new values.yaml or secrets.yaml.
This approach scales better, supports policy versioning, retrieves the right set of files for each version, allows signing with cosign, etc.