Our customers trust us with their most precious resource: their information systems. Our job is to keep the underlying systems running, updated, and most importantly, secure.
Project Syn with its Commodore Components is one of the primary weapons in our arsenal to configure and thus protect those systems. Thanks to its GitOps approach, we can ensure that all Kubernetes clusters are always running the latest and (hopefully) most secure version possible.
But just like any other software package, Project Syn brings its own complexity: we must keep it safe and sound, which means watching over its container images, its Helm charts, and all of the Commodore Components we use every day.
As you can imagine, juggling so many different software packages is a considerable task; now, think about all of their upstream dependencies (most of them are container images and Helm charts, but Go and Python are also part of the mix). The complexity of the task increases exponentially.
How do we cope with this? Well, as usual, by standing on the shoulders of giants. In this case, Renovate.
Renovate was created to manage this complexity, whether container images, Helm charts, or upstream dependencies. But understandably enough, Renovate per se does not know anything about Commodore Components (at least not yet!), and in particular, it does not know about the Project Syn configuration hierarchy and how to find dependencies within that hierarchy.
So, what’s an Open Source developer to do? We forked Renovate, of course, and adapted it to our needs. How?
- We added the Project Syn configuration hierarchy as a new Manager.
- We reused the existing datasource to detect new versions of our Commodore Components.
Then we configured our own Renovate fork on all the repositories holding our source code and started getting notified via pull requests whenever there was a new dependency version. Voilà!
With this approach, we have been able to automate much of the work and avoid running outdated software, because we are notified automatically of new versions. No more forgotten updates!
We also decided to use “golden files” to test our Commodore Components; this, in turn, meant that we could not merge PRs created by Renovate in case of failure. For those cases, we also taught Renovate how to update those golden files if needed.
The pull request “Update dependency ghcr.io/appuio/control-api to v0.8.1 – autoclosed #29” is a live example of this mechanism in action, and you’re most welcome to check it out.