Enabling Auto-Updates

Some users may want to enable automatic updates for their applications deployed in OKD, as auto-updates ensure that instances receive the latest security patches and upstream fixes without requiring manual intervention. This feature can simplify maintenance, but it also introduces important risks that owners must fully understand before enabling it.

If auto-updates are not enabled, owners must maintain their deployments by regularly updating the image themselves, monitoring upstream releases, and checking for security vulnerabilities. This is especially important for internet-exposed applications, where outdated versions present a significant security risk.

Auto or Manual Updates

When configuring your deployments, owners must choose between auto-updates and manual updates:

1. Auto-Updates

Every time a new stable Grafana version is released, the deployment automatically rolls out an update to the container image with the new version.

No manual intervention is required to stay up-to-date with the latest version. Suitable for teams that accept the risks of tracking latest and want minimal operational overhead. From a security perspective, auto-updates can be safer as they ensure the deployment always receives the latest security patches and fixes without delay. However, owners should still monitor updates for potential breaking changes.

2. Manual updates

In manual update mode, the deployment will not automatically roll out new images. It is critical that owners regularly check for new images, upstream releases, and security vulnerabilities. Owners must manually update their deployments regularly. Since updates are not automatic, failing to upgrade promptly can leave deployments exposed to security risks, which matters especially for internet-exposed applications.

Configuration

Configure image

For both automatic updates and manual updates, we use an ImageStream resource. The ImageStream tracks the upstream latest tag of the Grafana image, so that the deployment can stay up-to-date when new Grafana releases are available.

What is an ImageStream?

An ImageStream is an OKD object that tracks container images. It allows us to:

  • monitor an external registry for new image versions
  • trigger automatic updates of our deployments when a new image is available.

For more information regarding ImageStreams, see the official OKD docs.

The configuration should look as follows:

spec:
  tags:
    - name: latest
      from:
        kind: DockerImage
        name: registry.cern.ch/docker.io/grafana/grafana:latest
      importPolicy:
        scheduled: true        # Automatically update whenever there's a new image available upstream
      referencePolicy:
        type: Source           # Makes the deployment reference the external source image

Create the ImageStream with:

NAMESPACE="" # set your namespace

oc apply -n "$NAMESPACE" -f - <<EOF
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: grafana-latest
spec:
  tags:
    - name: latest
      from:
        kind: DockerImage
        name: registry.cern.ch/docker.io/grafana/grafana:latest
      referencePolicy:
        type: Source
      importPolicy:
        scheduled: true
EOF

1. Auto-Updates

To enable auto-updates, enable the image trigger on the deployment.

In the OKD UI, select Edit Deployment and enable the “Auto deploy when new Image is available” option.

2. Manual updates

If users choose to manage the updates manually, the deployment should have its image trigger disabled, with the 'Auto deploy when new image is available' option turned off in the OKD UI.

When using manual updates:

  • You are responsible for staying up-to-date with the latest Grafana releases.

  • To deploy a new version, trigger a rollout manually: oc rollout restart deployment <DEPLOYMENT> -n <NAMESPACE>

This approach allows you to control when updates happen and gives you the ability to roll back if a new Grafana release introduces breaking changes: oc rollout undo deployment <DEPLOYMENT> -n <NAMESPACE>

Note: To avoid potential issues, you can first deploy new versions in a test environment to verify functionality, dashboards and plugins before updating production.
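
The following audit of which update mode a Deployment is actually in is an added example, not part of the original page or of OKD. It assumes the UI toggle is stored in the Deployment's image.openshift.io/triggers annotation and that an active trigger writes the ImageStream's newest image reference into the container's image field; the container name grafana and the sample objects are constructed.

```python
import json
TRIGGER_KEY = "image.openshift.io/triggers"  # annotation read by OKD's image trigger controller

def update_mode(deployment, istag):
    """Return 'auto', 'paused' or 'manual' for triggers that follow `istag`."""
    raw = deployment["metadata"].get("annotations", {}).get(TRIGGER_KEY, "[]")
    mode = "manual"                                # no trigger for this tag at all
    for trig in json.loads(raw):
        src = trig.get("from", {})
        if src.get("kind") == "ImageStreamTag" and src.get("name") == istag:
            if str(trig.get("paused", False)).lower() != "true":
                return "auto"
            mode = "paused"                        # trigger exists but is switched off
    return mode

def tag_state(imagestream, tag):
    """Return (scheduled_import, newest_imported_reference) for one tag."""
    spec = next((t for t in imagestream["spec"].get("tags", []) if t["name"] == tag), {})
    hist = next((t for t in imagestream.get("status", {}).get("tags", []) if t["tag"] == tag), {})
    items = hist.get("items", [])
    newest = items[0]["dockerImageReference"] if items else None
    return bool(spec.get("importPolicy", {}).get("scheduled")), newest

def audit(deployment, imagestream, tag="latest"):
    """List findings an owner should act on; an empty list means nothing to do."""
    istag = f'{imagestream["metadata"]["name"]}:{tag}'
    mode = update_mode(deployment, istag)
    scheduled, newest = tag_state(imagestream, tag)
    running = [c["image"] for c in deployment["spec"]["template"]["spec"]["containers"]]
    findings = []
    if not scheduled:
        findings.append("ImageStream tag is not re-imported on a schedule")
    if mode != "auto" and newest and newest not in running:
        findings.append(f"{mode} mode: newest imported image is not rolled out")
    return findings

# Constructed sample objects, shaped like `oc get ... -o json` output.
OLD, NEW = ("registry.cern.ch/docker.io/grafana/grafana@sha256:" + c * 64 for c in "ab")
STREAM = {"metadata": {"name": "grafana-latest"},
          "spec": {"tags": [{"name": "latest", "importPolicy": {"scheduled": True}}]},
          "status": {"tags": [{"tag": "latest", "items": [{"dockerImageReference": NEW}]}]}}
DEPLOY = {"metadata": {"annotations": {TRIGGER_KEY: json.dumps([{
              "from": {"kind": "ImageStreamTag", "name": "grafana-latest:latest"},
              "fieldPath": 'spec.template.spec.containers[?(@.name=="grafana")].image',
              "paused": True}])}},
          "spec": {"template": {"spec": {"containers": [{"name": "grafana", "image": OLD}]}}}}

if __name__ == "__main__":
    print(update_mode(DEPLOY, "grafana-latest:latest"), audit(DEPLOY, STREAM))
```

To run it against a real project, load the two objects from oc get deployment <DEPLOYMENT> -o json and oc get imagestream grafana-latest -o json instead of the constructed samples.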