Automate or stagnate: surviving the era of continuous updates

Transcript

1. Automate or stagnate: surviving the era of continuous updates Incontro

   DevOps Italia 14 Marzo 2025 - Bologna

2. About me DevOps Engineer @ Hyland Software Sometimes I get

   stuck in the past Diehard Incontro DevOps participant Reach me at gionn.net

3. The journey of dealing with dependencies

4. The challenge of keeping up with updates • OSS making

   up to 90% of the modern software applications • 80% of application dependencies remain un-upgraded for over a year • 3.6% of dependencies are still vulnerable because they were updated to another insecure version • 500k malicious packages published in the past year (+156% YoY) Source: 2024 State of the Software Supply Chain

5. Why automation matters • Manual updates simply don’t scale •

   Reduce human error • Decrease time to resolution • Enhance security and compliance

6. Common practices for automated updates • Version pinning vs floating

   dependencies • Semantic versioning strategies • Continuous Integration/Testing • Update whenever you can • Dependency management tools (e.g. dependabot, renovate)

7. A real world scenario in Alfresco Alfresco is an open-source

   content management system that helps teams store, manage, and collaborate on documents and workflows. Java-based platform, with a repository core, a bunch of scalable microservices to handle documents transformations, search/indexing, desktop sync and integration with 3rd party components (office365, teams, …) Available in community and enterprise edition.

8. Docker-compose Alfresco deployment tools: compose & helm charts To help

   users easily deploy the Alfresco platform, for every supported version and for both community and enterprise editions (~160 version references): compose.yaml 7.4.N-compose.yaml 7.3.N-compose.yaml 7.2.N-compose.yaml pre-release-compose.yaml community-compose.yaml Umbrella chart(s) values.yaml 7.4.N-values.yaml 7.3.N-values.yaml 7.2.N-values.yaml pre-release-values.yaml community-values.yaml Component charts (~16) repository/values.yaml share/values.yaml search/values.yaml sync/values.yaml ms365/values.yaml …/values.yaml

9. Versioning is hard Please always use semver Makes version sorting

   easy Don’t let a devops cry

10. Before: manual bumping of versions At the end of the

    release cycle we had to: • Have a list of the released components • For each release, understand eventual compatibility restrictions (latest version of X may not be compatible with all the currently supported versions) • Proceed in manually bumping the tag in every compose/values files • Have someone else review it • Hope not having missed something Average time to release: ~1.5 week

11. Now: automated bumps with updatecli • Each repository has a

    bump workflow which sequentially discover new versions and raise a single PR for all the bumps • One configuration manifest to manage compose and helm bumps • One values file to declare compatibility between component versions for each supported version of Alfresco Average time to release: ~4 hours

12. Updatecli Declarative dependency update pipelines. • Fully customizable • Idempotent

    • GitOps enabler https://www.updatecli.io/ Maintainer: Olivier Vernin Language: Go Source Condition Target SCM PR

13. Updatecli available plugins • Source/Condition/Target: Amazon AMI - cargopackage -

    CSV - Docker Digest - Docker Image - Dockerfile - File - Git Branch - Git Tag - Gitea Branch - Gitea Release - Gitea Tag - Github Release - Gitlab Branch - Gitlab Release - Gitlab Tag - Golang - Golang go.mod - Golang module - HCL - Helm Chart - HTTP - Jenkins - JSON - Maven Repository - NPM - Shell - Temurin/Adoptium - Terraform File - Terraform Lock - Terraform Provider - Terraform Registry - TOML - Tool Versions - XML - Yaml • SCM: bitbucket - stash - gitea - gitlab - github - git • Action: bitbucket/pullrequest - gitea/pullrequest - gitlab/mergerequest github/pullrequest - stash/pullrequest Source Condition Target SCM PR

14. PROS • Simplicity • Automation Friendly • Consistency • Security

    • Scalability • New DSL • YAML ❤ • More maintenance CONS

15. Tomcat base image example sources: tomcatVersion: name: Retrieve tomcat latest

    version kind: shell spec: command: ./get-tomcat-version.sh environments: - name: TOMCAT_MAJOR tcnativeTag: name: Get Tomcat Native libs version kind: gittag scmid: tcnativeGitHub spec: versionfilter: kind: semver pattern: "~2" #src: https://github.com/Alfresco/alfresco-docker-base-tomcat scms: tcnativeGitHub: kind: git spec: url: github.com/apache/tomcat-native.git branch: main targets: tomcatJson: name: Bump version in json file kind: json sourceid: tomcatVersion spec: file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json key: tomcat_version actions: tomcatVersion: kind: "github/pullrequest" scmid: "my-repo"

16. Updatecli: covering the gap with automated tools https://www.updatecli.io/docs/core/autodiscovery/ Source Condition

    Target SCM PR Autodiscovery

17. Updatecli: sharing reusable versioned snippets https://www.updatecli.io/docs/core/shareandreuse/ OCI registry Policies Updatecli

    manifest Updatecli manifest Updatecli manifest

18. GitHub Actions integration name: updatecli workflow on: workflow_dispatch: schedule: #

    Run once a day - cron: '0 0 * * *' permissions: contents: write pull-requests: write env: UPDATECLI_GITHUB_TOKEN: ${{ secrets.GH_TKN }} jobs: updatecli: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Install Updatecli in the runner uses: updatecli/updatecli-action@v2 - name: Run Updatecli in Dry Run mode run: updatecli diff - name: Run Updatecli in Apply mode run: | updatecli apply --config updatecli/updatecli.d https://github.com/updatecli/updatecli-action
19. None

20. Thanks! About me: https://gionn.net/about/ Updatecli website: https://www.updatecli.io/ Updatecli sources: https://github.com/updatecli/updatecli/

    Updatecli community: https://matrix.to/#/#Updatecli_community:gitter.im