Automated Kubernetes rolling update when the same tag is pushed to a container registry

8/7/2021

I frequently update a Docker image using the same tag on Azure Container Registry. I would like to automatically run a rolling update when a new tag is pushed to my ACR, so pods are automatically updated with the latest version of the image.

ACR provides a Webhook feature to automatically call a webhook when a new tag is pushed.

My first approach would be to create a webhook in Kubernetes exposed through an ingress and callable from the ACR. The webhook would perform the rolling update, but it requires access to the Kubernetes API.

Is it possible? Am I in the right direction, or is there a more convenient way to answer my requirement?

Thanks!

-- Alexis
acr
kubernetes
webhooks

1 Answer

8/7/2021

Yes, it's possible. If ACR can call a webhook whenever a new image is pushed (even with the same tag), you can call a webhook service in your cluster. The service can then, for example, update an annotation in the PodTemplateSpec of your Deployment, which triggers a rolling update of your Pods.

However, it requires that the imagePullPolicy of the containers is set to Always, as the tag of the image remains unchanged. Otherwise, Kubernetes would think that it's still the same image and would use the one that it has previously pulled.

For access to the Kubernetes API, you can do this with a ServiceAccount to which you assign the necessary Kubernetes API permissions with Roles and RoleBindings. Finally, you assign this ServiceAccount to your Pods through the serviceAccountName field in the PodSpec.

-- weibeld
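As an added example (not code from either poster), here is a minimal in-cluster webhook receiver that does what the answer describes: it accepts an ACR push event, checks that the pushed repository and tag are ones it watches, and patches a `kubectl.kubernetes.io/restartedAt` annotation into the Deployment's PodTemplateSpec through the API server (the same strategic merge patch `kubectl rollout restart` sends), using the mounted ServiceAccount token. It uses only the standard library. The event shape follows the ACR push webhook payload (`action`, `target.repository`, `target.tag`, `request.host`); the `X-Webhook-Secret` header, the `WEBHOOK_SECRET` environment variable, the `WATCHED` mapping and the `myregistry.azurecr.io/myapp:latest` image are assumptions for the example, and `SAMPLE_EVENT` is constructed, not a captured payload.

```python
"""Webhook receiver: ACR push event -> rolling update of a Deployment.

Assumptions (not from the original post):
  - The ACR webhook is configured with a custom header X-Webhook-Secret whose
    value this process also receives in the WEBHOOK_SECRET environment variable.
  - WATCHED maps "<registry host>/<repository>:<tag>" to (namespace, deployment).
  - The Pod runs with a ServiceAccount that may `patch` deployments in the
    target namespace, and the Deployment's containers use imagePullPolicy: Always.
"""
import hmac
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

RESTART_ANNOTATION = "kubectl.kubernetes.io/restartedAt"
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API_SERVER = "https://kubernetes.default.svc"

# Assumed mapping for the example; load it from configuration in practice.
WATCHED = {
    "myregistry.azurecr.io/myapp:latest": ("default", "myapp"),
}

# Constructed ACR push event (same shape as the real payload, values made up).
SAMPLE_EVENT = {
    "action": "push",
    "target": {"repository": "myapp", "tag": "latest", "digest": "sha256:0000"},
    "request": {"host": "myregistry.azurecr.io", "method": "PUT"},
}


def image_ref(event):
    """Return 'host/repository:tag' for a push event, or None if it is not one."""
    target = event.get("target", {})
    host = event.get("request", {}).get("host")
    repo, tag = target.get("repository"), target.get("tag")
    if event.get("action") != "push" or not (host and repo and tag):
        return None
    return f"{host}/{repo}:{tag}"


def restart_patch(now):
    """Strategic merge patch that changes the PodTemplateSpec and so starts a rollout."""
    annotations = {RESTART_ANNOTATION: now.isoformat()}
    return {"spec": {"template": {"metadata": {"annotations": annotations}}}}


def plan_rollout(event, watched=WATCHED, now=None):
    """Return (namespace, deployment, patch) for a watched image, else None."""
    ref = image_ref(event)
    if ref is None or ref not in watched:
        return None
    namespace, name = watched[ref]
    return namespace, name, restart_patch(now or datetime.now(timezone.utc))


def secret_ok(headers, secret):
    """Constant-time comparison of the shared secret ACR sends as a custom header."""
    given = headers.get("X-Webhook-Secret", "")
    return bool(secret) and hmac.compare_digest(given, secret)


def patch_deployment(namespace, name, patch):
    """PATCH the Deployment via the API server with the mounted ServiceAccount token."""
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    req = urllib.request.Request(
        f"{API_SERVER}/apis/apps/v1/namespaces/{namespace}/deployments/{name}",
        data=json.dumps(patch).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/strategic-merge-patch+json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        status = 204
        if not secret_ok(self.headers, os.environ.get("WEBHOOK_SECRET", "")):
            status = 403
        else:
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            try:
                plan = plan_rollout(json.loads(body))
            except ValueError:
                plan, status = None, 400
            if plan:
                patch_deployment(*plan)
        # Ignored repositories also get 204, so they are not recorded as failed deliveries.
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    print(plan_rollout(SAMPLE_EVENT))  # dry run of the decision logic
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

For this to work as the answer describes, the Role bound to the receiver's ServiceAccount needs `patch` on `deployments` in the `apps` API group (and nothing broader), the receiver's Pod sets `serviceAccountName` to that account, and the target Deployment's containers have `imagePullPolicy: Always`; without the last, the kubelet reuses the cached image for the unchanged tag and the new Pods run the old build. The secret header check is what keeps anyone who can reach the ingress from restarting your workloads at will.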
Source: StackOverflow