github AlexGustafsson/cupdate v0.16.0

18 hours ago

Thanks to everyone who created feature requests, filed bug reports and tested fixes. Your help is instrumental in continuing to improve Cupdate!

A special thanks to @thespad for helping out with discussing and testing some of the new features.

Features

  • Add grid view layout option to UI
  • Track digests used by the runtime
  • Track changes made to tags like latest and v8
  • Add support for custom registries like Harbor and Zot, as well as authentication towards registries like Docker Hub and GitHub Container Registry

Grid view

A compact grid layout has been added. The layout will fit as many images as possible on one row, adapting to your viewport's width. The chosen layout is stored in the browser's local storage so that it's available the next time you use the UI.

Custom registries

Cupdate now supports custom registries like Harbor and Zot as well as tracking private images from registries like Docker Hub and GitHub Container Registry using a token.

The implementation closely follows the format used by Docker and Kubernetes. To use the feature, you'll need to specify a config file via CUPDATE_REGISTRY_SECRETS:

{
  "auths": {
    "registry.example.com": {
      "username": "username",
      "password": "password"
    }
  }
}

{
  "auths": {
    "registry.example.com": {
      "auth": "c29tZSB0b2tlbg=="
    }
  }
}

{
  "HttpHeaders": {
    "x-some-special-auth": "letmein"
  }
}

For now, there's no support for insecure registries served without TLS.

Tracking digests

Tags like latest, v8 and v3.0.0 have one thing in common - they all refer to a manifest containing information about a container image. The manifest is always referenced by its hash sum - its digest. Tags can be changed at any time to point to any digest, but digests will forever uniquely refer to the same manifest. In most cases, neither the manifests nor the digests themselves contain any information about what "version" of the software they actually contain.

This causes a couple of problems when trying to identify what "version" of a service is actually in use, so that Cupdate can find a newer version. In part, it means that your "latest" might not be the same as mine and that the "latest" today is not the same as yesterday.

Up until now, Cupdate has only supported "well-behaved" image tags that follow anything resembling a semantic version, assuming that they are never overwritten. This works great for tags like v1.2.3 and it works alright for tags like v1.2 and v1, as Cupdate can identify the version in use and will be able to promote updates to v1.2.4 and beyond. It doesn't work at all for tags like latest. Tags like v1 and latest are typically overwritten, meaning Cupdate's information would become outdated over time.

With this new feature, Cupdate will try its best to identify the digest used by the underlying container runtime - again, uniquely referring to the specific manifest in use by its digest. When checking for updates, Cupdate will notice if the digest that a tag currently points to differs from the one used locally. This now enables Cupdate to prompt you to update alpine:latest and mongo:v8 to a new version because the tags have been overwritten.

Please be aware that due to the limitations of the information made available by container registries and the image manifests themselves, it will be impossible in most cases to present a typical version like v3.0.0 if you use tags like latest, v3 and v3.3. There's simply no technical way of knowing what latest means in your context. As always, the best practice and what works best with Cupdate is to use tags like v3.3.0.

The full version is always shown in the UI when hovering over a version.

Improvements and fixes

  • Add a favicon and logo override for Cupdate
  • Improve intuitiveness of full-text search
  • Improve support for references with IPs (v4 and v6) and pinned digests
  • Update data shown on the page without a refresh (when the update toast is shown)
  • Make page indexes start at 1
  • Minor UI improvements
    • Fix colors of layout button, use appropriate cursor
    • Remove divider in summary
  • Keep query when going back from an image page
  • Fix Bézier curves not showing in graph view in Firefox
  • Set referrer policy on video elements
  • Fix error with images missing quay vulnerability scans
  • Fix tags being shown in the image name
  • Fix GitHub packages data for packages owned by organizations

Deprecations

  • CUPDATE_KUBERNETES_INCLUDE_OLD_REPLICAS environment variable now does nothing.

Breaking changes

  • References will now contain the digest as well in almost all cases. This means that the reference and latestReference fields returned by APIs can look like alpine:v3@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 as opposed to just alpine:v3. As the reference is the primary key of the database, it also means that all entries of the database will be removed or updated over time. No user intervention is required.
  • The Kubernetes dependency graph no longer includes templated resources like a job's pod template, which in turn can have a pod template which in turn depends on an image.
  • Getting old replicas from Kubernetes is no longer supported.
  • Page indexes now start at 1. Specifying page=0 to /api/v1/images will return 400 bad request.
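
For consumers of the reference and latestReference fields, the following Go program is an added example (not code from Cupdate) that splits the new name:tag@digest form, including registries given as IPv4 or IPv6 hosts with ports, and reports whether a tag has been overwritten. The names Ref, ParseRef and Classify and the status strings are hypothetical, and it assumes only sha256 digests appear.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Ref is an image reference split into its parts; Tag and Digest may be empty.
type Ref struct{ Name, Tag, Digest string }

var sha256Digest = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// ParseRef splits "name[:tag][@sha256:<hex>]"; name may start with host:port.
func ParseRef(s string) (Ref, error) {
	var r Ref
	if i := strings.LastIndex(s, "@"); i >= 0 {
		r.Digest, s = s[i+1:], s[:i]
		if !sha256Digest.MatchString(r.Digest) {
			return Ref{}, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}
	// Only a colon after the last slash starts a tag (not a port or IPv6 colon).
	if i := strings.LastIndex(s, ":"); i > strings.LastIndex(s, "/") {
		r.Tag, s = s[i+1:], s[:i]
	}
	r.Name = s
	return r, nil
}

// Classify compares the reference in use with the latest known reference.
func Classify(c, l Ref) string {
	switch {
	case c.Name != l.Name:
		return "different-image"
	case c.Digest != "" && c.Digest == l.Digest:
		return "up-to-date"
	case c.Tag != l.Tag:
		return "new-tag"
	case c.Digest == "" || l.Digest == "":
		return "unknown" // same tag, but no digest pair to compare
	}
	return "tag-overwritten" // same tag now points at a different digest
}

func main() {
	cur, err1 := ParseRef("alpine:v3@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099")
	latest, err2 := ParseRef("alpine:v3@sha256:" + strings.Repeat("a", 64)) // constructed digest
	fmt.Println(Classify(cur, latest), err1, err2)
}
```
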

Full Changelog: v0.15.0...v0.16.0