Scenario-based encapsulation of Tencent Cloud Container Service API for implementing image updates operations for Deployment and StatefulSet workloads

• Using Tencent Cloud Container Service (TKE) cluster with deployed Deployment or StatefulSet resources
• Tencent Cloud secret_id and secret_key with proper cluster permissions are required. For setup instructions, see doc/access.md

• secret_id Secret ID, see doc/access.md
• secret_key Secret Key
• region Cluster region, format: ap-nanjing. See doc/regions.md
• cluster_id Cluster ID, format: cls-m9miwj4u
• namespace Namespace where the workload is located, e.g., default
• workload_kind Workload type. Supports deployment, statefulset
• workload_name Workload name
• container_names Container names, multiple names separated by ,
• container_images Latest container images to update, multiple images separated by ,
• check_rollout_timeout (Optional) Monitor the pod rollout duration. Unit: minutes, integer. Setting it to 0 skips the waiting period.
• cloud_api_endpoint (Optional) The Tencent Cloud API Endpoint. Defaults to the internal endpoint of Tencent Cloud’s infrastructure. For public network access, it can be configured as tke.tencentcloudapi.com.

After the image is pushed to CNB's Docker registry, TKE workload Pods need authentication information configured to pull the image.

Go to the Docker image repository to create a Deploy Token, making sure to check Artifacts permission:

1. Navigate to your CNB project's Settings → Repository Settings → Deploy Tokens
2. Click "Generate Deploy Token", enter a name and check the read_registry permission
3. Save the generated username and password for creating the K8s Secret

Use the deploy token generated in the previous step to create a kubernetes.io/dockerconfigjson type Secret in the target Namespace:

kubectl create secret docker-registry cnb-registry-secret \
  --docker-server=<CNB_Docker_Registry_Address> \
  --docker-username=<Deploy_Token_Username> \
  --docker-password=<Deploy_Token_Password> \
  -n <Namespace>

Field	Description
<CNB_Docker_Registry_Address>	CNB Docker registry address (e.g., docker.cnb.cool or custom domain)
<Deploy_Token_Username>	Username of the deploy token generated above
<Deploy_Token_Password>	Password of the deploy token generated above
<Namespace>	The Namespace where the workload is located

Specify imagePullSecrets in your workload (Deployment / StatefulSet) YAML:

spec:
  template:
    spec:
      imagePullSecrets:
        - name: cnb-registry-secret # Name of the Secret created in the previous step
      containers:
        - name: my-app
          image: docker.cnb.cool/your-repo/image:tag

💡 If you have workloads in multiple Namespaces that need to pull images from CNB, you need to create the corresponding Secret under each Namespace.

• With correct permissions and configuration, the plugin exits successfully if image update succeeds, otherwise fails. Similar to kubectl set image mechanism
• After updating the image, pod rolling status will be monitored and printed for 10 minutes for pipeline log review, (set the parameter check_rollout_timeout to 0 to skip waiting). This step doesn't affect plugin exit status; final pod rolling results can be viewed in the cluster
• Operating mechanism: Similar to kubectl set image, this plugin doesn't verify if the update image exists or is valid. It directly updates the image field in workload yaml, with K8s handling async scheduling like pod rolling

# Example image update configuration
main:
  push:
    - stages:
      - name: Update image using tke plugin
        image: tencentcom/deploy-to-tke
        settings:
          secret_id: AKID***MpL4
          secret_key: mRH1***wu0C
          region: ap-***
          cluster_id: cls-***
          namespace: default
          workload_kind: deployment
          workload_name: my-***-deployment
          container_names: container-***-1
          # Can use variables like container_images: ${CNB_DOCKER_REGISTRY}/${CNB_REPO_SLUG_LOWERCASE}:${CNB_COMMIT}
          container_images: nginx-***:v1

# End of quick usage

If you don't want to write secret keys in plain text, add a secret information file your_secrets.yaml in your private repository:

# your_secrets.yml
secret_id: AKID***MpL4
secret_key: mRH1***wu0C

Configure .cnb.yml to import environment variables from the above file:

# Update example image
main:
  push:
    - stages:
      - name: Update image using tke plugin
        image: tencentcom/deploy-to-tke
        settingsFrom: https://cnb.cool/***/my-secret-repo/-/blob/main/your_secrets.yaml
        settings:
          region: ap-***
          cluster_id: cls-***
          namespace: default
          workload_kind: deployment
          workload_name: my-***-deployment
          container_names: container-***-1
          container_images: ${CNB_DOCKER_REGISTRY}/${CNB_REPO_SLUG_LOWERCASE}:${CNB_COMMIT}
# End of advanced usage

docker run --rm  \
    -e PLUGIN_SECRET_ID="***" \
    -e PLUGIN_SECRET_KEY="***" \
    -e PLUGIN_REGION="ap-shanghai" \
    -e PLUGIN_CLUSTER_ID="cls-***" \
    -e PLUGIN_NAMESPACE="development" \
    -e PLUGIN_WORKLOAD_KIND="deployment" \
    -e PLUGIN_WORKLOAD_NAME="my-***-deployment" \
    -e PLUGIN_CONTAINER_NAMES="container-***-1,container-***-2" \
    -e PLUGIN_CONTAINER_IMAGES="nginx-***:v1,nginx-***:v2" \
    tencentcom/deploy-to-tke

This plugin has been verified to work with TKE clusters purchased on both Tencent Cloud cloud.tencent.com and Tencent Cloud International www.tencentcloud.com.