Tag container images with major version alone

[maximbaz]

Problem Statement

Right now you are tagging releases with latest and vMAJOR.MINOR.PATCH.
Could you please also tag them with vMAJOR?

This will give us a bit more peace of mind for selfhosted environments, where we can enable auto-update for images tagged (currently) with v1, so that when you eventually release a breaking change, the v1 tag will not pull a breaking change automatically, but will require a manual intervention.

An example of this can be seen e.g. in traefik images, whose tags include (among others) vMAJOR.MINOR.PATCH, vMAJOR.MINOR and vMAJOR.

Solution Brainstorm

No response

[vroldanbet]

This is doable, but I'm curious about the auto-update nature of this setup. Are you using spicedb-operator or running your own SpiceDB deployment? If so, how do you manage migrations, specially multi-stage migrations?

[maximbaz]

I'm at the stage where I don't mind a tiny downtime once in a while, so I'm using a simple docker-compose setup (very similar to what you have in your examples), with watchtower monitoring the specified tags, periodically pulling newer images and restarting containers when there is anything new. If I use latest, then watchtower will pull latest all the time, while if I could use v1 then watchtower will never automatically pull the next major version.

I'm using this approach for a bunch of other projects, but I'm very early on my spicedb journey, so I don't know yet if this is an undesirable approach.

[vroldanbet]

@maximbaz if this is for development, and you are using a setup that calls spicedb migrate head, I see no issue with this. This would become problematic for multi-phase migrations. If running in a Kube cluster and starting to look into productionizing, we recommend using the spicedb-operator, which has the update graph baked into it and knows how to move the cluster through the updates.