Skip to content

[RFC-0003] Implement OCIRepository reconciliation #788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Aug 8, 2022
Merged

[RFC-0003] Implement OCIRepository reconciliation #788

merged 25 commits into from
Aug 8, 2022

Conversation

@stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Jun 21, 2022
edited
Loading

This PR adds a new kind to the source API and implements the OCIRepository reconciliation as described in the RFC Flux OCI support for Kubernetes manifests.

Authors:

API implementation

  • spec.url
  • spec.ref.digest
  • spec.ref.tag
  • spec.ref.semver
  • spec.provider
  • spec.secretRef
  • spec.serviceAccountName
  • spec.certSecretRef
  • spec.status.artifact.metadata

When the OCI artifact is annotated in the registry, these annotations are reflected in-cluster under spec.status.artifact.metadata . When using flux push artifact the following annotations are used to track the origin Git repository:

  • org.opencontainers.image.source: <GIT-URL>
  • org.opencontainers.image.revision: <GIT-BRANCH|TAG>/<GIT-SHA>

⚠️ Note that spec.verify is not included in this PR. We would like to release OCIRepository without cosign verification, then implement it for both OCIRepository and HelmChart OCI artifacts.

OCI preview

To try out the OCI feature, you can build the Flux CLI that contains this version of source-controller and a version of kustomize-controller that has OCI support:

# checkout the OCI branch
git clone https://github.com/fluxcd/flux2.git
cd flux2
git switch oci

# build Flux
make build
sudo mv ./bin/flux /opt/homebrew/bin/flux

# register the podinfo repo from GHCR
flux create source oci podinfo-oci \
--url oci://ghcr.io/stefanprodan/manifests/podinfo \
--semver 6.x \
--interval 10m

# reconcile podinfo in the default namespace
flux create kustomization podinfo-oci \
--source=OCIRepository/podinfo-oci \
--path="./kustomize" \
--prune=true \
--interval=5m \
--target-namespace=default \
--wait=true

# various OCI commands
flux get sources oci
flux reconcile source oci podinfo-oci
flux suspend source oci podinfo-oci
flux resume source oci podinfo-oci
flux export source oci podinfo-oci
flux delete ks podinfo-oci --silent
flux delete source oci podinfo-oci --silent

To generate your own artifacts, clone podinfo and push the manifests to your own container registry:

# export your GH username
export GH_USER=<username>

# clone podinfo
git clone https://github.com/stefanprodan/podinfo.git
cd podinfo

# check the 6.1.5 release
git checkout 6.1.5

# push 6.1.5 to GHCR
flux push artifact oci://ghcr.io/${GH_USER}/manifests/podinfo:$(git tag --points-at HEAD) \
	--path="./kustomize" \
	--source="$(git config --get remote.origin.url)" \
	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"

# check the 6.1.6 release
git checkout 6.1.6

# push 6.1.6 to GHCR
flux push artifact oci://ghcr.io/${GH_USER}/manifests/podinfo:$(git tag --points-at HEAD) \
	--path="./kustomize" \
	--source="$(git config --get remote.origin.url)" \
	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"

# tag 6.1.6 as latest
flux tag artifact oci://ghcr.io/${GH_USER}/manifests/podinfo:6.1.6 --tag latest

@stefanprodan stefanprodan added the area/oci OCI related issues and pull requests label Jun 21, 2022
@stefanprodan stefanprodan force-pushed the oci branch 5 times, most recently from 3594a17 to 2ff461b Compare June 21, 2022 14:33
@stefanprodan stefanprodan changed the title Implement OCIRepository reconciliation [POC] Implement OCIRepository reconciliation Jun 21, 2022
@stefanprodan stefanprodan mentioned this pull request Jun 21, 2022
Merged
@stefanprodan stefanprodan force-pushed the oci branch 2 times, most recently from 778f6d5 to 37a7bc5 Compare June 21, 2022 18:46
@rashedkvm
Copy link
Member

rashedkvm commented Jun 22, 2022
edited
Loading

Installed Controller Preview and ran test CR for bundle image package. Test succeeded.

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: sample-app
  namespace: default
spec:
  interval: 1m
  url: rkamaldocker/sample-app
  ref:
    tag: 1.0.0

Extracted tar - looks good

# curl http://source-controller.flux-system.svc.cluster.local./ocirepository/default/sample-app/2db7841074d483b2f3fde931988962b529c7fdf5d1e6928d2b70b723410e5b81.tar.gz -o oci-test/sample-app.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  193k  100  193k    0     0  94.4M      0 --:--:-- --:--:-- --:--:-- 94.4M
# cd oci-test
# tar -xf sample-app.tar.gz
# ls -a
.  ..  .git  .github  .gitignore  .mvn	LICENSE  README.md  Tiltfile  accelerator.yaml	catalog  config  mvnw  mvnw.cmd  pom.xml  sample-app.tar.gz  src
#

kingdonb pushed a commit to kingdonb/tailscale-k8s that referenced this pull request Jun 22, 2022
add OCIRepository for testing
1b4bbcc 
https://cloud-native.slack.com/archives/C02JQ9GLP26/p1655891456182639
fluxcd/flux2#2856
fluxcd/source-controller#788
fluxcd/kustomize-controller#684

Signed-off-by: Kingdon Barrett <[email protected]>
@rashedkvm
Copy link
Member

rashedkvm commented Jun 26, 2022
edited
Loading

@stefanprodan Seeing issue with the multi-layer image by CNB buildpack. Please try the following:

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: petclinic
  namespace: default
spec:
  interval: 15m
  url: scothis/petclinic
  ref:
    tag: latest

Error status condition

  - lastTransitionTime: "2022-06-26T03:51:23Z"
    message: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx
    observedGeneration: 1
    reason: OCIOperationFailed
    status: "False"
    type: Ready

Both docker and crane client validates this image

~ crane validate --remote scothis/petclinic:latest
PASS: scothis/petclinic:latest

Can you try pulling the image scothis/petclinic:latest with the modified Flux CLI? Thanks!

@stefanprodan
Copy link
Member Author

stefanprodan commented Jun 27, 2022

tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx

@rashedkvm this is expected, we only support regular files https://github.com/fluxcd/pkg/blob/76f30cf3b1d1b2503a5202b2a96d9faeb25623a2/untar/untar.go#L60 To make this work with Flux you need to use spec.ignore and include only the files with Kubernetes manifest.

@kingdonb kingdonb mentioned this pull request Jul 1, 2022
Closed
darkowlzz
darkowlzz reviewed Jul 4, 2022
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went through it just to get familiar with the implementation.
Overall, looks good to me. Left a few minor comments.

@stefanprodan stefanprodan force-pushed the oci branch 10 times, most recently from 28def20 to 0c40eb2 Compare July 5, 2022 12:36
@pjbgf pjbgf added this to the GA milestone Jul 8, 2022
@stefanprodan stefanprodan changed the title [POC] Implement OCIRepository reconciliation [RFC-0003] Implement OCIRepository reconciliation Jul 8, 2022
darkowlzz
darkowlzz reviewed Aug 3, 2022
View reviewed changes
darkowlzz
darkowlzz reviewed Aug 4, 2022
View reviewed changes
pjbgf
pjbgf reviewed Aug 4, 2022
View reviewed changes
Copy link
Member

@pjbgf pjbgf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some small nits...

darkowlzz
darkowlzz reviewed Aug 4, 2022
View reviewed changes
@stefanprodan
API docs improvements
1966411 
Co-authored-by: Paulo Gomes <[email protected]>
Signed-off-by: Stefan Prodan <[email protected]>
@stefanprodan stefanprodan force-pushed the oci branch 5 times, most recently from a67c3f2 to 7ead18d Compare August 5, 2022 10:18
@stefanprodan
Add OCI failure reasons to API
1a59935 
Signed-off-by: Stefan Prodan <[email protected]>
darkowlzz
darkowlzz reviewed Aug 5, 2022
View reviewed changes
darkowlzz
darkowlzz reviewed Aug 5, 2022
View reviewed changes
darkowlzz
darkowlzz approved these changes Aug 8, 2022
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!
I've tested and verified that the OCI registry auto-login works for AWS, Azure and GCP.

pjbgf
pjbgf approved these changes Aug 8, 2022
View reviewed changes
Copy link
Member

@pjbgf pjbgf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@stefanprodan stefanprodan merged commit 1db1626 into main Aug 8, 2022
@stefanprodan stefanprodan deleted the oci branch August 8, 2022 12:59
@rashedkvm rashedkvm mentioned this pull request Sep 1, 2022
Closed
6 tasks
@stefanprodan stefanprodan mentioned this pull request Sep 22, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pjbgf pjbgf pjbgf approved these changes

@hiddeco hiddeco Awaiting requested review from hiddeco

+2 more reviewers

@rashedkvm rashedkvm rashedkvm left review comments

@darkowlzz darkowlzz darkowlzz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/oci OCI related issues and pull requests

Projects

None yet

Milestone

Helm GA

Development

Successfully merging this pull request may close these issues.

7 participants

@stefanprodan @rashedkvm @darkowlzz @pjbgf @hiddeco @somtochiama