Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: adds expectations with regards to pulling using OCI #5307

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

ricardomaraschini
Copy link
Contributor

Description

this commit adds a new section to the adr on oci pulls where we lay down the expectations when it comes to pulling artifacts through oci.

such expectations are written as an example workflow of what should be supported.

Fixes #5143

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

this commit adds a new section to the adr on oci pulls where we lay down
the expectations when it comes to pulling artifacts through oci.

such expectations are written as an example workflow of what should be
supported.

Signed-off-by: Ricardo Maraschini <[email protected]>
add missing language specifiers to the markdown code section.

Signed-off-by: Ricardo Maraschini <[email protected]>
Copy link
Member

@twz123 twz123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, that's a good starting point. I was thinking about some sort of "specification" though. It's not clear how k0s will select the artifact to download, given only the OCI name and tag, nor how k0s will figure out the file name to use. If we specify these things explicitly, there's less room for ambiguity and "specification by implementation". It will also help when discussing certain design aspects:

For example, regarding artifact selection, I think it would make perfect sense to support platform filtering, so that you can distribute different artifacts for different platforms under the same name, just as you can with multi-arch images.

Regarding file name determination, ORAS chooses to set the org.opencontainers.image.title annotation to the file name specified on the command line. This is a pragmatic choice, but an implementation detail of ORAS, since this annotation is for the "human-readable title of the image", according to the OCI spec.

It wouldn't be too unreasonable to not use the file name from the OCI manifests, but just require it to be provided in the k0s config, depending on whether that file name is something that should be decided at "k0s config time" or at "artifact push time". This way, we could completely eliminate the annotation processing mentioned above. This extends to other file system properties as well, such as permissions, ownership, maybe even file times.

#### Expected workflow

This feature supports pulling both the k0s binary and the k0s air-gap bundle.
Each repository tag should host only one artifact. To remotely host an artifact
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What should happen if there are multiple artifacts?

@@ -110,6 +110,39 @@ secretRef:
name: artifacts-token-based-auth
```

#### Expected workflow

This feature supports pulling both the k0s binary and the k0s air-gap bundle.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Downloading executables raises the question of how to manage the executable bit of the downloaded files.


```yaml
url: oci://registry.company.com/k0s/binary:v1.31.1
sha256: <sha-for-the-binary>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Big question: Is this the digest of the image or the digest of the embedded binary?

When dealing with OCI artifacts, it would seem more natural to be the digest of the image (or image index) itself.

If it is the latter, this means that as long as the published artifact also uses SHA-256 as its digest algorithm (I have yet to see an image that doesn't), we would have an accurate way of figuring out which artifact to pick out of the image index. The downside would be that this would make multi-platform downloads with the same name impossible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ADR 1: Spec out OCI artifact format for downloads
2 participants