Selectively replace the org when moving images

[carolynvs]

What does this change

Don't use a string replace because when the same text is used in the org
and the image name and the registry, it can end up changing more text
than it should.

Don't replace the org when there isn't one present. Some registries
embed the org in the domain, e.g. getporter.azurecr.io, in which case
the path of the tag is the name of the bundle, and we shouldn't be
appending that to the images.

What issue does it fix

Closes #1040

Notes for the reviewer

Put any questions or notes for the reviewer here.

Checklist

• Unit Tests
• Documentation (working on that now)
• Schema (porter.yaml) - Not Impacted

[carolynvs]

Should we have the same logic for renaming images between porter publish --archive and porter copy? This PR was fixing a bug in porter publish --archive and when I went to compare what porter copy does so that I could document them on the website (which is implemented in cnab-to-oci) I realized that they do different things... It seems confusing and honestly probably not what any user wants.

Here's what they do today:

Archive

• porter publish --archive whalegap.tgz --tag example.com/org2/whalegap:v0.1.0.
  • localhost:5000/org1/whalegap:v0.1.0 -> example.com/org2/whalegap:v0.1.0
  • localhost:5000/org1/whalegap-installer -> example.com/org2/whalegap-installer
  • nginx -> example.com/org2/nginx

Copy

• porter copy --source localhost:5000/org1/whalegap:v0.1.0 --destination example.com/org2/whalegap:v0.1.0.
  • localhost:5000/org1/whalegap-installer -> example.com/org2/whalegap/whalegap-installer
  • nginx -> example.com/org2/whalegap/nginx

The key difference is that images are tagged under not only the org but the name of the bundle.

I wish I could find the original issue where we discussed how the image relocation works in cnab-to-oci and why it puts things where it does. Can anyone find it?

[vdice]

Interesting. porter publish --archive seems like the "right" approach to publishing/copying, from one org to another -- no extra "namespacing" on the resulting images. Is it porter copy that delegates to the cnab-to-oci library? Maybe we can engage discussion with the maintainers and/or at the next CNAB meeting to learn about the reasoning/design.

[squillace]

Interesting. porter publish --archive seems like the "right" approach to publishing/copying, from one org to another -- no extra "namespacing" on the resulting images. Is it porter copy that delegates to the cnab-to-oci library? Maybe we can engage discussion with the maintainers and/or at the next CNAB meeting to learn about the reasoning/design.

Yeah, the problem with the installer under the bundle name is that we are now imposing some "order" on the tagging without any plan for why this is necessary. If I do a porter publish now, my installer is on its own, not hierarchical with bundle. Why do I care? The bundle.json and porter do the tracking for me, and I can go look through them if necessary by tag specifically.

I'm with Vaughn: the porter publish --archive behavior seems logical. QUESTION: what happens when a nested installer is used with porter public --archive? Is the nesting recapitulated? That is, if a source bundle is org/bundle and a source installer is org/bundle/installer is that hierarchy preserved when porter publish --archive is called? It should be, but if it isn't, it is wrong to insert a bundle into a structure that did not have it previously because, as you say, it's "arbitrary" which means users will need to know it before they understand it.

[carolynvs]

if a source bundle is org/bundle and a source installer is org/bundle/installer is that hierarchy preserved when porter publish --archive is called?

I just tested your scenario with a custom invocation image that uses bundle/installer instead of bundle-installer

porter publish --archive --tag example.com/neworg/apache:v0.1.0

• localhost:5000/myorg/apache/installer -> example.com/neworg/apache/installer

[carolynvs]

Is it porter copy that delegates to the cnab-to-oci library? Maybe we can engage discussion with the maintainers and/or at the next CNAB meeting to learn about the reasoning/design.

Yes, porter copy uses cnab-to-oci. I can't seem to find where a decision was made to namespace under the bundle name. That logic happens from this code:

https://github.com/cnabio/cnab-to-oci/blob/c9599a06b976f4cd5f505092292776caa924b549/remotes/fixup.go#L202

@radu-matei Do you have a link to why cnab-to-oci behaves this way? Where images referenced by a bundle, when copied to another registry are put under newregistry/ORG/BUNDLENAME/IMAGENAME, instead of newregistry/ORG/IMAGENAME?

[radu-matei]

cnab-to-oci [uses an OCI index])(https://github.com/cnabio/cnab-to-oci/#selection-of-oci-index) to represent a bundle in the registry - specifically, the bundle descriptor (bundle.json), the invocation image, and component images are part of the said index.

However, an index can only reference objects that are part of the same repository - this will eventually enable registries to treat all artifacts in the index as a whole (from vulnerability scanning to garbage collection).
(There is an ongoing discussion in the OCI community about allowing manifests to reference foreign objects, and it could enable this scenario, but the discussion is not advanced enough to continue that discussion).

So technically, because cnab-to-oci publishes an index, it cannot publish the images referenced in the bundle under newregistry/ORG/IMAGENAME.
(There is an open question as to whether it should tag the individual images from newregistry/ORG/BUNDLENAME/IMAGENAME though.)

Ultimately, cnab-to-oci ensures your bundle and referenced artifacts are available in the same repository - so if a user has access to the bundle, they also have access to pulling the images.

[carolynvs]

In the cnab meeting yesterday we decided to fix just the bug here, and document what each command is doing under the hood, and what resulting repositories are created.

[carolynvs]

I've updated https://deploy-preview-1047--porter.netlify.app/distribute-bundles/#image-references-after-publishing to clarify how images are renamed during publish normally and the intermediate artifacts generated during a porter publish --archive.

[radu-matei]

I don't really follow what is the action a bundle author should take from this.
Is this part not covered by relocation maps?

[carolynvs]

There is another PR where I've been working on building up docs for how to actually use the relocation map properly in your bundle. For example just populating the images section isn't enough, you also then have to use helm charts that understand image digests (not tags which they all use) and then actually use the relocation map to get the final location of your images. This is something that porter helps with.

That PR is being held up by this bug at the moment. So I can explain more and then link to that once this is merged. I'll make a note of it on that PR?

[radu-matei]

Maybe link this section of the OCI specification?

[radu-matei]

While accurate for scenarios where users are only interested in the bundle alone, as we saw in the airgapped environments meeting, having the images in their own repositories could be a valid use case for a subset of users.

So rather than a side effect, we could potentially see this as a feature.

[carolynvs]

I'll change to "can be ignored" because for the purpose of the bundle, they are not used and we need to make that clear but yeah they could use it if they wanted to.

[radu-matei]

I have a few very small comments, but overall, the document does a great job explaining the current behaviour of the two commands.

Thanks!

[vdice]

Only optional grammatical suggestions. LGTM. Great clarification in added docs.