-
Notifications
You must be signed in to change notification settings - Fork 199
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Selectively replace the org when moving images #1047
Conversation
Don't use a string replace because when the same text is used in the org and the image name and the registry, it can end up changing more text than it should. Don't replace the org when there isn't one present. Some registries embed the org in the domain, e.g. getporter.azurecr.io, in which case the path of the tag is the name of the bundle, and we shouldn't be appending that to the images.
Should we have the same logic for renaming images between Here's what they do today: Archive
Copy
The key difference is that images are tagged under not only the org but the name of the bundle. I wish I could find the original issue where we discussed how the image relocation works in cnab-to-oci and why it puts things where it does. Can anyone find it? |
Interesting. |
Yeah, the problem with the installer under the bundle name is that we are now imposing some "order" on the tagging without any plan for why this is necessary. If I do a porter publish now, my installer is on its own, not hierarchical with bundle. Why do I care? The bundle.json and porter do the tracking for me, and I can go look through them if necessary by tag specifically. I'm with Vaughn: the porter publish --archive behavior seems logical. QUESTION: what happens when a nested installer is used with porter public --archive? Is the nesting recapitulated? That is, if a source bundle is org/bundle and a source installer is org/bundle/installer is that hierarchy preserved when |
I just tested your scenario with a custom invocation image that uses
|
Yes, porter copy uses cnab-to-oci. I can't seem to find where a decision was made to namespace under the bundle name. That logic happens from this code: @radu-matei Do you have a link to why cnab-to-oci behaves this way? Where images referenced by a bundle, when copied to another registry are put under |
However, an index can only reference objects that are part of the same repository - this will eventually enable registries to treat all artifacts in the index as a whole (from vulnerability scanning to garbage collection). So technically, because Ultimately, |
In the cnab meeting yesterday we decided to fix just the bug here, and document what each command is doing under the hood, and what resulting repositories are created. |
* Document the intermediate artifacts created by porter publish --archive creates. * Clarify the documentation around how images are named when published.
I've updated https://deploy-preview-1047--porter.netlify.app/distribute-bundles/#image-references-after-publishing to clarify how images are renamed during publish normally and the intermediate artifacts generated during a |
docs/content/distribute-bundles.md
Outdated
@@ -90,7 +95,18 @@ porter publish -a mybunz1.1.tgz --tag getporter/megabundle:1.1.0 | |||
|
|||
## Image References After Publishing | |||
|
|||
When a bundle is published, the images that it will use are copied into the location of the published bundle. This simplifies access control and management of artifacts in the repository. Consider the following `porter.yaml` snippet: | |||
When a bundle is published, all images [referenced][image-map] by the bundle are | |||
published **inside** bundle repository. Bundles should be written to use the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really follow what is the action a bundle author should take from this.
Is this part not covered by relocation maps?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is another PR where I've been working on building up docs for how to actually use the relocation map properly in your bundle. For example just populating the images
section isn't enough, you also then have to use helm charts that understand image digests (not tags which they all use) and then actually use the relocation map to get the final location of your images. This is something that porter helps with.
That PR is being held up by this bug at the moment. So I can explain more and then link to that once this is merged. I'll make a note of it on that PR?
docs/content/distribute-bundles.md
Outdated
* REGISTRY/ORG/BUNDLE@**REFERENCED_IMAGE_1_DIGEST** | ||
* REGISTRY/ORG/BUNDLE@**REFERENCED_IMAGE_2_DIGEST** | ||
|
||
NOTE: Digest refers to the the repository digest (not the image id). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe link this section of the OCI specification?
process and they are not used by the final bundle. | ||
|
||
Using the example above, the following repositories are created and should be | ||
ignored: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While accurate for scenarios where users are only interested in the bundle alone, as we saw in the airgapped environments meeting, having the images in their own repositories could be a valid use case for a subset of users.
So rather than a side effect, we could potentially see this as a feature.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll change to "can be ignored" because for the purpose of the bundle, they are not used and we need to make that clear but yeah they could use it if they wanted to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a few very small comments, but overall, the document does a great job explaining the current behaviour of the two commands.
Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only optional grammatical suggestions. LGTM. Great clarification in added docs.
Co-authored-by: Vaughn Dice <vadice@microsoft.com>
What does this change
Don't use a string replace because when the same text is used in the org
and the image name and the registry, it can end up changing more text
than it should.
Don't replace the org when there isn't one present. Some registries
embed the org in the domain, e.g. getporter.azurecr.io, in which case
the path of the tag is the name of the bundle, and we shouldn't be
appending that to the images.
What issue does it fix
Closes #1040
Notes for the reviewer
Put any questions or notes for the reviewer here.
Checklist