-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal to converge helm repositories with docker registries #55
Conversation
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
aceec19
to
6661a67
Compare
@SteveLasker lots of interesting stuff here. Need to take some time to comment on the various topics. The biggest thing here that seems to conflict with the current approach is that this might prevent somebody from hosting a static Helm chart repository. How can somebody host a static repository with this model? What happens to the repository index? (index.yaml/index.json) cc @technosophos @jdolitsky @ankushchadha @elioengcomp @ljnelson @bacongobbler @jainishshah17 @saracen @DarthFennec @mattfarina |
At first glance it sounds challenging, given the differences in the package composition, indexing mechanism, API specification and native client supported features. I went through the proposal and I think they are positive from the client side perspective in terms of establishing a standard way to handle both docker images and helm charts. However, I'm struggling to see why one would like to merge them on the server side. It seems to me that this would make things more complicated to manage. @SteveLasker and @jdolitsky can you elaborate more on the benefits that an initiative like this could provide? |
@SteveLasker thanks for the PR and thoughts. As @jdolitsky noted, it's going to take me a few days to work through this. My first five thoughts, without reading it through and processing it are:
I'll give the proposals a good read through. |
Hey @mattfarina @elioengcomp;
I should also add, this is my first time attempting to propose, discuss and make changes to an existing OSS project. So, I'm navigating this the best way I know. If there are better ways, please let me know. I know there's discussions on a Helm Summit next quarter. I'm hoping to continue this discussion, framing a goal and figuring out what we need to achieve to meet those goals. Then review again at the Helm Summit. |
App Registry was pretty much a prototype of this idea. Our goal was that distribution of Helm charts would simply become another mimetype specified in an OCI-like JSON manifest. App Registry didn't really pick up traction because the lack of backwards compatibility with the existing Helm repository model. We had discussions about what the scope of work on the registry side of Helm v3 would be and it seemed like that the ultimate decision was that making a change like this is far too radical. I'm gladly in favor of anything similar minded to this, but I also understand the desired to maintain backwards compatibility and easily be able to serve static repositories. |
that was the intent of the AppRegistry, it does not only mimic the 'docker' push/pull ux but also aim to follow the OCI spec, so that any existing container-registry can easily implement it to store helm chart. Quay.io integrated it
I could detail more or demo it, if it helps to discuss from a concrete example. |
Hi Jimmy, Antoine, Are either of you planning to be at DockerConEU or KubeCon NA? Perhaps we can meet, or is there another channel to discuss further? |
I'll be at KubeCon NA in December. I'm also always on the Kubernetes slack. |
@SteveLasker @jzelinskie I wanted to pass on a few thoughts as things are continuing in the background:
|
I've digged dicussions and presentations from the past two years:
|
@@ -0,0 +1,14 @@ | |||
# Proposal 7 - Helm Chart Cache |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this topic is valid regardless of which direction we go as it relates to Docker convergence.
We should remove this and open it as its own proposal. People would benefit from this.
Please also see related issue #54
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are several items here. Happy to split up and converge with other proposals, like #54 as it makes sense. Perhaps to discuss on the call today to figure out specific next steps.
|
||
1. [Maintain semantic versioning](#proposal-8-1) | ||
2. Align with : notation to differentiate domains (.), namespaces (/) and file name extensions. | ||
3. Maintain "latest" concept, which also aligns with the docker manifest concept to have two tags equate tot the same chart. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo? ...two tags equate tot the same...
-> ...two tags equate to the same
## Helm References | ||
|
||
Proposal aligns Helm Charts with the same referencing scheme: | ||
- [**login url**] / [**namespace**] / [**chart**] : [**version/tag**] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @jzelinskie
We made some changes around that. For production usually it's not recommended to use mutable tags,
In example, v1.1.0
could refer to different sha overtime. Usually the recommendation is to directly use the sha256, to guaranty which software-version is getting pulled.
To simplify this process, and push best practices,
We tried a slightly different UX than docker:
- We introduced the concept of
channels
, a channel is a pointer to a sha and it can move over time: e.gbeta
,stable
,latest
,master
,dev
.....
Since a channel is 'nearly' a current docker tag, the command line is the same, using:
[**login url**] / [**namespace**] / [**chart**] : [**channel**]
e.g: https://quay.io/application/charts/ghost?tab=releases, the channel 'stable' is currently pointing to v1.0.1
helm registry pull quay.io/charts/ghost:stable
Pull package: charts/ghost...
./charts_ghost_1.0.1
- A tag/version is immutable and can be seen as an alias to the sha256. It's more convinent to remember but as 'safe' as using the sha.
The user refer to an immutable version/tag with@
:
helm registry pull quay.io/charts/ghost@1.0.1
This command is equivalent to:
helm registry pull quay.io/charts/ghost@sha256:35d3ec4fd61914383be8e94d3fe8a74fc24b2e2baedf87042b13d033e674290c
wdyt ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Channels are a very interesting concept, specifically as chart owners wish to flight updates to a specific version, and they provide a preview for what's coming.
The value I see for mutable tags(versions) is the ability to get security updates to a specific version without direct intervention:
- I deploy version 1 of a thing
- Version 2 of the thing is made available. By calling it version 2, it's presumed to be breaking changes, and I (as the developer/ops person) should opt into version 2
- A security flaw is found in sub-particle-a that both Version 1 and 2 reference in their charts.
- The security fix is flighted to the preview channel for both version 1 & 2
- After approval, thing: version 1 and thing:2 are updated.
- My company is watching changes to version 1, and quickly takes the update, tests it, and deploys the updated "stable" version.
In the above example, the thing owners were able to flight a security fix to version 1 & 2. The users of thing:1 were able to get updates, without having to involve development teams to make specific changes.
The great thing about additional channels is an org can also run automated tests on the preview channel. If any errors occur, they can automate reporting of issues.
If i reference a sha directly, I'm always bound to that very specific version, with no ability to move forward for automated patching. I wrote about this here: https://stevelasker.blog/2018/03/01/docker-tagging-best-practices-for-tagging-and-versioning-docker-images/
I think channels and stable tags are better together, but not mutual exclusive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The value I see for mutable tags(versions) is the ability to get security updates to a specific version without direct intervention:
That exactly the purpose of the channel, and was automatic upgrade was the main focus this feature. You can of course use channels like version/tags, or 'allow' mutable tags (explicitly allow force push) but default/recommended usage would be:
channel: mutable
tag: non-mutable
Automatic upgrades should be opt-in, not a side effect.
-
I deploy channel
1-stable
of a thing (points to the version/tag1.2.0
) -
Version 2 of the thing is made available. By calling it version/tag
2.0.0
, it's presumed to be breaking changes, and I (as the developer/ops person) should opt into channel2-stable
-
A security flaw is found in sub-particle-a that both Version
1.2.0
and2.0.0
reference in their charts.
The security fix is flighted to both channels1-beta
&2-beta
, -
After approval, version/tags
1.2.1
and2.0.1
are pushed, channels1-stable
is updated to points to1.2.1
, and channel2-beta
is updated to2.0.1
-
My company is watching changes to version
1-stable
, and quickly takes the update, tests it, and deploys the updated "stable" version.
In term of use experience
The chart maintainer it is doing:
- Release the security fix in the beta channels
# Push 1.2.1 to the beta channel
$ helm registry push quay.io/myorg --channel 1-beta
>>> Release '1.2.1' added to the '1-beta' channel
# Push 2.0.1 to the beta channel
$ helm registry push quay.io/myorg --channel 2-beta
>>> Release '2.0.1' added to the '2-beta' channel
- Review channels:
$ helm registry channel quay.io/myorg/thing
channel release
--------- ---------
1-stable 1.2.0
1-beta 1.2.1
2-stable 2.0.0
2-beta 2.0.1
- Once confirmed / approved, promote from
beta
tostable
$ helm registry push quay.io/myorg --channel 1-stable
>>> Release '1.2.1' added to the '1-stable' channel
$ helm registry push quay.io/myorg --channel 2-stable
>>> Release '2.0.1' added to the '2-stable' channel
For the application use the experience is either:
- manually pull versions
helm registry install quay.io/org/thing@v1.2.1
- Trust the channels and get automatic latest versions
helm registry install quay.io/org/thing:1-stable
At least, we should be able to 'protect' a tag from being 'force' pushed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see where your going. It's basically a more explicit way to opt into updates for a stable tag.
The thing that strikes me with this is:
- customers are already struggling with stable and unique tags
- they don't seem to be understanding the wave of problems ahead of them for patching containers
- when I tell them about it, they either think containers aren't as great as they hoped (looking backwards), or they get it and love the ability to patch, test, then deploy a container
- channels adds yet another concept they are struggling to keep up with
- how can we get this into distribution across all registries so it's a common thing. Unless it's common, I struggle with it getting great adoption
I do like the expectations. Just struggle with getting it to common usage.
Is this something we can layer in, as customers feel the pain?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
channels adds yet another concept they are struggling to keep up with
We can completely layer that, and not even talk about channels to begin with.
Channels are not a key feature, nor required to use a registry, then it should not be a big deal if vendor don't adopt it at the same time.
I'm bringing that early, because it could change the cli UX.
With app-registry, after several iteration we landed with:
helm pull domain/org/app:channel
helm pull domain/org/app@tag
helm pull domain/org/app@sha256
If we delay channels for let's say12 months, and everyone is using the syntax:
helm pull domain/org/app:tag
it will be impossible to switch to :channel
/ @tag
.
So the only question to answer early is:
- how users will pull or deploy from a channel via the CLI ?
helm pull domain/org/app --channel beta
helm pull domain/org/app+beta
helm pull domain/org/app:beta # lookup for the tag beta first , then for the channel
....
ps:
About customers, we presented it saying: "you can subscribe to stable/beta/alpha channels and get automatic upgrades or... continue to manually manage versions". This looked much more like a step forward than backward in term of maintenance and operations.
|
||
1. [Maintain semantic versioning](#proposal-8-1) | ||
2. Align with : notation to differentiate domains (.), namespaces (/) and file name extensions. | ||
3. Maintain "latest" concept, which also aligns with the docker manifest concept to have two tags equate tot the same chart. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See the comment about 'channels'. We enforced the semver for 'tags/version', and let a free-form for channels'
Hi @SteveLasker The proposal is very interesting, a common auth flow simplifies UX but there are 4 broad categories that need to be addressed - A) There are valid use cases where the helm chart doesn't belong in a docker registry - B) Release Cadence C) Chart Neutrality - This proposal can potentially encourage charts to be written in a way that it is cloud provider dependent. It will be hard for users to expect the same chart to run on all cloud providers and even on-prem. Hybrid becomes complicated. D) Version - It is not a good idea to use dynamic version 'latest' as a helm chart version. Users are very selective in terms of what they want to deploy in production. |
I like the idea of making Helm repositories feel more like Docker repositories, but I don't think there is any reason to require Helm charts and Docker images to be hosted in the same repo. If a provider wants to use one registry for both thats fine, but that shouldn't be an expectation. If we want to transition completely to a new repo format for Helm 3, we would need a pretty detailed spec pretty soon. We would like to get input from the major cloud providers on the spec and then allow time for all of them to provide support for this by the time Helm 3 is released. That sounds like a very challenging timeline. |
Hi Morten, |
Its not clear to me from this description if the docker registry needs to be enhanced to support charts. Is that a requirement, or are the charts stored in OCI format in the registry so that any normal registry will work unmodified? It would be kind of useful to be able to use docker pull/push / skopeo to copy around the charts too... |
Incorporated a bunch of the recent conversations, including KubeCon and the OCI proposals. https://github.com/helm/community/blob/3689b3202e35361274241dc4ec188e1e6f1a2e53/proposals/helm-repo-container-registry-convergence/readme.md |
Hi @SteveLasker! Helm 3 has since been released. I don't imagine we'll be merging this into the "Helm 3 proposals" any time soon because Helm 3 has already been released with experimental OCI support. Therefore I'm going ahead and closing this. Please feel free to carry on conversation over in the helm ticket queue. If there's documentation in here that could prove useful, please feel free to propose it over to the helm-www repo as supporting documentation. https://helm.sh/docs/topics/registries/ Thanks! |
@jdolitsky discussion on convergence of helm repos and container registries for Helm 3