Propose convention for storing operator bundle

[tkashem]

This enhancement proposes standards and conventions for storing
operator manifests and metadata as conatiner images.

[ashcrow]

On first pass this looks pretty reasonable to me. I do notice that while OCI containers are referenced the majority of the examples rely on the docker command. I assume the custom and docker media-types are interchangeable.

In terms of the format version in use, how would one figure that out? Would there be a specific label associated with the formats version that someone would use skopeo inspect or the like to check?

[deads2k]

/assign @jwforres

[deads2k]

which is authoritative if they do not match?

[tkashem]

Ideally, we would like to have these annotations defined in one place. In case of a mismatch, the annotations.yaml file is authoritative because on-cluster operator-registry ( component of olm ) that relies on these annotations has access to the yaml file only.

The potential use case for the LABELS is - an external off-cluster tool can inspect the image to check the type of bundle image without downloading the content.

I will add this info to the proposal.

[njhale]

@tkashem I think we should add the reasoning for why OLM doesn't just use the labels itself. As I understand it, there are certain rules around how OpenShift components interact with container images, and that precludes inspecting images directly -- does that sound correct?

[deads2k]

typo: inside

[tkashem]

will be fixed in the next push.

[deads2k]

Can you describe what you would do with this? It doesn't look like a straight apply of the directory content. It is simply free-form?

[tkashem]

In this example, I have used the format used by operator-registry - https://github.com/operator-framework/operator-registry#manifest-format. This is the format olm uses to package operator manifests today. The directory content in this case is not directly kubectl applyable. While the operator is being installed, olm manipulates the content before applying it to the cluster.

I think, we can also package content in the operator bundle image that are straight apply.

[deads2k]

In this example, I have used the format used by operator-registry - https://github.com/operator-framework/operator-registry#manifest-format. This is the format olm uses to package operator manifests today. The directory content in this case is not directly kubectl applyable. While the operator is being installed, olm manipulates the content before applying it to the cluster.

I think, we can also package content in the operator bundle image that are straight apply.

please include a link for reference.

[ecordell]

The directory content in this case is not directly kubectl applyable

The content should be kubectl applyable, right?

[jewzaam]

It would be great if it supported arbitrary resources. A challenge SRE has faced developing operators for managing OSD is how to get all required resources installed. We have a limited set of resources we can include in a grpc bundle today. Resources off the top of my head that we can't bundle but need to deploy w/ the operator: Service, ServiceMonitor, PrometheusRule

[deads2k]

can you link out to the channel and package you're describing?

[jwforres]

This also doesn't explain what the index is - or link to something that explains the index concept. I'd be fine linking to another enhancement proposal PR for now if that is where we describe the index.

[tkashem]

can you link out to the channel and package you're describing?

• https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/how-to-update-operators.md
• https://github.com/operator-framework/operator-lifecycle-manager#discovery-catalogs-and-automated-upgrades
• https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/architecture.md#catalog-registry-design

I will add the links to the proposal also.

This also doesn't explain what the index is - or link to something that explains the index concept. I'd be fine linking to another enhancement proposal PR for now if that is where we describe the index.

Enhancement proposal that covers index - #24.

We still have some open questions whether channel and package definitions should be included inside the operator bundle image.

[jwforres]

Is this a good opportunity for us to switch to an operator framework based API domain, operators.operatorframework.io or something. Ideas?

[tkashem]

operators.operatorframework.io sounds good to me. I am happy to update the proposal with this new domain.

At some point, we need to plan to version our APIs to be consistent across?

[jwforres]

This also doesn't explain what the index is - or link to something that explains the index concept. I'd be fine linking to another enhancement proposal PR for now if that is where we describe the index.

[jwforres]

What component would watch for this Operator resource and translate this into a running operator.

[tkashem]

This example shows how a user can run the operator using olm. This is being covered here - #28.

[ecordell]

@tkashem I think it would also be useful to write out manual application by pulling the bundle image locally, unpacking it, and applying to the cluster.

[njhale]

@tkashem I think we can scope this section to just what @ecordell said as "install w/ bundle image using Operator" is covered by #28

[jwforres]

Do we have existing values for this --type flag today? If so what are they? I'm not convinced that operator-registry is the right thing to put here, but I'm missing some context to say what might be better.

[tkashem]

https://github.com/operator-framework/operator-registry#manifest-format - operator registry bundle format is what olm uses today to pack/unpack operators. We wanted to take an incremental approach:

• Quick win: package operator-registry into the bundle image, this gets us off of app-registry with relatively less efforts and sooner.
• Long term: We can focus our efforts on a different format where operator metadata and manifests are separately defined and stored. csv is decomposed into plain kube manifests. We can also focus on adding support for other packaging format like helm.

The values for --type can be - operator-registry, plain ( straight apply kube manifets ), helm.

[tkashem]

In terms of the format version in use, how would one figure that out? Would there be a specific label associated with the formats version that someone would use skopeo inspect or the like to check?

Good point, we can use operators.coreos.com.bundle.mediatype=bundle+v1 or a new label operators.coreos.com.bundle.version.

[ecordell]

If we merge this proposal are we committing to the operator-framework cli name?

[tkashem]

No, it's just an example. :) It's an open question whether we have a new cli, or use operator-sdk or operator-registry.

[estroz]

Suggested change

	* The value `metadada` implies that this bundle has operator metadata only.
	* The value `metadata` implies that this bundle has operator metadata only.

[estroz]

Suggested change

	* The value `manifests+metadata` implies that this bundle contains both operator metadata and manifets.
	* The value `manifests+metadata` implies that this bundle contains both operator metadata and manifests.

[ralphbean]

Suggested change

	* Define a convention for storing operator manifetss and metadata with container image.
	* Define a convention for storing operator manifests and metadata with container image.

[mhrivnak]

What's the reason for this requirement?

[tkashem]

I removed it, so unpacking the bundle content will now involve going through each image layer and extracting it.

[mhrivnak]

Why not add this to operator-sdk?

[ecordell]

It will be - we're building the libraries and tooling so that operator-sdk can just wrap them. I believe this is just a strawman, but we'll likely have an entry point outside of sdk as well.

[mhrivnak]

As stated above, these images do not and cannot run, so consider rewording this. You could just leave it at "As an operator author I want to validate an operator bundle image."

[tkashem]

it's a typo, it should be I can ensure my operator runs as expected on a cluster.

[mhrivnak]

s/shoud/should/

[mhrivnak]

s/apropriate/appropriate/

[mhrivnak]

Do CSVs still include the "placeholder" namespace? This seems to assume that's not a problem in this example.

[ecordell]

We have a separate effort to enable "directly applying CSVs" that this section assumes is already in place.

But I think the example probably should include a namespace flag?

[mhrivnak]

What's the use case for having a bundle with only one or the other? It seems like not a lot of data; why not "bundle" it together all the time and not worry about this difference?

[tkashem]

The spec keeps room for separation, on the other hand our implementation which is already in progress "bundles" all of manifests/metadata together.

[mhrivnak]

If there's not a direct need for this now, I suggest leaving it out of the initial implementation. I'm sure you will version the format you're creating, and if this turns out to be a valuable distinction, you can add it in a later version.

Otherwise, this adds a fair amount of complexity that may not be worthwhile.

[njhale]

I think this falls under the inspect portion of the Build, Push, Pull Operator Bundle story. It's necessary if a user wants to identify a bundle image before pulling its layers.

[shawn-hurley]

I agree with Michael, this is not something that we need to be focusing on.

[njhale]

... on a container format ...

Would "on an OCI-compliant format" be more clear?

[njhale]

Suggested change

	* Define a convention for storing operator manifests and metadata with container image.
	* Define a convention for storing operator manifests and metadata with a container image.

[njhale]

Suggested change

	We delineate the operator metadata from the operator manifests. The operator manifests refers to a set of kubernetes manifest(s) the defines the deployment and RBAC model of the operator. The operator metadata on the other hand are, but not limited to:
	We delineate operator metadata from operator manifests. We define _operator manifests_ as a set of kubernetes manifests that compose an operator's deployment (`Deployment`, RBAC, etc), and _operator metadata_ as including:

[njhale]

Suggested change

	* For an operator The metadata can be downloaded independently of the manifest.
	* An operator's metadata can be downloaded independently of its manifests.

[njhale]

I think this falls under the inspect portion of the Build, Push, Pull Operator Bundle story. It's necessary if a user wants to identify a bundle image before pulling its layers.

[njhale]

Are we sure that manifests and metadata will always be of the same mediatype?

[njhale]

Can we call out kustomize too?

[njhale]

What registry version would --type=registry use, the latest the tool is privy to? Should we always require the proposed version suffix (+<v>)?

[njhale]

Suggested change

	As an operator author I want to run my operator directly from the bundle image. Once an operator is packaged into a bundle image, we want to give the author ability to run it using `olm` directly from the bundle image.
	As an operator author I want to install my operator directly using only its bundle image.

[njhale]

@tkashem I think we can scope this section to just what @ecordell said as "install w/ bundle image using Operator" is covered by #28

[mhrivnak]

Did you consider putting the metadata into a LABEL on the image? That would simplify retrieval of metadata from a bundle. That approach was used successfully with APBs.

[shawn-hurley]

Have we considered that this is included in the operator image in a well-defined place?

Seems to me the only issue would be the SHA that is used in the deployment manifest but could OLM/Index Image replace that?

[ecordell]

As discussed off-line - this is a feature we could build as part of the index in the future, but it would make it harder to audit images that are running on-cluster. We should be able to layer it on to the current proposal easily, but we need to weigh building that vs. the UX of understanding what's actually running on your cluster.

[ecordell]

@mhrivnak Labels would be ideal, but we need the metadata on-cluster, and we won't have access to the actual (docker v2-2) manifest on-cluster.

There's nothing stopping us from replicating the metadata into labels, much like we're doing for the media types here, as need arises.

[shawn-hurley]

Does this indicate that we will have to write the ability to deploy with these types? Can we say that these are potential types and not implement them until later? I think that we just focus on registry for now.

[ecordell]

/approve
/lgtm

The remaining issues will be addressed in a followup PR.

[shawn-hurley]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ecordell, shawn-hurley, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ecordell,shawn-hurley]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment