New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add RFC for Image Watcher #1114
Conversation
Sorry, I will review this after releasing v0.9.0. |
Nop, take a look it at your convenience. |
docs/rfcs/0001-image-watcher.md
Outdated
passwordFile: /etc/piped-secret/dockerhub-pass | ||
``` | ||
|
||
We define the information about image tag underneath `.pipe/` directory: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens when multiple piped
s handling the same configuration repository?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like no problem even in that case. Image Watcher does just sync the tag in Git with one in Container Registry. If multiple Piped push to the Git repo, only one push will be successful.
And I'd say the case of using multiple Piped for the single repo is an edge case, but what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depends on the way Piped commits the changes. If it directly pushes the change to the specified branch, it is ok for handling the pushing error. If it pushes the change via PR, the conflicted pull requests will remain.
Alternatively, we can update the piped configuration to watch only the specified files in the .piped
directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we can consider it is the user's responsibility to ensure that one image is watched by one Piped, but how about you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I totally agree that it should be done by the user, yes their responsibility.
Just want to make sure we can provide a way for them to get it right.
For the use case at our company, the AB... team is going to store all configuration in a single repository, and I guess they will have at least 4 pipeds handling that repo. All of them run separately and loading the same .pipe
directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, that's more conventional.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I now found you specify .pipe/imagewatcher.yaml
as an excluded file. Does it mean to ignore/load the entire repository instead of specifying a specific application?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It means the including/excluding can be done at the image-watcher file level, not the app/manifest-path level.
For a big repository, if they want more control on multiple pipeds they should split into multiple image-watcher files inside the .pipe
directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me tell you the case I consider.
Let's say that multiple environment settings are in the same repository:
repo-root
├── dev/
├── prod/
Each piped should only monitor images for their environment.
dev piped should be:
apiVersion: pipecd.dev/v1beta1
kind: Piped
spec:
...
repositories:
- repoId: foo
remote: git@github.com:nakabonne/foo.git
branch: master
imageProviders:
- name: my-dockerhub
type: DOCKERHUB
interval: 5m
config:
username: user
passwordFile: /etc/piped-secret/dockerhub-pass
# Optional
imageWatcher:
- repoId: foo
includes:
- dev/
prod piped config should be:
``yaml
apiVersion: pipecd.dev/v1beta1
kind: Piped
spec:
...
repositories:
- repoId: foo
remote: git@github.com:nakabonne/foo.git
branch: master
imageProviders:
- name: my-dockerhub
type: DOCKERHUB
interval: 5m
config:
username: user
passwordFile: /etc/piped-secret/dockerhub-pass
# Optional
imageWatcher:
- repoId: foo
includes:
- prod/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For a big repository, if they want more control on multiple pipeds they should split into multiple image-watcher files inside the .pipe directory.
That makes sense!
docs/rfcs/0001-image-watcher.md
Outdated
|
||
### Architecture | ||
`Image Provider` pulls respectively periodically. | ||
`Image Watcher` pulls from the git repo, compares respectively and pushes the one with differences. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have a description of the interaction between piped and Git?
Does it push the changes directly to the specified branch or through a pull request?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking about pushing directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think so too. Because pull request is not a primitive feature of Git. It depends on the Git hosting service such as GitHub, GitLab, BitBucket...
Can we have a sentence to clarify that thing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah exactly, I'd happy to make it clear.
docs/rfcs/0001-image-watcher.md
Outdated
passwordFile: /etc/piped-secret/dockerhub-pass | ||
``` | ||
|
||
We define the information about image tag underneath `.pipe/` directory: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depends on the way Piped commits the changes. If it directly pushes the change to the specified branch, it is ok for handling the pushing error. If it pushes the change via PR, the conflicted pull requests will remain.
Alternatively, we can update the piped configuration to watch only the specified files in the .piped
directory.
docs/rfcs/0001-image-watcher.md
Outdated
|
||
# Unresolved questions | ||
|
||
- How to update template. Currently considering using https://github.com/vmware-tanzu/carvel-ytt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I know, the main target of carvel-ytt
is providing a tool for end-user, not a library for developers. So importing its go-package maybe not a good choice. They can make any change to those packages in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was attempting to execute it as a child process of piped, but anyway still not enough investigation at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than keeping unresolved questions as is, should we merge this RFC after investigating enough?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was attempting to execute it as a child process of piped, but anyway still not enough investigation at all.
If possible, we should avoid running those tools by using cmd
. Because it requires installing the tool beside our piped binary. The user should install only a single piped
to use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than keeping unresolved questions as is, should we merge this RFC after investigating enough?
I am not sure but I think the Unresolved Questions
section is for storing the questions that still not be resolved after our discussion here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got it. I will glad to investigate more 👍
docs/rfcs/0001-image-watcher.md
Outdated
provider: my-dockerhub | ||
``` | ||
|
||
# Unresolved questions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any thoughts about dealing with the rate limit from the container registry?
(caching, grouping, or triggering by CI event...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's what I'm most worried about. The rate limit per second may be reached when there are a bunch of target images for a single Image Provider.
I know it's a terrible way but I'm going to call time.Sleep()
at the end of each pull for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The above snippet is in the branch to be deleted after merged, so it will be invisible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does any provider have a watch
API or something like that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I investigate, no. Most providers implement the Docker Registry API that has just simple APIs.
It could be a frequent problem, so I'm going to investigate further to see if there's anything else we can do to help.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your investigation.
Actually, these were what I thought.
- At the initial phase, we do polling as usual.
- In the next phase, we provide a FAKE container registry at our control-plane and add a new kind of IMAGE_PROVIDER for the Piped to use. So for the big projects, they can
- use our CLI to send metadata about newly created images to our FAKE container registry
- change their pipeds to our IMAGE_PROVIDER kind
(Out FAKE container registry only contains the metadata of the images)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow, what a brilliant idea! For the large teams, they use the CLI tool in CI or something like that when their pushing is complete, doesn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, I'd be happy to work on the initial phase ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And make the RFC clear what each step does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, they use our CLI to publish the metadata for their newly created images.
For example, from their CI after pushing the image:
pipecd cli push-image --image=abc:v1.0.0 --api-key=key
@nghialv All unresolved problems have been gone out. Could you do the last check? |
docs/rfcs/0001-image-watcher.md
Outdated
Piped periodically compares the image tags defined in git with the latest tags stored in the container registry, and then pushes them to git if there are any deviations. | ||
|
||
### Usage | ||
Note: Where, we call the client that accesses the container registry to `Image Provider`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, what does this mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, it means "Where Image Provider
is the client that accesses the container registry". So I'll change to it.
docs/rfcs/0001-image-watcher.md
Outdated
- .pipe/imagewatcher-dev.yaml | ||
``` | ||
|
||
Adding an ImageWatcher file at `.pipe/` directory to define what image should be watched and what file should be updated: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "Adding one or more ImageWatcher files"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
/lgtm |
Fixed done. |
/approve |
Thank you. |
No, thank YOU! |
**What this PR does / why we need it**: Base implementation of #1114. Sorry for the huge patch. I'd be happy to work on tiny issues respectively after this. **Which issue(s) this PR fixes**: Fixes # **Does this PR introduce a user-facing change?**: <!-- If no, just write "NONE" in the release-note block below. --> ```release-note NONE ``` This PR was merged by Kapetanios.
What this PR does / why we need it:
I'd be happy to consider another way to display architecture if it's a problem to include in this repo.
Which issue(s) this PR fixes:
For #69
Does this PR introduce a user-facing change?: