Add RFC for Image Watcher #1114
Conversation
|
Code coverage for golang is |
|
Sorry, I will review this after releasing v0.9.0. |
|
Nop, take a look it at your convenience. |
docs/rfcs/0001-image-watcher.md
Outdated
| passwordFile: /etc/piped-secret/dockerhub-pass | ||
| ``` | ||
|
|
||
| We define the information about image tag underneath `.pipe/` directory: |
There was a problem hiding this comment.
What happens when multiple pipeds handling the same configuration repository?
There was a problem hiding this comment.
I feel like no problem even in that case. Image Watcher does just sync the tag in Git with one in Container Registry. If multiple Piped push to the Git repo, only one push will be successful.
And I'd say the case of using multiple Piped for the single repo is an edge case, but what do you think?
There was a problem hiding this comment.
Depends on the way Piped commits the changes. If it directly pushes the change to the specified branch, it is ok for handling the pushing error. If it pushes the change via PR, the conflicted pull requests will remain.
Alternatively, we can update the piped configuration to watch only the specified files in the .piped directory.
There was a problem hiding this comment.
I guess we can consider it is the user's responsibility to ensure that one image is watched by one Piped, but how about you?
There was a problem hiding this comment.
Yes, I totally agree that it should be done by the user, yes their responsibility.
Just want to make sure we can provide a way for them to get it right.
For the use case at our company, the AB... team is going to store all configuration in a single repository, and I guess they will have at least 4 pipeds handling that repo. All of them run separately and loading the same .pipe directory.
There was a problem hiding this comment.
Looks good, that's more conventional.
There was a problem hiding this comment.
Ah, I now found you specify .pipe/imagewatcher.yaml as an excluded file. Does it mean to ignore/load the entire repository instead of specifying a specific application?
There was a problem hiding this comment.
It means the including/excluding can be done at the image-watcher file level, not the app/manifest-path level.
For a big repository, if they want more control on multiple pipeds they should split into multiple image-watcher files inside the .pipe directory.
There was a problem hiding this comment.
Let me tell you the case I consider.
Let's say that multiple environment settings are in the same repository:
repo-root
├── dev/
├── prod/
Each piped should only monitor images for their environment.
dev piped should be:
apiVersion: pipecd.dev/v1beta1
kind: Piped
spec:
...
repositories:
- repoId: foo
remote: git@github.com:nakabonne/foo.git
branch: master
imageProviders:
- name: my-dockerhub
type: DOCKERHUB
interval: 5m
config:
username: user
passwordFile: /etc/piped-secret/dockerhub-pass
# Optional
imageWatcher:
- repoId: foo
includes:
- dev/prod piped config should be:
``yaml
apiVersion: pipecd.dev/v1beta1
kind: Piped
spec:
...
repositories:
- repoId: foo
remote: git@github.com:nakabonne/foo.git
branch: master
imageProviders:
- name: my-dockerhub
type: DOCKERHUB
interval: 5m
config:
username: user
passwordFile: /etc/piped-secret/dockerhub-pass
# Optional
imageWatcher:
- repoId: foo
includes:
- prod/There was a problem hiding this comment.
For a big repository, if they want more control on multiple pipeds they should split into multiple image-watcher files inside the .pipe directory.
That makes sense!
docs/rfcs/0001-image-watcher.md
Outdated
|
|
||
| ### Architecture | ||
| `Image Provider` pulls respectively periodically. | ||
| `Image Watcher` pulls from the git repo, compares respectively and pushes the one with differences. |
There was a problem hiding this comment.
Can we have a description of the interaction between piped and Git?
Does it push the changes directly to the specified branch or through a pull request?
There was a problem hiding this comment.
I'm thinking about pushing directly.
There was a problem hiding this comment.
I think so too. Because pull request is not a primitive feature of Git. It depends on the Git hosting service such as GitHub, GitLab, BitBucket...
Can we have a sentence to clarify that thing?
There was a problem hiding this comment.
Yeah exactly, I'd happy to make it clear.
docs/rfcs/0001-image-watcher.md
Outdated
| passwordFile: /etc/piped-secret/dockerhub-pass | ||
| ``` | ||
|
|
||
| We define the information about image tag underneath `.pipe/` directory: |
There was a problem hiding this comment.
Depends on the way Piped commits the changes. If it directly pushes the change to the specified branch, it is ok for handling the pushing error. If it pushes the change via PR, the conflicted pull requests will remain.
Alternatively, we can update the piped configuration to watch only the specified files in the .piped directory.
docs/rfcs/0001-image-watcher.md
Outdated
|
|
||
| # Unresolved questions | ||
|
|
||
| - How to update template. Currently considering using https://github.com/vmware-tanzu/carvel-ytt |
There was a problem hiding this comment.
As far as I know, the main target of carvel-ytt is providing a tool for end-user, not a library for developers. So importing its go-package maybe not a good choice. They can make any change to those packages in the future.
There was a problem hiding this comment.
I was attempting to execute it as a child process of piped, but anyway still not enough investigation at all.
There was a problem hiding this comment.
Rather than keeping unresolved questions as is, should we merge this RFC after investigating enough?
There was a problem hiding this comment.
I was attempting to execute it as a child process of piped, but anyway still not enough investigation at all.
If possible, we should avoid running those tools by using cmd. Because it requires installing the tool beside our piped binary. The user should install only a single piped to use.
There was a problem hiding this comment.
Rather than keeping unresolved questions as is, should we merge this RFC after investigating enough?
I am not sure but I think the Unresolved Questions section is for storing the questions that still not be resolved after our discussion here.
There was a problem hiding this comment.
I got it. I will glad to investigate more 👍
docs/rfcs/0001-image-watcher.md
Outdated
| provider: my-dockerhub | ||
| ``` | ||
|
|
||
| # Unresolved questions |
There was a problem hiding this comment.
Any thoughts about dealing with the rate limit from the container registry?
(caching, grouping, or triggering by CI event...)
There was a problem hiding this comment.
Yeah, that's what I'm most worried about. The rate limit per second may be reached when there are a bunch of target images for a single Image Provider.
I know it's a terrible way but I'm going to call time.Sleep() at the end of each pull for now.
There was a problem hiding this comment.
The above snippet is in the branch to be deleted after merged, so it will be invisible.
There was a problem hiding this comment.
Does any provider have a watch API or something like that?
There was a problem hiding this comment.
As far as I investigate, no. Most providers implement the Docker Registry API that has just simple APIs.
It could be a frequent problem, so I'm going to investigate further to see if there's anything else we can do to help.
There was a problem hiding this comment.
Thanks for your investigation.
Actually, these were what I thought.
- At the initial phase, we do polling as usual.
- In the next phase, we provide a FAKE container registry at our control-plane and add a new kind of IMAGE_PROVIDER for the Piped to use. So for the big projects, they can
- use our CLI to send metadata about newly created images to our FAKE container registry
- change their pipeds to our IMAGE_PROVIDER kind
(Out FAKE container registry only contains the metadata of the images)
There was a problem hiding this comment.
Wow, what a brilliant idea! For the large teams, they use the CLI tool in CI or something like that when their pushing is complete, doesn't it?
There was a problem hiding this comment.
Okay, I'd be happy to work on the initial phase ;)
There was a problem hiding this comment.
And make the RFC clear what each step does.
There was a problem hiding this comment.
Yes, they use our CLI to publish the metadata for their newly created images.
For example, from their CI after pushing the image:
pipecd cli push-image --image=abc:v1.0.0 --api-key=key
|
Code coverage for golang is |
|
Code coverage for golang is |
|
Code coverage for golang is |
|
@nghialv All unresolved problems have been gone out. Could you do the last check? |
|
Code coverage for golang is |
docs/rfcs/0001-image-watcher.md
Outdated
| Piped periodically compares the image tags defined in git with the latest tags stored in the container registry, and then pushes them to git if there are any deviations. | ||
|
|
||
| ### Usage | ||
| Note: Where, we call the client that accesses the container registry to `Image Provider`. |
There was a problem hiding this comment.
Sorry, it means "Where Image Provider is the client that accesses the container registry". So I'll change to it.
docs/rfcs/0001-image-watcher.md
Outdated
| - .pipe/imagewatcher-dev.yaml | ||
| ``` | ||
|
|
||
| Adding an ImageWatcher file at `.pipe/` directory to define what image should be watched and what file should be updated: |
There was a problem hiding this comment.
nit: "Adding one or more ImageWatcher files"
|
/lgtm |
|
Fixed done. |
|
/approve |
|
This pull request is APPROVED by Approvers can cancel the approval by writing |
|
Thank you. |
|
No, thank YOU! |
**What this PR does / why we need it**: Base implementation of #1114. Sorry for the huge patch. I'd be happy to work on tiny issues respectively after this. **Which issue(s) this PR fixes**: Fixes # **Does this PR introduce a user-facing change?**: <!-- If no, just write "NONE" in the release-note block below. --> ```release-note NONE ``` This PR was merged by Kapetanios.
What this PR does / why we need it:
I'd be happy to consider another way to display architecture if it's a problem to include in this repo.
Which issue(s) this PR fixes:
For #69
Does this PR introduce a user-facing change?: