[RFC-0003] Add commands for managing OCI artifacts #2856

stefanprodan · 2022-06-21T09:48:30Z

This PR adds commands to the Flux CLI for managing OCI artifacts as described in the RFC Flux OCI support for Kubernetes manifests.

OCI artifact commands

$ flux push artifact oci://ghcr.io/org/repository/app-config:v0.0.1 \
	--path="./manifests" \
	--source="$(git config --get remote.origin.url)" \
	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"

$ flux tag artifact oci://ghcr.io/org/repository/app-config:v0.0.1 --tag latest --tag production

$ flux list artifacts oci://ghcr.io/org/repository/app-config

$ flux pull artifact oci://ghcr.io/org/repository/app-config:latest --output ./tmp

$ flux build artifact --path ./manifests --output ./tmp/artifact.tgz

For authentication purposes, all flux <verb> artifact commands are using the ~/.docker/config.json config file and the Docker credential helpers.

The artifacts create with flux push artifact are annotated with the standard OCI annotation keys:

org.opencontainers.image.source
org.opencontainers.image.revision
org.opencontainers.image.created

OCI repository commands

$ flux create source oci podinfo-oci \
--url oci://ghcr.io/stefanprodan/manifests/podinfo \
--tag 6.1.6 \
--interval 10m

$ flux create kustomization podinfo-oci \
--source=OCIRepository/podinfo-oci \
--path="./kustomize" \
--prune=true \
--interval=5m \
--target-namespace=default \
--wait=true

$ flux get sources oci
$ flux reconcile source oci podinfo-oci
$ flux suspend source oci podinfo-oci
$ flux resume source oci podinfo-oci
$ flux export source oci podinfo-oci
$ flux delete ks podinfo-oci --silent
$ flux delete source oci podinfo-oci --silent

internal/oci/build.go

https://cloud-native.slack.com/archives/C02JQ9GLP26/p1655891456182639 fluxcd/flux2#2856 fluxcd/source-controller#788 fluxcd/kustomize-controller#684 Signed-off-by: Kingdon Barrett <kingdon@weave.works>

internal/oci/meta.go

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>

Fixup docs string to match pull command Signed-off-by: Kingdon Barrett <kingdon@weave.works>

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

action/README.md

kingdonb · 2022-08-09T17:47:35Z

I will look for somewhere better to put this information, but so as to not lose it for now, since I have written it out, I'll put it here:

Link to the docs that show how to create the free-standing "manifests" package repo and associate it with upstreams that can write OCI artifacts in actions runners from a separate repo.

The best way I know how to do this today is (kludgy, hope there is a better way)

Create a GITHUB_TOKEN (PAT) with packages:write and use docker login and flux push to push a first tag, implicitly creating the package repo. Then go to the page for the package which you can find on your GitHub profile, and set the visibility if needed and the permissions there, to allow actions to write from the source repository, as so:

Each manifests/podinfo or manifests/... is a separate package repo in GitHub, so you can keep these permissions isolated and granular, rather than free-for-all "everybody write into this bucket" approach.

You still need to set permissions.packages: write as above also. We should explain why this is needed in this example and why it is not needed in the following example, since it's not clear without any comment, or at least point to the docs that explain, here is my impression of why:

Pushes to a branch do not confer "write packages" permission by default in the GitHub permission model, because branches are not releases. Pushes to a tag do confer those permissions because tags are used for releasing.

action/README.md

cmd/flux/build_artifact.go

cmd/flux/create_secret_oci.go

cmd/flux/create_source_oci.go

cmd/flux/delete_source_oci.go

cmd/flux/get_source_oci.go

cmd/flux/list.go

cmd/flux/pull_artifact.go

cmd/flux/resume_source_oci.go

cmd/flux/suspend_source_oci.go

cmd/flux/tag.go

cmd/flux/tag_artifact.go

cmd/flux/push_artifact.go

Co-authored-by: Kingdon Barrett <kingdon@weave.works> Co-authored-by: Sunny <darkowlzz@protonmail.com> Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

* Added support for OCIRepositories to `flux trace` * Changed indentation to compensate new, longer field name "Source Revision" * Added unit tests for the new output closes #2970 Signed-off-by: Max Jonas Werner <max@e13.dev>

Make `flux trace` work with OCIRepository

darkowlzz

LGTM!

stefanprodan added the area/oci OCI related issues and pull requests label Jun 21, 2022

stefanprodan mentioned this pull request Jun 21, 2022

[RFC-0003] Implement OCIRepository reconciliation fluxcd/source-controller#788

Merged

9 tasks

stefanprodan changed the title ~~Add commands for managing OCI artifacts~~ [POC] Add commands for managing OCI artifacts Jun 21, 2022

stefanprodan mentioned this pull request Jun 21, 2022

[RFC-0003] Add support for OCIRepository sources fluxcd/kustomize-controller#684

Merged

stefanprodan force-pushed the oci branch 4 times, most recently from f855a04 to 1ace162 Compare June 22, 2022 10:16

souleb reviewed Jun 22, 2022

View reviewed changes

internal/oci/build.go Outdated Show resolved Hide resolved

stefanprodan force-pushed the oci branch from 1ace162 to 37b1b26 Compare June 22, 2022 11:38

stefanprodan force-pushed the oci branch from 1969e6e to 0c89b8d Compare June 23, 2022 06:47

pjbgf added this to the GA milestone Jun 30, 2022

kingdonb mentioned this pull request Jul 1, 2022

Feature: Support for Flux OCI features weaveworks/vscode-gitops-tools#309

Closed

stefanprodan force-pushed the oci branch 3 times, most recently from 11a860b to 45abb12 Compare July 7, 2022 13:50

stefanprodan changed the title ~~[POC] Add commands for managing OCI artifacts~~ [RFC-0003] Add commands for managing OCI artifacts Jul 8, 2022

stefanprodan force-pushed the oci branch 4 times, most recently from 60129ec to 0957710 Compare July 8, 2022 14:46

hiddeco reviewed Jul 11, 2022

View reviewed changes

internal/oci/meta.go Outdated Show resolved Hide resolved

stefanprodan force-pushed the oci branch from 51d2c6b to 2b1cc62 Compare July 13, 2022 11:57

stefanprodan mentioned this pull request Jul 15, 2022

Implement flux create secret oci #2910

Closed

stefanprodan mentioned this pull request Aug 1, 2022

Prepare for v0.32 release #2948

Closed

6 tasks

This was referenced Aug 2, 2022

Add Flux OCI support weaveworks/vscode-gitops-tools#358

Closed

v6.1.24 - no more hugs kingdonb/podinfo#30

Merged

stefanprodan force-pushed the oci branch from 278ac23 to 968e422 Compare August 3, 2022 08:12

kingdonb mentioned this pull request Aug 4, 2022

Feature request: Support for file-path in kustomization-crds #2930

Closed

somtochiama and others added 7 commits August 9, 2022 12:44

Update cli description

fe4b659

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>

Fix cli description

fcd38c9

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>

Add link to kubectl repo

41aac68

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>

Pull artifact not push artifact

69e26ca

Fixup docs string to match pull command Signed-off-by: Kingdon Barrett <kingdon@weave.works>

Add OCI provider arg

08401f6

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

Use fluxcd/pkg/oci/client

7c7e76f

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

Update controllers with OCI support

ac9b3d1

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

stefanprodan force-pushed the oci branch from e5299c9 to ac9b3d1 Compare August 9, 2022 09:45

stefanprodan added 2 commits August 9, 2022 13:27

Improve artifact commands docs

d4718f6

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

Add examples for pushing artifacts with GH Actions

d4c5a13

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

stefanprodan force-pushed the oci branch from de82f94 to d4c5a13 Compare August 9, 2022 10:51