-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#1151 Add documentation for OCI feature in Apps & Marketplace Section #1171
base: main
Are you sure you want to change the base?
#1151 Add documentation for OCI feature in Apps & Marketplace Section #1171
Conversation
I'm going to open this up for review, but I'm reluctant to create the release branch yet, as 2.9 is several months from now. Added the DO NOT MERGE label and have to to remember to point this to the 2.9 branch at a more appropriate time. |
I edited most of the draft provided, but the last section needs more instructions.
Where in the UI do they go to perform these steps? Thank you! |
The CRD that is linked to the OCI Helm registry is `ClusterRepo`. | ||
|
||
[Screenshot of the ClusterRepo YAML]<!-- Engineers - Can we get this screenshot? Thank you! --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left this part in, but it feels like we need a little more content here to explain the relevance of mentioning it in this section vs somewhere else, and what users can use that information for.
1. **oci://\<registry-host\>/**: Every chart in the registry becomes available for installation, regardless of namespace or tag. | ||
1. **oci://\<registry-host\>/\<namespace\>**: Every chart in the specified namespace within the registry becomes available for installation. | ||
1. **oci://\<registry-host\>/\<namespace\>/\<chart-name\>**: Only the specified chart and any associated tags or versions of that chart become available for installation. | ||
1. **oci://\<registry-host\>/\<namespace\>/\<chart-name\>:\<tag\>**: Only the chart with the specified tag becomes available for installation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I opted not to format these as code snippets, so the backslashes are required as escape characters for the angle brackets.
docs/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
@martyav Thank you for this PR. There has been some modification requested for this feature. So, I complete those modifications and get back to you. |
@rohitsakala do you have any updates on this? |
@rohitsakala checking in again, do you have any updates? |
@martyav Yes, I do have to update the docs. I have sent the PR to product team for playing. Once they have given me the approval, I will update the docs and inform. Maybe in max 2 weeks. |
…151-add-documentation-for-oci-feature-in-apps-and-marketplace-section
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
|
||
Rancher supports BasicAuth for OCI registries. You must create a [**BasicAuth** Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). You can also [create the secret through the Rancher UI](../kubernetes-resources-setup/secrets.md). | ||
|
||
Rancher 2.9.0 also adds the `spec.insecurePlainHttp` field, which allows insecure connections to OCI registries. When this field is set to `true`, Rancher connects to the OCI endpoint without performing an SSL check. This works exactly the same as how the `spec.insecurePlainHttp` field works in [ORAS CLI](https://oras.land/docs/commands/use_oras_cli), since Rancher uses the ORAS library. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you replace this point with this section ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean "Explanation of fields"? It seems like we should explain those fields in context with the steps they are related to. "There are more fields that the user can define". Where do these fields appear and how can the user define them? Do they all appear on the same screen where the user sets up authentication?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martyav These fields appear while creating the OCI-based Helm repository, basically in the same page where the user will be inputting the name, OCI URL etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I added the explanations as part of the step-by-step instructions, in order of where they appear in the UI
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
1. Click **Apps > Charts**. | ||
1. Select the OCI repository from the dropdown. | ||
|
||
## Refresh an OCI Registry |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add this section as well ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rate limiting section added
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
|
||
## Troubleshooting OCI-based Helm Registries <!-- Unedited draft --> | ||
|
||
To view logs, enable the debug option of rancher |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To enhance logging information from the operations, enable the debug option while deploying Rancher.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section has now been edited and the link has been added
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
@rohitsakala I made a number of edits addressing suggestions. However, there are still three things unresolved:
|
...oned_docs/version-2.9/how-to-guides/new-user-guides/helm-charts-in-rancher/oci-registries.md
Outdated
Show resolved
Hide resolved
|
||
If you have a OCI-based Helm chart repository which doesn't implement the `Retry-After` header, or which behaves differently than Dockerhub, provide your response values with the `ExponentialBackOff` field. | ||
|
||
For example, if you have an OCI-based Helm chart repository that doesn't send a HTTP header, but you know that it allows 50 requests in 24 hours, you can provide a `MinWait` value of 86400 seconds, a `MaxWait` of 90000 seconds, and a `Maxretry` of `1`. <!-- I'm not sure what these two sentences from the draft mean? --> This would allow adding the Helm repository complete but it would take 24 hours if Rancher gets rate limited. There is no user intervention needed here.<!-- end --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So let me explain it more clearly here
- User adds Dockerhub to the OCI based Helm Repository
- Rancher gets ratelimited.
- User knows that Dockerhub allows 50 requests in 24 hours of time window.
- Rancher doesn't know this information about 50 requests in 24 hours.
- But the user knows it through dockerhub documentation
- User can enter ExponentailBackOff values as MinWait: 86400 seconds (24 hours), MaxWait : 90000 seconds, MaxRetry: 1
- Since the user has entered the values, Rancher when its gets throttled or ratelimited will wait for 24 hours before making a new request. This new request will pass since Dockerhub will renew the 50 requests since 24 hours have been passed.
- Now, for 24 hours, the repository will not be in Active state. Only, when the Rancher completes 24 hour waiting and makes a call to get information, it will change to active state.
Let me know at which point it is unclear.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Updating and adding to next commit
I replied to all your queries in the respective comments. Let me know if you have any more doubts. |
…151-add-documentation-for-oci-feature-in-apps-and-marketplace-section
1. Click **☰ > Cluster Management**. | ||
2. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. | ||
3. In the left navigation bar, select **Apps > Repositories**. | ||
4. Click **Create**. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a screenshot here, similar to this one in the extension doc in step 3.3?
|
||
:::note | ||
|
||
You can use the **OCI URL** field to finetune how many charts from the registry are availabe for installation on Rancher. More generic endpoints target more charts, as the following examples demonstrate: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to add this section? AFAIK, this is standard for every oci registry, not something specific to Rancher.
@rohitsakala keep me honest here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes this is standard but I thought users can look here into Rancher documentation at one place while they are adding the OCI based helm repository
7. Set up authentication. Select **Basicauth** from the authentication field and enter a username and password as required. Otherwise, create or select an **Authentication** secret. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for a full description. | ||
8. (optional) Enter a base64 encoded DER certificate in the **CA Cert Bundle** field. This field is for cases where you have a private OCI-based Helm chart repository and need Rancher to trust its certificates. | ||
9. (optional) To allow insecure connections without performing an SSL check, select **Skip TLS Verification**. To force Rancher to use HTTP instead of HTTPS to send requests to the repsoitory, select **Insecure Plain Http**. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for more details. | ||
10. (optional) If you know that your repository may respond with status code `429 Too Many Requests` (for example, if your repository is on DockerHub), fill out the fields under **Exponential Back Off**: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
10. (optional) If you know that your repository may respond with status code `429 Too Many Requests` (for example, if your repository is on DockerHub), fill out the fields under **Exponential Back Off**: | |
10. (optional) If your repository has a rate-limiting policy and may respond with status code `429 Too Many Requests` (for example, if your repository is on DockerHub), you may want to fill out the fields under **Exponential Back Off**: |
8. (optional) Enter a base64 encoded DER certificate in the **CA Cert Bundle** field. This field is for cases where you have a private OCI-based Helm chart repository and need Rancher to trust its certificates. | ||
9. (optional) To allow insecure connections without performing an SSL check, select **Skip TLS Verification**. To force Rancher to use HTTP instead of HTTPS to send requests to the repsoitory, select **Insecure Plain Http**. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for more details. | ||
10. (optional) If you know that your repository may respond with status code `429 Too Many Requests` (for example, if your repository is on DockerHub), fill out the fields under **Exponential Back Off**: | ||
1. **Min Wait**: The default is 1 second. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. **Min Wait**: The default is 1 second. | |
1. **Min Wait**: The minimum duration in seconds that Rancher should wait before retrying. The default is 1 second. |
9. (optional) To allow insecure connections without performing an SSL check, select **Skip TLS Verification**. To force Rancher to use HTTP instead of HTTPS to send requests to the repsoitory, select **Insecure Plain Http**. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for more details. | ||
10. (optional) If you know that your repository may respond with status code `429 Too Many Requests` (for example, if your repository is on DockerHub), fill out the fields under **Exponential Back Off**: | ||
1. **Min Wait**: The default is 1 second. | ||
1. **Max Wait**: The default is 1 second. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. **Max Wait**: The default is 1 second. | |
1. **Max Wait**: The maximum duration in seconds that Rancher should wait before retrying. The default is 5 second. |
The default value is 5 seconds
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename the file to oci-repositories.md
|
||
7. Set up authentication. Select **Basicauth** from the authentication field and enter a username and password as required. Otherwise, create or select an **Authentication** secret. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for a full description. | ||
8. (optional) Enter a base64 encoded DER certificate in the **CA Cert Bundle** field. This field is for cases where you have a private OCI-based Helm chart repository and need Rancher to trust its certificates. | ||
9. (optional) To allow insecure connections without performing an SSL check, select **Skip TLS Verification**. To force Rancher to use HTTP instead of HTTPS to send requests to the repsoitory, select **Insecure Plain Http**. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for more details. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See Authentication for more details.
is not required here.
7. Set up authentication. Select **Basicauth** from the authentication field and enter a username and password as required. Otherwise, create or select an **Authentication** secret. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for a full description. | ||
8. (optional) Enter a base64 encoded DER certificate in the **CA Cert Bundle** field. This field is for cases where you have a private OCI-based Helm chart repository and need Rancher to trust its certificates. | ||
9. (optional) To allow insecure connections without performing an SSL check, select **Skip TLS Verification**. To force Rancher to use HTTP instead of HTTPS to send requests to the repsoitory, select **Insecure Plain Http**. See [Authentication](#authentication-for-oci-based-helm-chart-repositories) for more details. | ||
10. (optional) If you know that your repository may respond with status code `429 Too Many Requests` (for example, if your repository is on DockerHub), fill out the fields under **Exponential Back Off**: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove the example of Dockerhub. For dockerhub,adding exponentailBackoff values has no use since Rancher automatically waits for 6 hours that dockerhub sends as a header.
|
||
Rancher supports BasicAuth for OCI registries. You must create a [**BasicAuth** Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). You can also [create the secret through the Rancher UI](../kubernetes-resources-setup/secrets.md). | ||
|
||
Rancher 2.9.0 also adds the `spec.insecurePlainHttp` field, which forces Rancher to use HTTP instead of HTTPS to send requests. This works exactly the same as the `spec.insecurePlainHttp` field in [ORAS CLI](https://oras.land/docs/commands/use_oras_cli), since Rancher uses the ORAS library. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rancher 2.9.0 also adds the `spec.insecurePlainHttp` field, which forces Rancher to use HTTP instead of HTTPS to send requests. This works exactly the same as the `spec.insecurePlainHttp` field in [ORAS CLI](https://oras.land/docs/commands/use_oras_cli), since Rancher uses the ORAS library. |
|
||
Rancher 2.9.0 also adds the `spec.insecurePlainHttp` field, which forces Rancher to use HTTP instead of HTTPS to send requests. This works exactly the same as the `spec.insecurePlainHttp` field in [ORAS CLI](https://oras.land/docs/commands/use_oras_cli), since Rancher uses the ORAS library. | ||
|
||
The CRD that is linked to the OCI Helm registry is `ClusterRepo`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The CRD that is linked to the OCI Helm registry is `ClusterRepo`. | |
The CRD that is linked to the OCI based Helm repository is `ClusterRepo`. |
1. Click **Apps > Charts**. | ||
1. Select the OCI-based Helm chart repository from the dropdown. | ||
|
||
## Refresh an OCI-Based Helm Chart Registry |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
## Refresh an OCI-Based Helm Chart Registry | |
## Refresh an OCI-Based Helm Chart Repository |
Fixes #1151
Reminders
See the README for more details on how to work with the Rancher docs.
Verify if changes pertain to other versions of Rancher. If they do, finalize the edits on one version of the page, then apply the edits to the other versions.
If the pull request is dependent on an upcoming release, make sure to target the release branch instead of
main
.Description
From the issue:
Comments