MZOCI - Make Zarf OCI (Take #2) #1423

Merged
merged 77 commits into from
Mar 15, 2023

@Noxsios Noxsios commented Mar 8, 2023

Description

maybe this time I won't blow up the whole branch... maybe...

Related Issue

Relates to #1298

Fixes #1319
Fixes #1326
Fixes #1324
Fixes #1322
Fixes #1325

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

netlify bot commented Mar 8, 2023

Deploy Preview for zarf-docs canceled.

Name Link
🔨 Latest commit 0e251ac
🔍 Latest deploy log https://app.netlify.com/sites/zarf-docs/deploys/64110b757dc54e00082cbb4e

@Racer159 Racer159 left a comment

Ported leftover changes from #1402

YrrepNoj and others added 28 commits March 7, 2023 21:38
Merging into a feature branch for OCI package stuffs
Upon a successful unarchive, delete the `tar.zst` that is no longer
needed when using `zarf tools archiver decompress <package> <dest>
--decompress-all`.
...

Before behavior:
```
ocipkg/
├── components
│   ├── keyval
│   │   └── manifests
│   │       └── k3s
│   │           ├── hornstash-deploy.yaml
│   │           └── zarf-service.yaml
│   └── keyval.tar.zst
├── images.tar
├── sboms
│   ├── compare.html
│   ├── registry.gitlab.com_buzzdeploy_apps_horn-stash_main-amd64.json
│   └── sbom-viewer-registry.gitlab.com_buzzdeploy_apps_horn-stash_main-amd64.html
├── zarf-1135963779
└── zarf.yaml

```

After:
```
ocipkg/
├── components
│   └── keyval
│       └── manifests
│           └── k3s
│               ├── hornstash-deploy.yaml
│               └── zarf-service.yaml
├── images.tar
├── sboms
│   ├── compare.html
│   ├── registry.gitlab.com_buzzdeploy_apps_horn-stash_main-amd64.json
│   └── sbom-viewer-registry.gitlab.com_buzzdeploy_apps_horn-stash_main-amd64.html
├── zarf-1135963779
└── zarf.yaml
```

Fixes #

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
## Description

### 💲 `zarf package publish`

This PR adds a new `zarf package publish` command.

This command will publish a fully built (via `zarf package create`) Zarf
package to an OCI compliant registry using the oras library.

The command's usage is based off of how Helm's `helm push` command
operates and has many of the same restrictions.

<https://v3.helm.sh/docs/topics/registries/#the-push-subcommand>

```
$ zarf package publish [PATH_TO_TAR] [REGISTRY_URL]

$ zarf package publish zarf-package-strimzi.tar oci://localhost:666/defenseunicorns
```

#### CLI Syntax restrictions:

- The OCI URL _must_ start with `oci://`
- A basename/version _cannot_ be provided, as it is derived from
information present in the built `zarf.yaml` where it _must_ be set.

- The command may return an error, permission denied, if the repository
does not exist, i.e. `defenseunicorns/strimzi` as an example on Docker
Hub.
- A `zarf tools registry login` must be done prior as this will inherit
the credentials from docker's cred system (located by default at
`~/.docker`), or users can create a Docker compatible `config.json` and
point its directory:

```sh
# example symlinking podman
$ mkdir ~/.docker/
$ ln -s $XDG_RUNTIME_DIR/containers/auth.json ~/.docker/config.json

$ zarf package publish <...>
```

### 💲 `zarf package deploy oci://`

This PR also adds a new `deploy oci://` feature.

This command uses the existing `deploy` system, but does some slightly
different behavior from `sget://`. oras is used to pull the package
layer by layer to the temp directory. There is no need to unarchive, as
the package is already in an uncompressed state. The temp path is then
used by the packager to deploy the package as though it is a local
package. Usage is denoted in the following example:

```
$ zarf package deploy oci://REGISTRY/NAMESPACE/NAME:VERSION

$ zarf package deploy oci://docker.io/defenseunicorns/strimzi:v0.24.0-arm64

$ zarf package deploy oci://localhost:666/strimzi:v0.24.0-arm64 --insecure
```

### 💲 `zarf package inspect oci://`

This PR also adds a new `inspect oci://` feature.

```
$ zarf package inspect oci://docker.io/defenseunicorns/strimzi

tags:
- v0.23.5-14-arm64
latest:
  tag: v0.23.5-14-arm64
  descriptor:
    mediaType: application/vnd.oci.image.manifest.v1+json
    digest: sha256:340f489a105e476f846203e6844b2738f2924fc608522711761a21b176d6b67f
    size: 41817
```

## Related Issue

Relates to #1298 

Fixes #381
Fixes #823

Blocked by #1331 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
**Work Remaining:**
- [x] Find a good way to test backwards compatibility
- backwards compatibility for this feature is implicitly tested within
`27_cosign_deploy_test.go` as that is deploying an older zarf package
that still has the images in an `images.tar` tarball when deploying the
`zarf-hello-world` games package.
- [x] Look into improving the progress bar spinner when pulling the
images when building a package
- [x] Clean up some places where I got lazy with error handling
(dogsledding errors from functions)
@Noxsios Noxsios added this to the v0.25.x milestone Mar 14, 2023
@Racer159 Racer159 self-requested a review March 14, 2023 21:51

@Racer159 Racer159 left a comment

A few changes, one simple, and a few that could be split into future issues.

@YrrepNoj YrrepNoj requested a review from a team as a code owner March 15, 2023 00:04

@Racer159 Racer159 left a comment

lgtm, passed local tests

@Racer159 Racer159 merged commit 18e2498 into main Mar 15, 2023
@Racer159 Racer159 deleted the features/oci-package branch March 15, 2023 00:55
func addImageNameAnnotation(ociPath string, digestToTag map[string]string) error {
indexPath := filepath.Join(ociPath, "index.json")

// Add an 'org.opencontainers.image.base.name' annotation so we can figure out what the image tag/digest shasum will be during deploy time

@bburky bburky Mar 15, 2023

The intended purpose of org.opencontainers.image.base.name is a base image, like a Dockerfile FROM. This is sort of a misuse of this annotation. The digest here is the same image the base. See the Pre-Defined Annotation Keys in the image spec.

I think org.opencontainers.image.ref.name is more appropriate. The image layout specification says it's usually only a tag (not a full image name), but also says there is "no semantic restriction". This annotation is usually used in the image layout index.json.
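
An added example (not code from this PR or from Zarf) of the consumer side of the annotation discussed above: it reads an OCI image layout `index.json` and maps each manifest digest to an image name, preferring `org.opencontainers.image.ref.name` and falling back to `org.opencontainers.image.base.name`. The function name `refsByDigest`, the fallback order and the sample index with its placeholder digests are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	refNameKey  = "org.opencontainers.image.ref.name"  // key suggested in the review
	baseNameKey = "org.opencontainers.image.base.name" // key used by the code under review
)

// ociIndex holds only the index.json fields this example reads.
type ociIndex struct {
	Manifests []struct {
		Digest      string            `json:"digest"`
		Annotations map[string]string `json:"annotations"`
	} `json:"manifests"`
}

// sampleIndex is a constructed index.json (placeholder digests and names).
const sampleIndex = `{"schemaVersion": 2, "manifests": [
  {"digest": "sha256:aaaa", "annotations": {"org.opencontainers.image.ref.name": "registry.example/app:1.0"}},
  {"digest": "sha256:bbbb", "annotations": {"org.opencontainers.image.base.name": "registry.example/db:2.3"}},
  {"digest": "sha256:cccc"}]}`

// refsByDigest maps each manifest digest to its image name (ref.name first,
// then base.name) and lists digests that carry neither annotation.
func refsByDigest(indexJSON []byte) (refs map[string]string, unnamed []string, err error) {
	var idx ociIndex
	if err = json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, nil, fmt.Errorf("parse index.json: %w", err)
	}
	refs = make(map[string]string)
	for _, m := range idx.Manifests {
		if name := m.Annotations[refNameKey]; name != "" {
			refs[m.Digest] = name
		} else if name := m.Annotations[baseNameKey]; name != "" {
			refs[m.Digest] = name
		} else {
			unnamed = append(unnamed, m.Digest)
		}
	}
	return refs, unnamed, nil
}

func main() {
	fmt.Println(refsByDigest([]byte(sampleIndex)))
}
```

Returning the unnamed digests separately lets a deploy step fail on an image whose name cannot be recovered from the layout instead of pushing it under a guessed reference.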

Contributor

@YrrepNoj FYI
