From 16d3180e42d20be8191f2c89bab43dbe654b0f83 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Mon, 22 Aug 2022 15:44:07 +0300 Subject: [PATCH 1/3] [RFC-0003] OCI select layer by media type Signed-off-by: Stefan Prodan --- rfcs/0003-kubernetes-oci/README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/rfcs/0003-kubernetes-oci/README.md b/rfcs/0003-kubernetes-oci/README.md index 16ef3887f7..b8321e6f71 100644 --- a/rfcs/0003-kubernetes-oci/README.md +++ b/rfcs/0003-kubernetes-oci/README.md @@ -4,7 +4,7 @@ **Creation date:** 2022-03-31 -**Last update:** 2022-08-11 +**Last update:** 2022-08-22 ## Summary @@ -134,6 +134,18 @@ spec: name: cosign-key ``` +### Layer selection + +By default, Flux assumes that the first layer of the OCI artifact contains the Kubernetes configuration. +For multi-layer artifacts created by other tools than Flux CLI, users can specify the media type of the layer +which contains the tarball with Kubernetes manifests. + +```yaml +spec: + layerSelector: + mediaType: "application/vnd.cncf.flux.content.v1.tar+gzip" +``` + ### Pull artifacts from private repositories For authentication purposes, Flux users can choose between supplying static credentials with Kubernetes secrets From db0920ba32d8e2777936d16f63aca231ef9548c1 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Mon, 22 Aug 2022 16:02:03 +0300 Subject: [PATCH 2/3] Clarify the layer selection behaviour Co-authored-by: Hidde Beydals Signed-off-by: Stefan Prodan --- rfcs/0003-kubernetes-oci/README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rfcs/0003-kubernetes-oci/README.md b/rfcs/0003-kubernetes-oci/README.md index b8321e6f71..a1cb08de29 100644 --- a/rfcs/0003-kubernetes-oci/README.md +++ b/rfcs/0003-kubernetes-oci/README.md 
@@ -137,15 +137,24 @@ spec: ### Layer selection By default, Flux assumes that the first layer of the OCI artifact contains the Kubernetes configuration. -For multi-layer artifacts created by other tools than Flux CLI, users can specify the media type of the layer +For multi-layer artifacts created by other tools than Flux CLI +(e.g. [oras](https://github.com/oras-project/oras), +[crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane)), +users can specify the [media type](https://github.com/opencontainers/image-spec/blob/v1.0.2/media-types.md) of the layer which contains the tarball with Kubernetes manifests. ```yaml spec: layerSelector: - mediaType: "application/vnd.cncf.flux.content.v1.tar+gzip" + mediaType: "application/deployment.content.v1.tar+gzip" ``` +If the layer selector matches more than one layer, +the first layer matching the specified media type will be used. +Note that Flux requires that the OCI layer is +[compressed](https://github.com/opencontainers/image-spec/blob/v1.0.2/layer.md#gzip-media-types) +in the `tar+gzip` format. + ### Pull artifacts from private repositories For authentication purposes, Flux users can choose between supplying static credentials with Kubernetes secrets From 463d241a911d9d3738384a8807e29134943545d6 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 23 Aug 2022 16:03:24 +0300 Subject: [PATCH 3/3] Update TODOs for RFC-0003 Signed-off-by: Stefan Prodan --- rfcs/0003-kubernetes-oci/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rfcs/0003-kubernetes-oci/README.md b/rfcs/0003-kubernetes-oci/README.md index a1cb08de29..7fcd940a2e 100644 --- a/rfcs/0003-kubernetes-oci/README.md +++ b/rfcs/0003-kubernetes-oci/README.md 
@@ -459,4 +459,5 @@ The feature is enabled by default. ### TODOs -* Add support for verifying the OCI artifacts with cosign +* [Add support for verifying the OCI artifacts with cosign](https://github.com/fluxcd/source-controller/issues/863) +* [Select layer by OCI media type](https://github.com/fluxcd/source-controller/pull/871)
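Review bot: The "Layer selection" section added in PATCH 1/3 does not say what happens when `layerSelector.mediaType` matches no layer in the artifact. It covers the default (first layer) and the selector, but not the miss. Suggest adding a sentence that states the outcome, preferably that reconciliation fails with an error rather than falling back to the first layer, so that a mistyped media type cannot result in an unintended layer being applied to the cluster.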
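Review bot: The example value in the PATCH 2/3 YAML block, `application/deployment.content.v1.tar+gzip`, is not identified as a user-defined media type, and with the earlier `application/vnd.cncf.flux.content.v1.tar+gzip` value removed the section no longer tells readers which media type applies to artifacts built with the Flux CLI. Suggest labelling the value as an example for artifacts built with oras or crane and stating the Flux CLI's own media type. In the added paragraph, "the first layer matching the specified media type" should say what "first" is relative to (presumably the order of layers in the manifest), and the `tar+gzip` requirement should say what happens when the selected layer is not gzip-compressed. Minor wording: "other tools than Flux CLI" reads better as "tools other than the Flux CLI".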
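Review bot: In the TODOs hunk of PATCH 3/3, the new "Select layer by OCI media type" item links to a pull request (`source-controller/pull/871`) while the cosign item links to an issue, and the "Layer selection" section added earlier in this series describes the selector in the present tense as if it were already available. Suggest either marking the section as pending until that pull request lands, or dropping the item from the TODOs once it is merged, so the RFC does not describe the same feature as both shipped and outstanding.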