Implement automatic distribution updates from OCI artifacts #33
Conversation
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
stefanprodan
added
enhancement
stefanprodan
force-pushed
the
distro-artifact
branch
2 times, most recently
from
33373a5
to
09e1350
Compare
| curl -sLO https://github.com/controlplaneio-fluxcd/distribution/archive/refs/heads/main.tar.gz | ||
| tar xzf main.tar.gz -C "${DEST_DIR}" | ||
|
|
||
| mkdir -p "${IMG_DIR}" |
There was a problem hiding this comment.
maybe should add a check here?
There was a problem hiding this comment.
-p will not create the dir if it exists.
| // e.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'. | ||
| // +kubebuilder:validation:Pattern="^oci://.*$" | ||
| // +optional | ||
| Artifact string `json:"artifact,omitempty"` |
There was a problem hiding this comment.
can we name it maybe artifactURL?
There was a problem hiding this comment.
I did consider this but given that we use registry and not registryURL, for consistency I chose to not have the URL suffix.
stefanprodan
force-pushed
the
distro-artifact
branch
2 times, most recently
from
e134caf
to
a2fd0f2
Compare
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
stefanprodan
force-pushed
the
distro-artifact
branch
from
a2fd0f2
to
98ba38b
Compare
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
| ctxPull, cancel := context.WithTimeout(context.Background(), 30*time.Second) | ||
| defer cancel() | ||
|
|
||
| artifactDigest, err := builder.PullArtifact(ctxPull, artifactURL, tmpDir) |
There was a problem hiding this comment.
If I got it correctly, at every reconciliation we fetch the manifests and don't store it locally. What do you think about storing the artifact and its manifest digest, at each reconciliation, we would first fetch the manifest and compare the digest with local version before attempting to fetch the blob?
There was a problem hiding this comment.
Yes we could have a similar storage & auth implementation as SC in a followup PR. I'm also considering using the layer caching I implemented in Timoni which is more close to how OverlayFS works in OCI registries.
This PR adds a new optional filed named
.spec.distribution.artifactto the FluxInstance API. When specified, the operator will pull the artifact from the registry on a regular interval to determine the latest Flux version available including CVE patches and hotfixes.Using this feature, CNCF Flux users can keep Flux up-to-date without having to update the operator every time there is a new Flux version available.
For enterprise customers, this feature allows for automated updates of CVE patches to fixed versions and semver ranges without having to update the operator.