Single layer OCI Artifact ADR

[frewilhelm]

Closes #90

[Skarlso]

which was unfortunately rejected.

Technically, it wasn't rejected. The timeline was a lot longer than we would have liked. But it wasn't rejected. :)

[frewilhelm]

Fair point. I'll adjust this

[frewilhelm]

However, I thought the idea of a generic artifact-source was rejected, since this would mean new security audits for customers etc.pp

[fabianburth]

determine whether a new reconcilation is necessary?

[frewilhelm]

Wouldn't a "normal" digest field be enough? I don't understand the prefix LastReconciled....

[Skarlso]

If digest is different than LastReconciledDigest it means that there was an error in between. Digest not always == LastReconciledDigest. LastReconciledDigest marks the last SUCCESSFULLY reconciled digest.

[frewilhelm]

i see, thank you!

[frewilhelm]

however, this field is part of the status. I would only expect successfully reconciled digests in the status. Honestly, I don't think this field is worth a discussion. We should store the digest in the status. The fieldname is irrelevant

[jakobmoellerdev]

Good job here on the proposal overall. Im mostly concerned that some of the options seem to be presented with points I couldnt follow up on. Nevertheless Im assuming that taking over the snapshot implementation (with heavy adjustments) is an acceptable solution

[jakobmoellerdev]

Why do we need to store an OCM identity?

[frewilhelm]

As far as I understood it, the identity is used to create the OCI repository (==name) for the resource. Then, e.g. IsCached() is used to check if an OCI repository (with manifest) is already created or not (see code). However, I think that IsCached() only checks if the OCI repository exists using the identity. It does not validate if it is still the same. For that, we must compare the digest (which would mean that we have to download the resource again to calculate and compare the digest). I am not so happy about this^^.

@Skarlso did I get that right?

[frewilhelm]

wait a second.. this does not explain why it is stored in the SnapshotSpec. Will take a look again

[frewilhelm]

In most cases the identity is used to generate the OCI repository name (again). However, there are some other cases, e.g.:

• Get the ComponentResourceVersion and ComponentVersion from the snapshot (the functions have 0 calls)
• The Mutation reconciler needs the identity. Speculation - I guess to get the snapshot object by identity for mutations (=localization/configuration)
• The FluxDeployer uses the identity to check the HelmChartVersion

I will take a look while implementing the snapshot for v2 and try to omit it if possible

[jakobmoellerdev]

Even though I have some trouble with the argumentation in places this Design looks mostly good formally. The decision here can be accepted.

[jakobmoellerdev]

Suggested change

	Arguments (meeting notes from 26.11.2024):
	Arguments:

[jakobmoellerdev]

This is only true for the development responsibility. One can argue that running an OCI registry in production is tricky too.

[jakobmoellerdev]

Why is this field necessary (maybe similar discussion as above on LastReconciledDigest?)

[jakobmoellerdev]

This transformation was the main reason the new controller architecture was developed in the first place. IMO you will need to further explain how a user is now expected to interact with the Artifact.

[jakobmoellerdev]

For example, I am now wondering how the e2e flow will look like. Having the OCIRepository indirection in there, how do we get users to look into the right CRs for debugging? How would a deployment look like (roughly)?

[jakobmoellerdev]

This is not a real con because we have to change code anyways. IMO this should be the goto if the only disadvantage here is that we have to develop something, after all thats why we are here. Im looking for Design Cons here, not Effort Cons.

[jakobmoellerdev]

I think the true Con here is that it offers no benefit over the existing implementation

[jakobmoellerdev]

Image size on a registry that is optionally deployed and used for development is not a real concern imo

[ikhandamirov]

is not a real concern

Sure. That is why the decision is still for zot. I'd keep the point in the document, because that is a fact. But in case you insist, I can also remove it.

[jakobmoellerdev]

Image size has nothing to do with zot or not. A fact that is irrelevant for a decision does not need to be tracked.

Its like saying "zot offers docker compatibility, but only with a flag", sure its a fact, but its not relevant to the decision.

[ikhandamirov]

Your judgement about the relevance of certain pieces of information is based on assumptions, which are only known to you. Would be good, if you could share, what you think the decision criteria are, for choosing between zot and registry:2. Btw., in different talks with team members both the size and the compatibility flag were mentioned at least as potentially relevant.

[jakobmoellerdev]

This is not true, most people will look at integrating a registry of their choice (e.g. from a cloud provider) into their workflows instead of maintaining their own if given the choice.

[ikhandamirov]

:) Please see this comment by @jakobmoellerdev :
#92 (comment)

[jakobmoellerdev]

Considering that most people need to operate a registry than and the majority would not have experience maintaining a production grade stable oci registry as a service, my assumption would be that this should not be the default and not advertised until we feel confident.

This is exactly the same point. If you tell people they need an OCI registry, they will look at a service and integrate that instead of maintaining their own...

[jakobmoellerdev]

For me, this is not about people not being able to run their own registry. Its the fact that they can just integrate any external registry of their choice.

[ikhandamirov]

Are we talking past each other? The question in the document is, if we want to force the users to bring their own registry. Your initial argument (I btw. agree with) is that this is not convenient for most people, and we should offer a default registry. Now you are saying that most people wouldn't need a default, but "will look at integrating a registry of their choice".

[fabianburth]

How do they provide GC? AFAIK, the OCI GC is only for dangling blobs which would only be relevant for failed operations, right?

[fabianburth]

Suggested change

	- We will need an abstraction that handles OCI registries anyway
	- We will need an abstraction that handles OCI registries anyway to convert resources into a flux consumable format (= single layer oci artifact)

[fabianburth]

I don't think that statement alone can be used as an argument. What are the implications of not having the entity represented?

[fabianburth]

Shouldn't the loss of the extensibility of the the architecture provided by a common interface (artifact / snapshot) be listed as a con? I mean, we essentially tried to convince flux create separate cr's deliberately to allow this extensibility.

[fabianburth]

Well, this is not really true. Conceptually, you also only require a transformer (just as in option 2). The actual difference is that in option 2, your transformer does not have to do that much anymore, because your resource is already available in a flux compatible format (as a single layer oci artifact). So, your transformer is only on kubernetes cr level.
The actual con is that we'd have to maintain the storage server (copied from flux) AND additionally, the oci implementation from option 2, because that's what the transformer would have to do, still.

[fabianburth]

twice the same point?

[fabianburth]

The registry is supposed to store deployment descriptions (helm/kustomize/k8s manifests) and related files (for localization and configuration), so docker images should not really be an issue, right?
Or do we also plan that the users can use the registry to store the images for this environment (e.g. in combination with the replication controller)?

[ikhandamirov]

No such plans at the moment. So, not an issue. Just taking a note of a potential limitation for the future.