[EP] Remote Artifacts

[otaviof]

Enhancement proposal describing the concept of Remote Artifacts, and how this new concept will be expressed in Build operator. Related to #97.

[HeavyWombat]

I like the idea, especially for maybe large external assets you do not want or cannot have in a Git repository.

[SaschaSchwarze0]

Should we maybe consider extending the source section instead ?

apiVersion: build.dev/v1alpha1
kind: Build
metadata:
  name: nexus-jar
spec:
  sources
    # A source of type=git must only exist once or be absent
    - type: git
      url: [email protected]:SCHWARZS/test-project.git
      revision: sascha-test
      credentials:
        name: ibm-github
    # A source of type=http can exist multiple times
    - type: http
      url: https://nexus.company.com/app/main.jar
      path: classpath/main.jar # Not sure if I would allow values that do not start with ${workspace} here but instead always have that as prefix
    # Credentials support for whatever we want, start with basic auth only, client-cert maybe in the future, we will need to determine it based on how the secret looks
    - type: http
      url: https://restricted.server.com/lib.jar
      credentials:
        name: restricted-server
      path: classpath/lib.jar
    # A source of type=http can have an optional extract flag set to true which means that path is interpreted as a directory instead of a file and the file content is extracted (TBD: can we autodetect the file type or do we need to make extract an enum or add another compressiontype parameter?)
    - type: http
      url: https://www.myserver.com/sources.zip
      extract: true
      path: sources

This would be an extensible mechanism. In the future we might support other types (loading from maybe some configmap where the cli placed the local sources).

[qu1queee]

we can introduce glue-code to autodetect the type based on the url, keeping the whole spec.source as simple as it is now.

[SaschaSchwarze0]

I think that would be hard. An HTTPS URL can be a public Git repository (especially as we do not require the .git suffix at the moment), a SubVersion repository, a plain file and probably more.

[otaviof]

I think given the distinction for types of data, one being VCS and the other remote artifacts, I think they should be described in different logical blocks. So, we also have a clear separation between those two concerts.

[SaschaSchwarze0]

@otaviof a VCS resource is also remote. There is "just" a different protocol to download them.

[adambkaplan]

This would be an extensible mechanism. In the future we might support other types (loading from maybe some configmap where the cli placed the local sources).

ConfigMap is certainly a valid use case, though with a cli upload I see PersistentVolume/PVC being a more likely result.

Another thing we should clarify is that "sources" are things that are intended to be present in the resulting image. There is a separate use case for "volume" support (like caches), in which case the data present in the volume is not included in the resulting container image.

[adambkaplan]

...
spec:
  sources
    # A source of type=git must only exist once or be absent
    - type: git
      url: [email protected]:SCHWARZS/test-project.git
      revision: sascha-test
      credentials:
        name: ibm-github

Wouldn't we want to employ the discriminator pattern?

spec:
  sources:
  - name: git
    type: Git
    git:
      url: ...
...

(note that type: Git may not be required, apimachinery can fill it in).

[qu1queee]

Same line of thought, I see a VCS as yet another remote artifact. I´m not able to understand the distinction.

[otaviof]

Please consider latest commit, I'm adding a initial .spec.sources support with your inputs.

[qu1queee]

@otaviof thanks, I took a look.

http: settings for http, namely path (optional);

Is the new field from above required? we already have something call contextDir, can this serve the same purpose?

@adambkaplan @SaschaSchwarze0 @otaviof I have some concerns around spec.sources. First of all I think introducing a type is a nice way to distinguish the different assets(remote files, git,etc). I´m struggling to understand the value of moving from of a map(spec.source) into a list(spec.sources). My rational is:

• This proposal does not explains the use cases on why a list is needed
• This will break the current API
• spec.source is for me one of the structs that is very simple to understand, and I would like to keep it this way. Adding support for a list of sources is going to add complexity on that API level.
• supporting spec.sources will introduce some code complexity when generating the Taskrun. It would be good to highlight those and decide if it worth the effort.

@sbose78 probably we want your feedback also. Also, do we have some good references on how Build v1 did it(shouldnt bias us)?, but it will help to understand the rational there.

[qu1queee]

checking soon..(just in case someone was wondering)

[qu1queee]

Added some comments, I think I have doubts on:

• concepts you define here. Mainly referring to "remote artifacts support", because we already do this( git repos)
• Seems is not clear how to implement this, either via a new ClusterBuildStrategy or an extension of spec.source, I will prefer the second one.
• The retrieval of the external artifact proposes a "wget" binary, I think we should propose a golang implementation of http get or reuse something from tekton
• Is not clear how would an "artifact" be able to run. There should be a dependency call "base image for the artifact support", this is not mentioned here.

I love the idea, this is a great future, but still a lot of details to properly define.

[qu1queee]

we can introduce glue-code to autodetect the type based on the url, keeping the whole spec.source as simple as it is now.

[qu1queee]

The "download" looks critical. We get this for free from tekton, Wouldn´t it make more sense to do this natively with "golang" or to see if Tekton have already something for us? e.g. they do not use a "git" binary for pulling, they have their own git pkg

[otaviof]

I understand what Tekton does for the VCS (source-code), but what would it do for remote artifacts? Could we use Tekton to download them as well?

[SaschaSchwarze0]

Ideally there would be a Tekton resource handling things like plain HTTP(S) download. But, I think there is not one.

[adambkaplan]

It does not appear such a resource type exists. If we accept this proposal, I recommend submitting a TEP to see if we can get upstream Tekton buy-in.

[qu1queee]

I was mainly referring to do a native implementation in go, I would like to avoid introducing extra binaries dependencies in the code. We might not need Tekton at all.

[qu1queee]

I think we all agree this is not enforcing the usage of wget and that another more native implementation(e.g. tekton way) might be reused. Can we mention this somewhere?

[zhangtbj]

Can we leverage the Tekton source to enable storage or something first?:
https://github.com/tektoncd/pipeline/blob/master/docs/resources.md#resource-types

I think wget is a little weak. How about the private resource (with auth) or ftp?

[gabemontero]

PipelineResources at this time are most likely not going to get out of alpha stage. There has been a fair amount of consternation and churn around how exactly how to move forward, though.

But minimally I would not advise a PipelineResource styled path.

That said, if I had to pick, I'd say "custom tasks" might be the most likely path along the "tekton resource" angle. Also, submitting something "similar" but different most likely would get the response of "look at custom tasks".

See https://github.com/tektoncd/community/blob/master/teps/0002-custom-tasks.md for details.

[gabemontero]

there is also a "specializing task" which has some literature around it but no TEP as of yet

[sbose78]

Yeah, a specific resource in upstream Tekton would be a hard sell at the moment given the direction PipelineResources is taking.

[adambkaplan]

In general, I like the idea of moving from one source to allowing multiple sources, where git and http (the remote artifact) are one of many types of sources.

However, in allowing this complexity we need to keep the simple cases simple. We can't require a significant amount of extra configuration for a user to create a simple build from source using kaniko, s2i, buildpacks, etc. Example - I would expect a build as follows to "just work":

apiVersion: build.dev/v1alpha1
kind: Build
metadata:
  name: simple
spec:
  sources:
    - name: src
      type: Git
      git:
        url: https://github.com/shipwright-io/build.git
...

[adambkaplan]

This would be an extensible mechanism. In the future we might support other types (loading from maybe some configmap where the cli placed the local sources).

ConfigMap is certainly a valid use case, though with a cli upload I see PersistentVolume/PVC being a more likely result.

Another thing we should clarify is that "sources" are things that are intended to be present in the resulting image. There is a separate use case for "volume" support (like caches), in which case the data present in the volume is not included in the resulting container image.

[adambkaplan]

It does not appear such a resource type exists. If we accept this proposal, I recommend submitting a TEP to see if we can get upstream Tekton buy-in.

[qu1queee]

@otaviof sorry for my late reply, I drop you some updates on my initial comments.

[zhangtbj]

In general, I like the idea of moving from one source to allowing multiple sources, where git and http (the remote artifact) are one of many types of sources.

However, in allowing this complexity we need to keep the simple cases simple. We can't require a significant amount of extra configuration for a user to create a simple build from source using kaniko, s2i, buildpacks, etc. Example - I would expect a build as follows to "just work":

apiVersion: build.dev/v1alpha1
kind: Build
metadata:
  name: simple
spec:
  sources:
    - name: src
      type: Git
      git:
        url: https://github.com/shipwright-io/build.git
...

I have two questions about the type of source.
Like this Git type, we already know it is a Git, do we still need:

      git:
        url: https://github.com/shipwright-io/build.git

to mention the git again? I think we can simplify to use url directly:

  sources:
    - name: src
      type: git
      url: https://github.com/shipwright-io/build.git

For http, I think it is similar:

  sources:
    - name: license-file
      type: http
      url: https://licenses.company.com/customer-id/license.tar
      http:
        path: $(workspace)/licenses/license.tar

It is already the http type, but still have another http for path, I think it is a little duplicate, it is better that show as:

  sources:
    - name: license-file
      type: http
      url: https://licenses.company.com/customer-id/license.tar
      path: $(workspace)/licenses/license.tar

[coreydaley]

I feel like name is superfluous here, what is the point of having it?

[adambkaplan]

This is so we can use the merge patch strategy. Otherwise kubectl apply will default to overwriting everything in the sources array.

https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch

[coreydaley]

What is path for here? Is this the local path that the file will be downloaded to? Why is it only available for the "http" type? Seems like path should be a top level element.

[otaviof]

I've amended to explain .path is a inner attribute, please consider latest changes.

[coreydaley]

Could we eliminate revision and just use standard git paths that reference a revision in the url?

[otaviof]

I'm rewording this to mention it stays as original.

[coreydaley]

Can you expand upon this fields usage?

[otaviof]

I'm moving the field to the new "Alternatives" section at the end.

[coreydaley]

I would prefer to see us use pure golang for the downloading instead of an external tool such as wget, i don't like having to rely on os provided tools.

[SaschaSchwarze0]

I like idea from Corey. We will eventually face a Build which has a longer list of sources. For all these sources beside the git source (which we will probably want to continue to handle using Tekton's Git resource), I envision one Task step implemented by ourselves using Golang. Within our code we can then do optimizations like parallel downloads for different sources and also can handle and report errors in a better way than by invoking an external command.

[otaviof]

I also like the idea of creating or own tool for that purpose. However, I see wget as a simple starting point, on which we could potentially develop our own tool in parallel.

So, how about get started with wget and evaluate the new tooling on its own track?

[qu1queee]

I raised the same concern on some comments ago, I do not see why we need to rely on a binary. #419 (comment)

[adambkaplan]

I think we can agree that we can implement the downloader, regardless of whether we build our own in go vs. "buy" it (by using a fixed container image with wget). IMO deciding which approach to take is beyond what is necessary to mark this EP as "implementable".

[sbose78]

In order to avoid completely breaking existing API usage with spec.source, do we want to support both spec.source and spec.sources for a couple of minor releases where the controller would look for spec.source and populate spec.sources. Eventually, we drop the git-specific spec.source altogether ?

[sbose78]

the operator needs to generate wget commands with arguments in order to download the

The buildrun controller needs to generate a TaskRun step that would generate the wget command to download the artifacts specified

[otaviof]

Thanks, that's a good addition. Please consider latest commit 01ace39.

[sbose78]

Could you use a more realistic example like a jar artifact in all examples, please?

[otaviof]

Same as in here.

[sbose78]

Could you use a more realistic example like a jar artifact in all examples, please?

[otaviof]

Same as in here.

[sbose78]

Could you use a more realistic example like a jar artifact in all examples, please?

[otaviof]

The initial text was using a Jar file, but it wind up in questions about the dependency management itself. So, moved that to a simpler thing, a license file.

[otaviof]

Please note a more Java like example is kept here.

[coreydaley]

I am wondering if sources really makes sense here. I think of source as a git repository or something to that affect. Maybe this should be something more along the lines of dependencies like you would list in a maven file?

[SaschaSchwarze0]

My vote is for inputs which would be a symmetric naming together with the output image that we already have in the Build.

[otaviof]

@SaschaSchwarze0 are you okay with sources and the path ahead to unify them later on?

[SaschaSchwarze0]

@SaschaSchwarze0 are you okay with sources and the path ahead to unify them later on?

I am okay with sources, yes. (But I doubt we would ever change this in the future. ;-) )

[qu1queee]

I´m concerned more than one person is not fully buying the spec.sources , what are the implications for this EP to move into spec.inputs rather than spec.sources, it will also keep the API clean for now. And in another EP we will deal with multiple gits, where we can tackle that modifications to spec.source.

[otaviof]

I'm okay to use .spec.inputs for this purpose. Do we have objections on .spec.inputs?

[qu1queee]

not from my side :)

[otaviof]

@sbose78, @adambkaplan, @gabemontero, @coreydaley would you object to use .spect.inputs instead?

[coreydaley]

I like the idea, especially for maybe large external assets you do not want or cannot have in a Git repository.

If additional large files is the case, wouldn't we support whatever system their source code uses to manage dependencies such as maven, bundler, go mod, etc?

As far as other types of large assets go, I think that they would be using something like a third party object store such as S3 for images, videos, and other binary downloads.

[qu1queee]

@otaviof does this requires to mention the support for both spec.source and spec.sources for a couple of minor releases? From my side I can merge this after that is documented, but I also see @sbose78 drop some request for changes, pls take a look.

[otaviof]

@otaviof does this requires to mention the support for both spec.source and spec.sources for a couple of minor releases? From my side I can merge this after that is documented, but I also see @sbose78 drop some request for changes, pls take a look.

I'm pushing changes mentioning .spec.source and .spec.sources side-by-side. And, I would like to bring this EP on today's community meeting, I would like to bring multiple Git repositories back to discussion. Thanks.

[SaschaSchwarze0]

A question around the BuildSource. Within the Build's spec.sources, it is used to from one source entry to reference an external definition. Based on that, may expectation would be that the external build source would only contain a single spec like this:

---
apiVersion: build.dev/v1alpha1
kind: BuildSource
metadata:
  name: license-file
spec:
  type: http
  url: https://licenses.company.com/customer-id/license.tar
  http:
    path: $(workspace)/licenses/license.tar

Should we have multiple entries with their own name in the BuildSource, then we'll have to define how this is merged with the other entries in the Build's sources.

[otaviof]

I think here we may benefit from a slice of entries. Given that we may be downloading a number of dependencies from a single external source, and we can bundle together in this slice fashion. It also keeps aligned with Build resource where it will be available as a array/slice as well.

[adambkaplan]

Volumes feature has been captured in #478.

[adambkaplan]

@otaviof a few requested changes from my latest pass at the draft.

We've had a lot of lengthy conversations on this EP. I'd like us to turn to the core decision - whether or not we agree the design as laid out in this proposal is implementable.

[adambkaplan]

This is so we can use the merge patch strategy. Otherwise kubectl apply will default to overwriting everything in the sources array.

https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch

[adambkaplan]

This should be placed in an "Alternatives" section at the bottom of the proposal. I believe we decided that we are not going to pursue this approach.

Leaving this in the main body confuses what is in the proposal vs. out. See the proposal template for guidance:

https://github.com/shipwright-io/build/blob/master/docs/proposals/guidelines/proposal-template.md

[otaviof]

Following the template, the standalone CRD alternative design was moved into a section at the end.

[adambkaplan]

I think we can agree that we can implement the downloader, regardless of whether we build our own in go vs. "buy" it (by using a fixed container image with wget). IMO deciding which approach to take is beyond what is necessary to mark this EP as "implementable".

[adambkaplan]

This references the original CRD style of declaring a downloaded resource, which IIRC we are not pursuing. Please update.

[otaviof]

Moved to the new "Alternatives" section, please consider.

[qu1queee]

@otaviof pls correct me if I´m wrong, but here the example is based on the assumption that we support a new BuildSource CRD. If we do not have the BuildSource CRD in place, then we will still need to have

• A Build instance to define the git source code
• Two BuildRuns, each one overriding the spec.sources for each logo type

is the above correct?

[otaviof]

Yes, correct @qu1queee. The example was made to illustrate both scenarios at once, but it might have been too much leaning towards the "Alternative" scenario.

[qu1queee]

ok, thanks

[qu1queee]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qu1queee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [qu1queee]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qu1queee]

I have no further comments on this EP; therefore approving, thanks @otaviof for addressing each of my questions