-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1d550af
commit 98efb0e
Showing
1 changed file
with
65 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| # Tape is for packaging applications | ||
|
|
||
| Tape is a tool that allows software authors to package their entire applications as self-contained (taped) OCI images | ||
| that can be deployed to a Kubernetes cluster. A taped OCI image contains all application components and configuration | ||
| required to run them. | ||
|
|
||
| ## Why Tape might be useful? | ||
|
|
||
| It addresses complexity of managing and deploying Kubernetes configuration by using OCI for distribution. | ||
|
|
||
| ## How does Tape work? | ||
|
|
||
| Tape can parse a direcotry with Kubernetes configuration and find all cannonical references to application images. | ||
| If an image reference contains a digest, Tape will use it, otherwise it resolves it by making a registry API call. | ||
| For each of the images, Tape searches of all well-known related tags, such as external signatures, attestations and | ||
| SBOMs. Tape will make a copy of every application image and any tags related to it to a registry the user has specified. | ||
| Once images are copied, it updates manifests with new references and bundles the result in an OCI artefact pushed to | ||
| the same repo in the registry. | ||
|
|
||
| Copying of all application images and referencing by digest is performed in order to ensure the application and its | ||
| configuration are tightly coupled together in ordet to provide a single link in the supply chain as well as a single | ||
| point of distribution and access control for the whole application. | ||
|
|
||
| Tape also checks VCS provinence of manifests, so if any manifest files are checked in Git, Tape will attest to what | ||
| Git repository each file came from, all of revision metadata and whether it's been modified or not. | ||
| Additionally, Tape attests to all key steps that it performs, e.g. original images references it detects and manifest | ||
| checksums. It stores the attestations using using in-toto format in an OCI artefact. | ||
|
|
||
| ## Usage | ||
|
|
||
| Tape has following commands: | ||
|
|
||
| - `tape images` - examine a given set of manifests before packaging them | ||
| - `tape package`- package the application and push resulting self-contained image to a registry | ||
|
|
||
| ## Roadmap & FAQ | ||
|
|
||
| ### What configuration formats does Tape support, does it support any kind of templating? | ||
|
|
||
| Presently, it supports plain JSON and YAML manifest. In the future the goal is to accomondate for a varity of popular | ||
| options that can accommondate for tempalating, e.g. CUE, Helm and scripting languages, so that environment-specific | ||
| paramenters can be specified at runtime. It may also support build-time parameters as well as basic runtime overrides, | ||
| e.g. for namespaces and labels. | ||
|
|
||
| ### What kind of applications can Tape package? | ||
|
|
||
| Tape doesn't infer an opinion to how the application is sturcured, namely what it consist or does't consist of. It doesn't | ||
| presnet any application defintion format, it operates on plain Kubernetes manifests found in a directory. | ||
|
|
||
| ### Does Tape provide SBOMs? | ||
|
|
||
| It doesn't create new SBOMs at the moment, but it may cater for this use-case in the future. | ||
|
|
||
|
|
||
| ## Acknowledgements & Prior Art | ||
|
|
||
| What Tape does is very much in the spirit of Docker images, but it extends the idea by shifting the perspecive to configuration | ||
| as an entrypoint to a map of dependencies. | ||
|
|
||
| It's not a novelty to package configuration in OCI, there exist many examples of this practice, however it's not been widely | ||
| standartise. Tape's abition is to comoditise the model and abstract configuration tooling, so that end-users don't need to | ||
| think wheather a particular app needs to be deployed with Helm, Kustomize or something else. | ||
|
|
||
| Tape was directly inspired by `flux push artefact`. Incidentally, it also resambles some of aspects of CNAB, but it is much | ||
| smaller in scope. |