Add source API spec proposal

2020-04-09 11:51:03 +03:00 · 2020-04-09 11:51:03 +03:00 · b4b85029fb
parent 96c7ad502c
commit b4b85029fb
4 changed files with 289 additions and 0 deletions
--- a/docs/spec/README.md
+++ b/docs/spec/README.md
@ -0,0 +1,52 @@
 # Source Controller Proposal
 ## Context
 The desired state of a cluster is made out of Kubernetes objects, these objects are expressed in `.yaml` format and 
 are applied on the cluster by operators running inside the cluster. An operator's role is to fetch the Kubernetes
 objects, run transformations on them and reconcile the cluster state with the resulting manifest.
 For an operator to acquire the resources that make up the desired state it needs to understand the communication 
 protocol and the authentication scheme, verify the authenticity of a source and deal with rate limits and retries.
 In the FluxCD organization there are currently two operators that perform such operations. Both Flux and 
 Helm Operator connect to Git repositories to fetch Kubernetes objects, they need to maintain an up-to-date mirror 
 of one or several repos. Besides Git, Helm Operator needs to connect to Helm repositories hosted on public or 
 private HTTPS servers.
 ## Motivation
 Each Flux or Helm Operator instance maintains its own Git repository mirror even if all of them
 point to the same source. If the Git repository host becomes unavailable, the cluster state will diverge from the last
 know desired state since the operators will stop the reconciliation due to pull errors. 
 Decoupling the Kubernetes objects acquisition from the reconciliation process with an in-cluster 
 source manager would make Flux and Helm Operator resilient to outbound connectivity issues and would
 simplify the state machine(s) that these controllers operate.
 Managing the source operations in a dedicated controller could allow Flux to compose the desire state of a cluster
 from multiple source.
 Further more the manifests transformation process could be performed by 3rd party tools
 (e.g. kustomize, jk, tanka, cue run by Tekton pipelines or Kubernetes Jobs)
 that would output the final state of the Kubernetes objects into an artifacts repository maintained by the source controller.
 ## Goals
 The main goal is to define a set of Kubernetes objects that cluster admins and various automated operators
 can interact with to offload the sources (e.g. Git and Helm repositories)
 registration, authentication and resource fetching to a dedicated controller.
 The controller implementation will watch for source objects in a cluster and act on them.
 The actions performed by the source controller could be:
 * validate source definitions
 * authenticate to sources and validate authenticity
 * detect source changes based on update policies (semver)
 * fetch resources on-demand and on-a-schedule
 * package the fetched resources into a well known format (tar.gz)
 * store the artifacts locally
 * make the artifacts addressable by their source identifier (sha, version, ts)
 * make the artifacts available in-cluster to interested 3rd parties
 * notify interested 3rd parties of source changes and availability (status conditions, events, hooks)
 ## API Specification
 * [v1alpha1](v1alpha1/README.md)
--- a/docs/spec/v1alpha1/README.md
+++ b/docs/spec/v1alpha1/README.md
@ -0,0 +1,10 @@
 # source.fluxcd.io/v1alpha1
 The is the v1alpha1 API specification for defining the desired state sources of Kubernetes clusters.
 Source kinds:
 * [GitRepository](gitrepositories.md)
 * [HelmRepository](helmrepositories.md)
 Implementations:
 * source-controller [v0.0.1-alpha.1](https://github.com/fluxcd/source-controller/releases)
--- a/docs/spec/v1alpha1/gitrepositories.md
+++ b/docs/spec/v1alpha1/gitrepositories.md
@ -0,0 +1,212 @@
 # Git Repositories
 The `GitReposiory` API defines a source for artifacts coming from Git. 
 ## Specification
 Git repository spec:
 ```go
 // GitRepositorySpec defines the desired state of GitRepository
 type GitRepositorySpec struct {
 	// +kubebuilder:validation:Pattern="^(http|https|ssh)://"
 	// The repository URL, can be a HTTP or SSH address.
 	Url string `json:"url"`
 	// The secret name containing the Git credentials
 	// +optional
 	SecretRef *v1.LocalObjectReference `json:"secretRef,omitempty"`
 	// The git reference to checkout and monitor for changes.
 	// +optional
 	Reference *GitRepositoryRef `json:"ref,omitempty"`
 	// The interval at which to check for repository updates.
 	Interval metav1.Duration `json:"interval"`
 }
 // GitRepositoryRef defines the git ref used for pull and checkout operations
 type GitRepositoryRef struct {
 	// The git branch to checkout, defaults to ('master').
 	// +optional
 	Branch string `json:"branch"`
 	// The git tag to checkout, takes precedence over branch.
 	// +optional
 	Tag string `json:"tag"`
 	// The git tag semver expression, takes precedence over tag.
 	// +optional
 	SemVer string `json:"semver"`
 }
 ```
 Git repository status:
 ```go
 // GitRepositoryStatus defines the observed state of GitRepository
 type GitRepositoryStatus struct {
 	// +optional
 	Conditions []RepositoryCondition `json:"conditions,omitempty"`
 	// LastUpdateTime is the timestamp corresponding to the last status
 	// change of this repository.
 	// +optional
 	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
 	// URI for the artifacts of the last successful repository sync.
 	// +optional
 	Artifacts string `json:"artifacts,omitempty"`
 }
 ```
 Git repository status conditions:
 ```go
 // RepositoryCondition contains condition information for a repository
 type RepositoryCondition struct {
 	// Type of the condition, currently ('Ready').
 	Type RepositoryConditionType `json:"type"`
 	// Status of the condition, one of ('True', 'False', 'Unknown').
 	Status corev1.ConditionStatus `json:"status"`
 	// LastTransitionTime is the timestamp corresponding to the last status
 	// change of this condition.
 	// +optional
 	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
 	// Reason is a brief machine readable explanation for the condition's last
 	// transition.
 	// +optional
 	Reason string `json:"reason,omitempty"`
 	// Message is a human readable description of the details of the last
 	// transition, complementing reason.
 	// +optional
 	Message string `json:"message,omitempty"`
 }
 // RepositoryConditionType represents an repository condition value
 type RepositoryConditionType string
 const (
 	// RepositoryConditionReady represents the fact that a given repository condition
 	// is in ready state.
 	RepositoryConditionReady RepositoryConditionType = "Ready"
 )
 ```
 ## Spec examples
 Public repository:
 ```yaml
 apiVersion: source.fluxcd.io/v1alpha1
 kind: GitRepository
 metadata:
  name: podinfo
  namespace: default
  annotations:
    # force sync trigger
    source.fluxcd.io/syncAt: "2020-04-06T15:39:52+03:00"
 spec:
  interval: 1m
  url: https://github.com/stefanprodan/podinfo
  ref:
    branch: master
    tag: "3.2.0"
    semver: ">= 3.2.0 <3.3.0"
 ```
 HTTPS authentication:
 ```yaml
 apiVersion: source.fluxcd.io/v1alpha1
 kind: GitRepository
 metadata:
  name: podinfo
  namespace: default
 spec:
  url: https://github.com/stefanprodan/podinfo
  secretRef:
    name: https-credentials
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: https-credentials
  namespace: default
 type: Opaque
 data:
  username: <BASE64> 
  password: <BASE64> 
 ```
 SSH authentication:
 ```yaml
 apiVersion: source.fluxcd.io/v1alpha1
 kind: GitRepository
 metadata:
  name: podinfo
  namespace: default
 spec:
  url: ssh://git@github.com:stefanprodan/podinfo
  secretRef:
    name: ssh-credentials
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: ssh-credentials
  namespace: default
 type: Opaque
 data:
  identity: <BASE64> 
  identity.pub: <BASE64> 
  know_hosts: <BASE64> 
 ```
 Example of generating the SSH credentials secret:
 ```bash
 ssh-keygen -q -N "" -f ./identity
 ssh-keyscan github.com > ./know_hosts
 kubectl create secret generic ssh-credentials \
    --from-file=./identity \
    --from-file=./identity.pub \
    --from-file=./know_hosts
 ```
 ## Status examples
 Successful sync:
 ```yaml
 status:
  artifacts: http://source-controller.source-system/repositories/podinfo-default/5e747d3e088cd7a34ace4abc8cf7f3c3696e402f.tar.gz
  conditions:
  - lastTransitionTime: "2020-04-07T06:59:23Z"
    message: 'Fetched artifacts are available at
      /data/repositories/podinfo-default/5e747d3e088cd7a34ace4abc8cf7f3c3696e402f.tar.gz'
    reason: GitCloneSucceed
    status: "True"
    type: Ready
  lastUpdateTime: "2020-04-07T06:59:23Z"
 ```
 Failed sync:
 ```yaml
 status:
  conditions:
  - lastTransitionTime: "2020-04-06T06:48:59Z"
    message: 'git clone error ssh: handshake failed: ssh: unable to authenticate,
      attempted methods [none publickey], no supported methods remain'
    reason: GitCloneFailed
    status: "False"
    type: Ready
 ```
--- a/docs/spec/v1alpha1/helmrepositories.md
+++ b/docs/spec/v1alpha1/helmrepositories.md
@ -0,0 +1,15 @@
 # Helm Repositories
 The `HelmReposiory` and `HelmChart` API defines a source for artifacts coming from Helm repositories.
 ## Specification
 TODO
 ## Spec examples
 TODO
 ## Status examples
 TODO