github.com/SamarSidharth/kpt@v0.0.0-20231122062228-c7d747ae3ace/site/guides/porch-user-guide.md (about)

     1  # Porch User Guide
     2  
     3  This document is focused on using Porch via the `kpt` CLI.
     4  
     5  Installation of Porch, including prerequisites, is covered in a
     6  [dedicated document](guides/porch-installation.md).
     7  
     8  ## Prerequisites
     9  
    10  To use Porch, you will need:
    11  
    12  * [`kpt`](https://kpt.dev)
    13  * [`gcloud`](https://cloud.google.com/sdk/gcloud) (if running on GKE)
    14  * [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl)
    15  
    16  Make sure that your `kubectl` context is set up for `kubectl` to interact with the
    17  correct Kubernetes instance (see
    18  [installation instructions](guides/porch-installation.md) or
    19  the [running-locally](https://github.com/GoogleContainerTools/kpt/blob/main/porch/docs/running-locally.md) guide for details).
    20  
    21  To check whether `kubectl` is configured with your Porch cluster (or local instance), run:
    22  
    23  ```sh
    24  kubectl api-resources | grep porch
    25  ```
    26  
    27  You should see the following four resourceds listed:
    28  
    29  ```
    30  repositories                  config.porch.kpt.dev/v1alpha1          true         Repository
    31  packagerevisionresources      porch.kpt.dev/v1alpha1                 true         PackageRevisionResources
    32  packagerevisions              porch.kpt.dev/v1alpha1                 true         PackageRevision
    33  functions                     porch.kpt.dev/v1alpha1                 true         Function
    34  ```
    35  
    36  ## Porch Resources
    37  
    38  Porch server manages the following resources:
    39  
    40  1. `repositories`: a repository (Git or OCI) can be registered with Porch to support
    41     discovery or management of KRM configuration packages in those repositories,
    42     or discovery of KRM functions in those repositories.
    43  2. `packagerevisions`: a specific revision of a KRM configuration package
    44     managed by Porch in one of the registered repositories. This resource
    45     represents a _metadata view_ of the KRM configuration package.
    46  3. `packagerevisionresources`: this resource represents the contents of the
    47     configuration package (KRM resources contained in the package)
    48  4. `functions`: function resource represents a KRM function discovered in a repository
    49     registered with Porch. Functions are only supported with OCI repositories.
    50  
    51  Note that `packagerevisions` and `packagerevisionresources` represent different
    52  _views_ of the same underlying KRM configuration package. `packagerevisions`
    53  represents the package metadata, and `packagerevisionresources` represents the
    54  package content. The matching resources share the same `name` (as well as API
    55  group and version: `porch.kpt.dev/v1alpha1`) and differ in resource kind
    56  (`PackageRevision` and `PackageRevisionResources` respectively).
    57  
    58  ## Repository Registration
    59  
    60  To use Porch with a Git repository, you will need:
    61  
    62  * A Git repository for your blueprints.
    63  * A [Personal Access Token](https://github.com/settings/tokens) (when using
    64    GitHub repository) for Porch to authenticate with the repository. Porch requires
    65    the 'repo' scope.
    66  * Or Basic Auth credentials for Porch to authenticate with the repository.
    67  
    68  To use Porch with an OCI repository
    69  ([Artifact Registry](https://console.cloud.google.com/artifacts) or
    70  [Google Container Registry](https://cloud.google.com/container-registry)), first
    71  make sure to:
    72  * Enable [workload identity](guides/porch-installation.md#workload-identity) for Porch
    73  * Assign appropriate roles to the Porch workload identity service account
    74    (`iam.gke.io/gcp-service-account=porch-server@$(GCP_PROJECT_ID).iam.gserviceaccount.com`)
    75    to have appropriate level of access to your OCI repository.
    76  
    77  Use the `kpt alpha repo register` command to register your repository with Porch:
    78  
    79  ```sh
    80  # Register a Git repository:
    81  
    82  GITHUB_USERNAME=<your github username>
    83  GITHUB_TOKEN=<GitHub Personal Access Token>
    84  
    85  $ kpt alpha repo register \
    86    --namespace default \
    87    --repo-basic-username=${GITHUB_USERNAME} \
    88    --repo-basic-password=${GITHUB_TOKEN} \
    89    https://github.com/${GITHUB_USERNAME}/blueprints.git
    90  ```
    91  
    92  All command line flags supported:
    93  
    94  * `--directory` - Directory within the repository where to look for packages.
    95  * `--branch` - Branch in the repository where finalized packages are committed.
    96    (defaults to `main`)
    97  * `--name` - Name of the package repository Kubernetes resource. If unspecified,
    98    will default to the name portion (last segment) of the repository URL
    99    (`blueprint` in the example above)
   100  * `--description` - Brief description of the package repository.
   101  * `--deployment` - Boolean value; If specified, repository is a deployment
   102    repository; published packages in a deployment repository are considered
   103    deployment-ready.
   104  * `--repo-basic-username` - Username for repository authentication using basic auth.
   105  * `--repo-basic-password` - Password for repository authentication using basic auth.
   106  
   107  Additionally, common `kubectl` command line flags for controlling aspects of
   108  interaction with the Kubernetes apiserver, logging, and more (this is true for
   109  all `kpt` CLI commands which interact with Porch).
   110  
   111  Use the `kpt alpha repo get` command to query registered repositories:
   112  
   113  ```sh
   114  # Query registered repositories
   115  $ kpt alpha repo get
   116  
   117  NAME         TYPE  CONTENT  DEPLOYMENT  READY  ADDRESS
   118  blueprints   git   Package              True   https://github.com/platkrm/blueprints.git
   119  deployments  git   Package  true        True   https://github.com/platkrm/deployments.git
   120  ```
   121  
   122  The `kpt alpha <group> get` commands support common `kubectl`
   123  [flags](https://kubernetes.io/docs/reference/kubectl/cheatsheet/#formatting-output)
   124  to format output, for example `kpt alpha repo get --output=yaml`.
   125  
   126  The command `kpt alpha repo unregister` can be used to unregister a repository:
   127  
   128  ```sh
   129  # Unregister a repository
   130  $ kpt alpha repo unregister deployments --namespace default
   131  ```
   132  
   133  ## Package Discovery And Introspection
   134  
   135  The `kpt alpha rpkg` command group contains commands for interacting with
   136  packages managed by the Package Orchestration service. the `r` prefix used
   137  in the command group name stands for 'remote'.
   138  
   139  The `kpt alpha rpkg get` command list the packages in registered repositories:
   140  
   141  ```sh
   142  # List package revisions in registered repositories
   143  $ kpt alpha rpkg get
   144  
   145  NAME                                                 PACKAGE  WORKSPACENAME  REVISION  LATEST  LIFECYCLE  REPOSITORY
   146  blueprints-0349d71330b89ee48ac85167598ef23021fd0484  basens   main           main      false   Published  blueprints
   147  blueprints-2e47615fda05664491f72c58b8ab658683afa036  basens   v1             v1        true    Published  blueprints
   148  blueprints-7e2fe44bfdbb744d49bdaaaeac596200102c5f7c  istions  main           main      false   Published  blueprints
   149  blueprints-ac6e872be4a4a3476922deca58cca3183b16a5f7  istions  v1             v1        false   Published  blueprints
   150  blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3  istions  v2             v2        true    Published  blueprints
   151  ...
   152  ```
   153  
   154  The `LATEST` column indicates whether the package revision is the latest among
   155  the revisions of the same package. In the output above, `v2` is the latest
   156  revision of `istions` package and `v1` is the latest revision of `basens`
   157  package.
   158  
   159  The `LIFECYCLE` column indicates the lifecycle stage of the package revision,
   160  one of: `Published`, `Draft` or `Proposed`.
   161  
   162  The `REVISION` column indicates the revision of the package. Revisions are
   163  assigned when a package is `Published` and starts at `v1`.
   164  
   165  The `WORKSPACENAME` column indicates the workspace name of the package. The
   166  workspace name is assigned when a draft revision is created and is used as the
   167  branch name for proposed and draft package revisions. The workspace name must be
   168  must be unique among package revisions in the same package.
   169  
   170  *Note* on package revision names. Packages exist in a hierarchical directory
   171  structure maintained by the underlying repository such as git, or in a
   172  filesystem bundle of OCI images. The hierarchical, filesystem-compatible names
   173  of packages do not satisfy the Kubernetes naming
   174  [constraints](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
   175  Therefore, the names of the Kubernetes resources representing package revisions
   176  are computed as a hash.
   177  
   178  Simple filtering of package revisions by name (substring) and revision (exact
   179  match) is supported by the CLI using `--name` and `--revision` flags:
   180  
   181  ```sh
   182  # List package with `istio` in the package name, and `v2` revision
   183  $ kpt alpha rpkg get --name istio --revision=v2
   184  
   185  NAME                                                 PACKAGE  WORKSPACENAME  REVISION  LATEST  LIFECYCLE  REPOSITORY
   186  blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3  istions  v2             v2        true    Published  blueprints
   187  ```
   188  
   189  The common `kubectl` flags that control output format are available as well:
   190  
   191  ```sh
   192  # Get the package revision in YAML format
   193  $ kpt alpha rpkg get blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 -ndefault -oyaml
   194  
   195  apiVersion: porch.kpt.dev/v1alpha1
   196  kind: PackageRevision
   197  metadata:
   198    labels:
   199      kpt.dev/latest-revision: "true"
   200    name: blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3
   201    namespace: default
   202  spec:
   203    lifecycle: Published
   204    packageName: istions
   205    repository: blueprints
   206    revision: v2
   207    workspaceName: v2
   208  ...
   209  ```
   210  
   211  The `kpt alpha rpkg pull` command can be used to read the package resources.
   212  
   213  The command can be used to print the package revision resources as
   214  `ResourceList` to `stdout`, which enables
   215  [chaining](https://kpt.dev/book/04-using-functions/02-imperative-function-execution?id=chaining-functions-using-the-unix-pipe)
   216  evaluation of functions on the package revision pulled from the Package
   217  Orchestration server.
   218  
   219  ```sh
   220  # Pull package revision resources, output as ResourceList to stdout
   221  $ kpt alpha rpkg pull blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 -ndefault
   222  
   223  apiVersion: config.kubernetes.io/v1
   224  kind: ResourceList
   225  items:
   226  - apiVersion: kpt.dev/v1
   227    kind: Kptfile
   228    metadata:
   229      name: istions
   230  ...
   231  ```
   232  
   233  Or, the package contents can be saved on local disk for direct introspection
   234  or editing:
   235  
   236  ```sh
   237  # Pull package revision resources, save to local disk into `./istions` directory
   238  $ kpt alpha rpkg pull blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 ./istions -ndefault
   239  
   240  # Explore the package contents
   241  $ find istions
   242  
   243  istions
   244  istions/istions.yaml
   245  istions/README.md
   246  istions/Kptfile
   247  istions/package-context.yaml
   248  ...
   249  ```
   250  
   251  ## Authoring Packages
   252  
   253  Several commands in the `kpt alpha rpkg` group support package authoring:
   254  
   255  * `init` - Initializes a new package revision in the target repository.
   256  * `clone` - Creates a clone of a source package in the target repository.
   257  * `copy` - Creates a new package revision from an existing one.
   258  * `push` - Pushes package resources into a remote package.
   259  * `del` - Deletes one or more packages in registered repositories.
   260  
   261  
   262  The `kpt alpha rpkg init` command can be used to initialize a new package
   263  revision. Porch server will create and initialize a new package (as a draft)
   264  and save it in the specified repository.
   265  
   266  ```sh
   267  # Initialize a new (empty) package revision:
   268  $ kpt alpha rpkg init new-package --repository=deployments --workspace=v1 -ndefault
   269  
   270  deployments-c32b851b591b860efda29ba0e006725c8c1f7764 created
   271  
   272  # List the available package revisions.
   273  $ kpt alpha rpkg get
   274  
   275  NAME                                                  PACKAGE      WORKSPACENAME  REVISION  LATEST  LIFECYCLE  REPOSITORY
   276  deployments-c32b851b591b860efda29ba0e006725c8c1f7764  new-package  v1                       false   Draft      deployments
   277  ...
   278  ```
   279  
   280  The new package is created in the `Draft` lifecycle stage. This is true also for
   281  all commands that create new package revision (`init`, `clone` and `copy`).
   282  
   283  Additional flags supported by the `kpt alpha rpkg init` command are:
   284  
   285  * `--repository` - Repository in which the package will be created.
   286  * `--workspace` - Workspace of the new package.
   287  * `--description` -  Short description of the package.
   288  * `--keywords` - List of keywords for the package.
   289  * `--site` - Link to page with information about the package.
   290  
   291  
   292  Use `kpt alpha rpkg clone` command to create a _downstream_ package by cloning
   293  an _upstream_ package:
   294  
   295  ```sh
   296  # Clone an upstream package to create a downstream package
   297  $ kpt alpha rpkg clone blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 istions-clone \
   298    --repository=deployments -ndefault
   299  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 created
   300  
   301  # Confirm the package revision was created
   302  kpt alpha rpkg get deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 -ndefault
   303  NAME                                                   PACKAGE         WORKSPACENAME   REVISION   LATEST   LIFECYCLE   REPOSITORY
   304  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82   istions-clone   v1                         false    Draft       deployments
   305  ```
   306  
   307  `kpt alpha rpkg clone` can also be used to clone packages that are in
   308  repositories not registered with Porch, for example:
   309  
   310  ```sh
   311  # Clone a package from Git repository directly (repository is not registered)
   312  $ kpt alpha rpkg clone \
   313    https://github.com/GoogleCloudPlatform/blueprints.git cloned-bucket \
   314    --directory=catalog/bucket \
   315    --ref=main \
   316    --repository=deployments \
   317    --namespace=default
   318  deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac created
   319  
   320  # Confirm the package revision was created
   321  kpt alpha rpkg get deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac -ndefault
   322  NAME                                                   PACKAGE         WORKSPACENAME   REVISION   LATEST   LIFECYCLE   REPOSITORY
   323  deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac   cloned-bucket   v1                         false    Draft       deployments
   324  ```
   325  
   326  The flags supported by the `kpt alpha rpkg clone` command are:
   327  
   328  * `--directory` - Directory within the upstream repository where the upstream
   329    package is located.
   330  * `--ref` - Ref in the upstream repository where the upstream package is
   331    located. This can be a branch, tag, or SHA.
   332  * `--repository` - Repository to which package will be cloned (downstream
   333    repository).
   334  * `--workspace` - Workspace to assign to the downstream package.
   335  * `--strategy` - Update strategy that should be used when updating this package;
   336    one of: `resource-merge`, `fast-forward`, `force-delete-replace`.
   337  
   338  
   339  The `kpt alpha rpkg copy` command can be used to create a new revision of an
   340  existing package. It is a means to modifying an already published package
   341  revision.
   342  
   343  ```sh
   344  # Create a new revision of an existing package
   345  $ kpt alpha rpkg copy \
   346    blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 \
   347    --workspace=v3 -ndefault
   348  
   349  # Confirm the package revision was created
   350  $ kpt alpha rpkg get blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 -ndefault
   351  NAME                                                  PACKAGE   WORKSPACENAME   REVISION   LATEST   LIFECYCLE   REPOSITORY
   352  blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689   istions   v3                         false    Draft       blueprints
   353  ```
   354  
   355  The `kpt alpha rpkg push` command can be used to update the resources (package
   356  contents) of a package _draft_:
   357  
   358  ```sh
   359  # Pull package draft contents into a local directory
   360  $ kpt alpha rpkg pull \
   361    deployments-c32b851b591b860efda29ba0e006725c8c1f7764 ./new-package -ndefault
   362  
   363  # Make edits using your favorite YAML editor, for example adding a new resource
   364  $ cat <<EOF > ./new-package/config-map.yaml
   365  apiVersion: v1
   366  kind: ConfigMap
   367  metadata:
   368    name: example-config-map
   369  data:
   370    color: orange
   371  EOF
   372  
   373  # Push the updated contents to the Package Orchestration server, updating the
   374  # package contents.
   375  $ kpt alpha rpkg push \
   376    deployments-c32b851b591b860efda29ba0e006725c8c1f7764 ./new-package -ndefault
   377  
   378  # Confirm that the remote package now includes the new ConfigMap resource
   379  $ kpt alpha rpkg pull deployments-c32b851b591b860efda29ba0e006725c8c1f7764 -ndefault
   380  
   381  apiVersion: config.kubernetes.io/v1
   382  kind: ResourceList
   383  items:
   384  ...
   385  - apiVersion: v1
   386    kind: ConfigMap
   387    metadata:
   388      name: example-config-map
   389    data:
   390      color: orange
   391  ...
   392  ```
   393  
   394  Package revision can be deleted using `kpt alpha rpkg del` command:
   395  
   396  ```sh
   397  # Delete package revision
   398  $ kpt alpha rpkg del blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 -ndefault
   399  
   400  blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 deleted
   401  ```
   402  
   403  ## Package Lifecycle and Approval Flow
   404  
   405  Authoring is performed on the package revisions in the _Draft_ lifecycle stage.
   406  Before a package can be deployed or cloned, it must be _Published_. The approval
   407  flow is the process by which the package is advanced from _Draft_ state through
   408  _Proposed_ state and finally to _Published_ lifecycle stage.
   409  
   410  The commands used to manage package lifecycle stages include:
   411  
   412  * `propose` - Proposes to finalize a package revision draft
   413  * `approve` - Approves a proposal to finalize a package revision.
   414  * `reject`  - Rejects a proposal to finalize a package revision
   415  
   416  In the [Authoring Packages](#authoring-packages) section above we created
   417  several _draft_ packages and in this section we will create proposals for
   418  publishing some of them.
   419  
   420  ```sh
   421  # List package revisions to identify relevant drafts:
   422  $ kpt alpha rpkg get
   423  NAME                                                   PACKAGE         WORKSPACENAME   REVISION   LATEST   LIFECYCLE   REPOSITORY
   424  ...
   425  deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac   cloned-bucket   v1                         false    Draft       deployments
   426  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82   istions-clone   v1                         false    Draft       deployments
   427  deployments-c32b851b591b860efda29ba0e006725c8c1f7764   new-package     v1                         false    Draft       deployments
   428  
   429  # Propose two packge revisions to be be published
   430  $ kpt alpha rpkg propose \
   431    deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 \
   432    deployments-c32b851b591b860efda29ba0e006725c8c1f7764 \
   433    -ndefault
   434  
   435  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 proposed
   436  deployments-c32b851b591b860efda29ba0e006725c8c1f7764 proposed
   437  
   438  # Confirm the package revisions are now Proposed
   439  $ kpt alpha rpkg get
   440  NAME                                                   PACKAGE         WORKSPACENAME   REVISION   LATEST   LIFECYCLE   REPOSITORY
   441  ...
   442  deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac   cloned-bucket   v1                         false    Draft       deployments
   443  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82   istions-clone   v1                         false    Proposed    deployments
   444  deployments-c32b851b591b860efda29ba0e006725c8c1f7764   new-package     v1                         false    Proposed    deployments
   445  ```
   446  
   447  At this point, a person in _platform administrator_ role, or even an automated
   448  process, will review and either approve or reject the proposals. To aid with the
   449  decision, the platform administrator may inspect the package contents using the
   450  commands above, such as `kpt alpha rpkg pull`.
   451  
   452  ```sh
   453  # Approve a proposal to publish a package revision
   454  $ kpt alpha rpkg approve deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 -ndefault
   455  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 approved
   456  
   457  # Reject a proposal to publish a package revision
   458  $ kpt alpha rpkg reject deployments-c32b851b591b860efda29ba0e006725c8c1f7764 -ndefault
   459  deployments-c32b851b591b860efda29ba0e006725c8c1f7764 rejected
   460  ```
   461  
   462  Now the user can confirm lifecycle stages of the package revisions:
   463  
   464  ```sh
   465  # Confirm package revision lifecycle stages after approvals:
   466  $ kpt alpha rpkg get
   467  NAME                                                   PACKAGE         WORKSPACENAME   REVISION   LATEST   LIFECYCLE   REPOSITORY
   468  ...
   469  deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac   cloned-bucket   v1                         false    Draft       deployments
   470  deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82   istions-clone   v1              v1         true     Published   deployments
   471  deployments-c32b851b591b860efda29ba0e006725c8c1f7764   new-package     v1                         false    Draft       deployments
   472  ```
   473  
   474  Observe that the rejected proposal returned the package revision back to _Draft_
   475  lifecycle stage. The package whose proposal was approved is now in _Published_
   476  state.
   477  
   478  ## Deploying a Package
   479  
   480  Commands used in the context of deploying a package include are in the
   481  `kpt alpha sync` command group (named `sync` to emphasize that Config Sync
   482  is the deploying mechanism and that configuration is being synchronized with the
   483  actuation target as a means of deployment) and include:
   484  
   485  * `create` - Creates a sync of a package in the deployment cluster.
   486  * `del` - Deletes the package RootSync.
   487  * `get` - Gets a RootSync resource with which package was deployed.
   488  
   489  ```sh
   490  # Make sure Config Sync is configured to use multirepo mode
   491  kubectl apply -f - <<EOF
   492  # config-management.yaml
   493  apiVersion: configmanagement.gke.io/v1
   494  kind: ConfigManagement
   495  metadata:
   496    name: config-management
   497  spec:
   498    enableMultiRepo: true
   499  EOF
   500  
   501  # Create a sync resource to deploy a package using Config Sync
   502  $ kpt alpha sync create -ndefault \
   503    --package=deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 \
   504    sync-istions-clone
   505  
   506  Created RootSync config-management-system/sync-istions-clone
   507  
   508  # Get the status of the sync resource
   509  $ kpt alpha sync get sync-istions-clone -oyaml
   510  apiVersion: configsync.gke.io/v1beta1
   511  kind: RootSync
   512  metadata:
   513    name: sync-istions-clone
   514    namespace: config-management-system
   515  ...
   516  
   517  # Delete the sync resource
   518  $ kpt alpha sync delete sync-istions-clone
   519  Deleting synced resources
   520  Waiting for deleted resources to be removed
   521  Sync sync-istions-clone successfully deleted
   522  ```