github.com/SamarSidharth/kpt@v0.0.0-20231122062228-c7d747ae3ace/site/guides/porch-user-guide.md (about) 1 # Porch User Guide 2 3 This document is focused on using Porch via the `kpt` CLI. 4 5 Installation of Porch, including prerequisites, is covered in a 6 [dedicated document](guides/porch-installation.md). 7 8 ## Prerequisites 9 10 To use Porch, you will need: 11 12 * [`kpt`](https://kpt.dev) 13 * [`gcloud`](https://cloud.google.com/sdk/gcloud) (if running on GKE) 14 * [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl) 15 16 Make sure that your `kubectl` context is set up for `kubectl` to interact with the 17 correct Kubernetes instance (see 18 [installation instructions](guides/porch-installation.md) or 19 the [running-locally](https://github.com/GoogleContainerTools/kpt/blob/main/porch/docs/running-locally.md) guide for details). 20 21 To check whether `kubectl` is configured with your Porch cluster (or local instance), run: 22 23 ```sh 24 kubectl api-resources | grep porch 25 ``` 26 27 You should see the following four resourceds listed: 28 29 ``` 30 repositories config.porch.kpt.dev/v1alpha1 true Repository 31 packagerevisionresources porch.kpt.dev/v1alpha1 true PackageRevisionResources 32 packagerevisions porch.kpt.dev/v1alpha1 true PackageRevision 33 functions porch.kpt.dev/v1alpha1 true Function 34 ``` 35 36 ## Porch Resources 37 38 Porch server manages the following resources: 39 40 1. `repositories`: a repository (Git or OCI) can be registered with Porch to support 41 discovery or management of KRM configuration packages in those repositories, 42 or discovery of KRM functions in those repositories. 43 2. `packagerevisions`: a specific revision of a KRM configuration package 44 managed by Porch in one of the registered repositories. This resource 45 represents a _metadata view_ of the KRM configuration package. 46 3. `packagerevisionresources`: this resource represents the contents of the 47 configuration package (KRM resources contained in the package) 48 4. `functions`: function resource represents a KRM function discovered in a repository 49 registered with Porch. Functions are only supported with OCI repositories. 50 51 Note that `packagerevisions` and `packagerevisionresources` represent different 52 _views_ of the same underlying KRM configuration package. `packagerevisions` 53 represents the package metadata, and `packagerevisionresources` represents the 54 package content. The matching resources share the same `name` (as well as API 55 group and version: `porch.kpt.dev/v1alpha1`) and differ in resource kind 56 (`PackageRevision` and `PackageRevisionResources` respectively). 57 58 ## Repository Registration 59 60 To use Porch with a Git repository, you will need: 61 62 * A Git repository for your blueprints. 63 * A [Personal Access Token](https://github.com/settings/tokens) (when using 64 GitHub repository) for Porch to authenticate with the repository. Porch requires 65 the 'repo' scope. 66 * Or Basic Auth credentials for Porch to authenticate with the repository. 67 68 To use Porch with an OCI repository 69 ([Artifact Registry](https://console.cloud.google.com/artifacts) or 70 [Google Container Registry](https://cloud.google.com/container-registry)), first 71 make sure to: 72 * Enable [workload identity](guides/porch-installation.md#workload-identity) for Porch 73 * Assign appropriate roles to the Porch workload identity service account 74 (`iam.gke.io/gcp-service-account=porch-server@$(GCP_PROJECT_ID).iam.gserviceaccount.com`) 75 to have appropriate level of access to your OCI repository. 76 77 Use the `kpt alpha repo register` command to register your repository with Porch: 78 79 ```sh 80 # Register a Git repository: 81 82 GITHUB_USERNAME=<your github username> 83 GITHUB_TOKEN=<GitHub Personal Access Token> 84 85 $ kpt alpha repo register \ 86 --namespace default \ 87 --repo-basic-username=${GITHUB_USERNAME} \ 88 --repo-basic-password=${GITHUB_TOKEN} \ 89 https://github.com/${GITHUB_USERNAME}/blueprints.git 90 ``` 91 92 All command line flags supported: 93 94 * `--directory` - Directory within the repository where to look for packages. 95 * `--branch` - Branch in the repository where finalized packages are committed. 96 (defaults to `main`) 97 * `--name` - Name of the package repository Kubernetes resource. If unspecified, 98 will default to the name portion (last segment) of the repository URL 99 (`blueprint` in the example above) 100 * `--description` - Brief description of the package repository. 101 * `--deployment` - Boolean value; If specified, repository is a deployment 102 repository; published packages in a deployment repository are considered 103 deployment-ready. 104 * `--repo-basic-username` - Username for repository authentication using basic auth. 105 * `--repo-basic-password` - Password for repository authentication using basic auth. 106 107 Additionally, common `kubectl` command line flags for controlling aspects of 108 interaction with the Kubernetes apiserver, logging, and more (this is true for 109 all `kpt` CLI commands which interact with Porch). 110 111 Use the `kpt alpha repo get` command to query registered repositories: 112 113 ```sh 114 # Query registered repositories 115 $ kpt alpha repo get 116 117 NAME TYPE CONTENT DEPLOYMENT READY ADDRESS 118 blueprints git Package True https://github.com/platkrm/blueprints.git 119 deployments git Package true True https://github.com/platkrm/deployments.git 120 ``` 121 122 The `kpt alpha <group> get` commands support common `kubectl` 123 [flags](https://kubernetes.io/docs/reference/kubectl/cheatsheet/#formatting-output) 124 to format output, for example `kpt alpha repo get --output=yaml`. 125 126 The command `kpt alpha repo unregister` can be used to unregister a repository: 127 128 ```sh 129 # Unregister a repository 130 $ kpt alpha repo unregister deployments --namespace default 131 ``` 132 133 ## Package Discovery And Introspection 134 135 The `kpt alpha rpkg` command group contains commands for interacting with 136 packages managed by the Package Orchestration service. the `r` prefix used 137 in the command group name stands for 'remote'. 138 139 The `kpt alpha rpkg get` command list the packages in registered repositories: 140 141 ```sh 142 # List package revisions in registered repositories 143 $ kpt alpha rpkg get 144 145 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 146 blueprints-0349d71330b89ee48ac85167598ef23021fd0484 basens main main false Published blueprints 147 blueprints-2e47615fda05664491f72c58b8ab658683afa036 basens v1 v1 true Published blueprints 148 blueprints-7e2fe44bfdbb744d49bdaaaeac596200102c5f7c istions main main false Published blueprints 149 blueprints-ac6e872be4a4a3476922deca58cca3183b16a5f7 istions v1 v1 false Published blueprints 150 blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 istions v2 v2 true Published blueprints 151 ... 152 ``` 153 154 The `LATEST` column indicates whether the package revision is the latest among 155 the revisions of the same package. In the output above, `v2` is the latest 156 revision of `istions` package and `v1` is the latest revision of `basens` 157 package. 158 159 The `LIFECYCLE` column indicates the lifecycle stage of the package revision, 160 one of: `Published`, `Draft` or `Proposed`. 161 162 The `REVISION` column indicates the revision of the package. Revisions are 163 assigned when a package is `Published` and starts at `v1`. 164 165 The `WORKSPACENAME` column indicates the workspace name of the package. The 166 workspace name is assigned when a draft revision is created and is used as the 167 branch name for proposed and draft package revisions. The workspace name must be 168 must be unique among package revisions in the same package. 169 170 *Note* on package revision names. Packages exist in a hierarchical directory 171 structure maintained by the underlying repository such as git, or in a 172 filesystem bundle of OCI images. The hierarchical, filesystem-compatible names 173 of packages do not satisfy the Kubernetes naming 174 [constraints](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). 175 Therefore, the names of the Kubernetes resources representing package revisions 176 are computed as a hash. 177 178 Simple filtering of package revisions by name (substring) and revision (exact 179 match) is supported by the CLI using `--name` and `--revision` flags: 180 181 ```sh 182 # List package with `istio` in the package name, and `v2` revision 183 $ kpt alpha rpkg get --name istio --revision=v2 184 185 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 186 blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 istions v2 v2 true Published blueprints 187 ``` 188 189 The common `kubectl` flags that control output format are available as well: 190 191 ```sh 192 # Get the package revision in YAML format 193 $ kpt alpha rpkg get blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 -ndefault -oyaml 194 195 apiVersion: porch.kpt.dev/v1alpha1 196 kind: PackageRevision 197 metadata: 198 labels: 199 kpt.dev/latest-revision: "true" 200 name: blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 201 namespace: default 202 spec: 203 lifecycle: Published 204 packageName: istions 205 repository: blueprints 206 revision: v2 207 workspaceName: v2 208 ... 209 ``` 210 211 The `kpt alpha rpkg pull` command can be used to read the package resources. 212 213 The command can be used to print the package revision resources as 214 `ResourceList` to `stdout`, which enables 215 [chaining](https://kpt.dev/book/04-using-functions/02-imperative-function-execution?id=chaining-functions-using-the-unix-pipe) 216 evaluation of functions on the package revision pulled from the Package 217 Orchestration server. 218 219 ```sh 220 # Pull package revision resources, output as ResourceList to stdout 221 $ kpt alpha rpkg pull blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 -ndefault 222 223 apiVersion: config.kubernetes.io/v1 224 kind: ResourceList 225 items: 226 - apiVersion: kpt.dev/v1 227 kind: Kptfile 228 metadata: 229 name: istions 230 ... 231 ``` 232 233 Or, the package contents can be saved on local disk for direct introspection 234 or editing: 235 236 ```sh 237 # Pull package revision resources, save to local disk into `./istions` directory 238 $ kpt alpha rpkg pull blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 ./istions -ndefault 239 240 # Explore the package contents 241 $ find istions 242 243 istions 244 istions/istions.yaml 245 istions/README.md 246 istions/Kptfile 247 istions/package-context.yaml 248 ... 249 ``` 250 251 ## Authoring Packages 252 253 Several commands in the `kpt alpha rpkg` group support package authoring: 254 255 * `init` - Initializes a new package revision in the target repository. 256 * `clone` - Creates a clone of a source package in the target repository. 257 * `copy` - Creates a new package revision from an existing one. 258 * `push` - Pushes package resources into a remote package. 259 * `del` - Deletes one or more packages in registered repositories. 260 261 262 The `kpt alpha rpkg init` command can be used to initialize a new package 263 revision. Porch server will create and initialize a new package (as a draft) 264 and save it in the specified repository. 265 266 ```sh 267 # Initialize a new (empty) package revision: 268 $ kpt alpha rpkg init new-package --repository=deployments --workspace=v1 -ndefault 269 270 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 created 271 272 # List the available package revisions. 273 $ kpt alpha rpkg get 274 275 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 276 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 new-package v1 false Draft deployments 277 ... 278 ``` 279 280 The new package is created in the `Draft` lifecycle stage. This is true also for 281 all commands that create new package revision (`init`, `clone` and `copy`). 282 283 Additional flags supported by the `kpt alpha rpkg init` command are: 284 285 * `--repository` - Repository in which the package will be created. 286 * `--workspace` - Workspace of the new package. 287 * `--description` - Short description of the package. 288 * `--keywords` - List of keywords for the package. 289 * `--site` - Link to page with information about the package. 290 291 292 Use `kpt alpha rpkg clone` command to create a _downstream_ package by cloning 293 an _upstream_ package: 294 295 ```sh 296 # Clone an upstream package to create a downstream package 297 $ kpt alpha rpkg clone blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 istions-clone \ 298 --repository=deployments -ndefault 299 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 created 300 301 # Confirm the package revision was created 302 kpt alpha rpkg get deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 -ndefault 303 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 304 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 istions-clone v1 false Draft deployments 305 ``` 306 307 `kpt alpha rpkg clone` can also be used to clone packages that are in 308 repositories not registered with Porch, for example: 309 310 ```sh 311 # Clone a package from Git repository directly (repository is not registered) 312 $ kpt alpha rpkg clone \ 313 https://github.com/GoogleCloudPlatform/blueprints.git cloned-bucket \ 314 --directory=catalog/bucket \ 315 --ref=main \ 316 --repository=deployments \ 317 --namespace=default 318 deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac created 319 320 # Confirm the package revision was created 321 kpt alpha rpkg get deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac -ndefault 322 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 323 deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac cloned-bucket v1 false Draft deployments 324 ``` 325 326 The flags supported by the `kpt alpha rpkg clone` command are: 327 328 * `--directory` - Directory within the upstream repository where the upstream 329 package is located. 330 * `--ref` - Ref in the upstream repository where the upstream package is 331 located. This can be a branch, tag, or SHA. 332 * `--repository` - Repository to which package will be cloned (downstream 333 repository). 334 * `--workspace` - Workspace to assign to the downstream package. 335 * `--strategy` - Update strategy that should be used when updating this package; 336 one of: `resource-merge`, `fast-forward`, `force-delete-replace`. 337 338 339 The `kpt alpha rpkg copy` command can be used to create a new revision of an 340 existing package. It is a means to modifying an already published package 341 revision. 342 343 ```sh 344 # Create a new revision of an existing package 345 $ kpt alpha rpkg copy \ 346 blueprints-421a5b5e43b03bc697d96f471929efc6ba3f54b3 \ 347 --workspace=v3 -ndefault 348 349 # Confirm the package revision was created 350 $ kpt alpha rpkg get blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 -ndefault 351 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 352 blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 istions v3 false Draft blueprints 353 ``` 354 355 The `kpt alpha rpkg push` command can be used to update the resources (package 356 contents) of a package _draft_: 357 358 ```sh 359 # Pull package draft contents into a local directory 360 $ kpt alpha rpkg pull \ 361 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 ./new-package -ndefault 362 363 # Make edits using your favorite YAML editor, for example adding a new resource 364 $ cat <<EOF > ./new-package/config-map.yaml 365 apiVersion: v1 366 kind: ConfigMap 367 metadata: 368 name: example-config-map 369 data: 370 color: orange 371 EOF 372 373 # Push the updated contents to the Package Orchestration server, updating the 374 # package contents. 375 $ kpt alpha rpkg push \ 376 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 ./new-package -ndefault 377 378 # Confirm that the remote package now includes the new ConfigMap resource 379 $ kpt alpha rpkg pull deployments-c32b851b591b860efda29ba0e006725c8c1f7764 -ndefault 380 381 apiVersion: config.kubernetes.io/v1 382 kind: ResourceList 383 items: 384 ... 385 - apiVersion: v1 386 kind: ConfigMap 387 metadata: 388 name: example-config-map 389 data: 390 color: orange 391 ... 392 ``` 393 394 Package revision can be deleted using `kpt alpha rpkg del` command: 395 396 ```sh 397 # Delete package revision 398 $ kpt alpha rpkg del blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 -ndefault 399 400 blueprints-bf11228f80de09f1a5dd9374dc92ebde3b503689 deleted 401 ``` 402 403 ## Package Lifecycle and Approval Flow 404 405 Authoring is performed on the package revisions in the _Draft_ lifecycle stage. 406 Before a package can be deployed or cloned, it must be _Published_. The approval 407 flow is the process by which the package is advanced from _Draft_ state through 408 _Proposed_ state and finally to _Published_ lifecycle stage. 409 410 The commands used to manage package lifecycle stages include: 411 412 * `propose` - Proposes to finalize a package revision draft 413 * `approve` - Approves a proposal to finalize a package revision. 414 * `reject` - Rejects a proposal to finalize a package revision 415 416 In the [Authoring Packages](#authoring-packages) section above we created 417 several _draft_ packages and in this section we will create proposals for 418 publishing some of them. 419 420 ```sh 421 # List package revisions to identify relevant drafts: 422 $ kpt alpha rpkg get 423 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 424 ... 425 deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac cloned-bucket v1 false Draft deployments 426 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 istions-clone v1 false Draft deployments 427 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 new-package v1 false Draft deployments 428 429 # Propose two packge revisions to be be published 430 $ kpt alpha rpkg propose \ 431 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 \ 432 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 \ 433 -ndefault 434 435 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 proposed 436 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 proposed 437 438 # Confirm the package revisions are now Proposed 439 $ kpt alpha rpkg get 440 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 441 ... 442 deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac cloned-bucket v1 false Draft deployments 443 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 istions-clone v1 false Proposed deployments 444 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 new-package v1 false Proposed deployments 445 ``` 446 447 At this point, a person in _platform administrator_ role, or even an automated 448 process, will review and either approve or reject the proposals. To aid with the 449 decision, the platform administrator may inspect the package contents using the 450 commands above, such as `kpt alpha rpkg pull`. 451 452 ```sh 453 # Approve a proposal to publish a package revision 454 $ kpt alpha rpkg approve deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 -ndefault 455 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 approved 456 457 # Reject a proposal to publish a package revision 458 $ kpt alpha rpkg reject deployments-c32b851b591b860efda29ba0e006725c8c1f7764 -ndefault 459 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 rejected 460 ``` 461 462 Now the user can confirm lifecycle stages of the package revisions: 463 464 ```sh 465 # Confirm package revision lifecycle stages after approvals: 466 $ kpt alpha rpkg get 467 NAME PACKAGE WORKSPACENAME REVISION LATEST LIFECYCLE REPOSITORY 468 ... 469 deployments-e06c2f6ec1afdd8c7d977fcf204e4d543778ddac cloned-bucket v1 false Draft deployments 470 deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 istions-clone v1 v1 true Published deployments 471 deployments-c32b851b591b860efda29ba0e006725c8c1f7764 new-package v1 false Draft deployments 472 ``` 473 474 Observe that the rejected proposal returned the package revision back to _Draft_ 475 lifecycle stage. The package whose proposal was approved is now in _Published_ 476 state. 477 478 ## Deploying a Package 479 480 Commands used in the context of deploying a package include are in the 481 `kpt alpha sync` command group (named `sync` to emphasize that Config Sync 482 is the deploying mechanism and that configuration is being synchronized with the 483 actuation target as a means of deployment) and include: 484 485 * `create` - Creates a sync of a package in the deployment cluster. 486 * `del` - Deletes the package RootSync. 487 * `get` - Gets a RootSync resource with which package was deployed. 488 489 ```sh 490 # Make sure Config Sync is configured to use multirepo mode 491 kubectl apply -f - <<EOF 492 # config-management.yaml 493 apiVersion: configmanagement.gke.io/v1 494 kind: ConfigManagement 495 metadata: 496 name: config-management 497 spec: 498 enableMultiRepo: true 499 EOF 500 501 # Create a sync resource to deploy a package using Config Sync 502 $ kpt alpha sync create -ndefault \ 503 --package=deployments-11ca1db650fa4bfa33deeb7f488fbdc50cdb3b82 \ 504 sync-istions-clone 505 506 Created RootSync config-management-system/sync-istions-clone 507 508 # Get the status of the sync resource 509 $ kpt alpha sync get sync-istions-clone -oyaml 510 apiVersion: configsync.gke.io/v1beta1 511 kind: RootSync 512 metadata: 513 name: sync-istions-clone 514 namespace: config-management-system 515 ... 516 517 # Delete the sync resource 518 $ kpt alpha sync delete sync-istions-clone 519 Deleting synced resources 520 Waiting for deleted resources to be removed 521 Sync sync-istions-clone successfully deleted 522 ```