Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
OCI Release Capsule
truth, then render from that object instead of chasing source at promotion
time.
Detailed Technical Description of Plan
This plan makes the release object itself an OCI artifact, not a Git commit or a
rendered branch. The app image and the capsule share the same
git-<full-commit-sha>identity, and the capsule carries the exact deploy package plus release
metadata. Promotion is therefore a two-step trust chain: first verify that the
promoted image and capsule belong to the same release identity, then unpack the
capsule and render from the package stored inside it. That is what makes this
plan different from the rendered-branch plans: the output is still reviewable,
but the thing Kargo promotes is an immutable registry object instead of a live
source checkout or a synthetic Git release record.
The capsule should be thought of as a frozen release bundle with a small,
explicit schema.
release.yamlnames the image ref, digest, package kind, andpackage path; the
package/tree contains Helm chart files;metadata/carries provenance and SBOM data. Promotion must download the capsule, confirm
the tag/digest/package metadata match the Freight identity, and then render
from the exact path recorded in the capsule. The important tricky part is that
the capsule is not a generic blob archive: the package path inside the artifact
is part of the contract, so Helm must have a predictable internal layout that
downstream steps can trust.
For Helm, the capsule is mostly a frozen chart plus values. That means the
capsule still depends on
k8s-gitopsfor environment shaping, but it does notdepend on live
code-dot-orgsource at promotion time. The alternatepackage-pair form in this doc is intentionally weaker and more incremental: it
keeps the same image+package pairing but splits the release witness into Git
plus OCI artifacts. The full capsule is the stronger, more opinionated version
when the team wants one registry-native release object to own both the deploy
payload and its provenance. For this handoff, the full capsule form is the
required implementation target. Treat the package-pair text below as future-only
context, not as a co-equal first-pass option.
oci-release-capsule
Sibling PR: code-dot-org/code-dot-org#71563