Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
OCI Release Capsule
truth, then render from that object instead of chasing source at promotion
time.
Detailed Technical Description of Plan
This plan makes the release object itself an OCI artifact, not a Git commit or a
rendered branch. The app image and the capsule share the same
git-<full-commit-sha>identity, and the capsule carries the exact deploypackage plus release metadata. Promotion is therefore a two-step trust chain:
first verify that the promoted image and capsule belong to the same release
identity, then unpack the capsule and render from the package stored inside it.
That is what makes this plan different from the rendered-branch plans: the
output is still reviewable, but the thing Kargo promotes is an immutable
registry object instead of a live source checkout or a synthetic Git release
record.
The capsule should be thought of as a frozen release bundle with a small,
explicit schema.
release.yamlnames the image ref, digest, package kind, andpackage path; the
package/tree contains the shared Kustomize package; andmetadata/carries provenance and SBOM data. Promotion must download thecapsule, confirm the tag/digest/package metadata match the Freight identity,
and then render from the exact path recorded in the capsule. The important
tricky part is that the capsule is not a generic blob archive: the package path
inside the artifact is part of the contract, so Kustomize packaging and the
downstream render step must have a predictable internal layout that Kargo can
trust.
For this plan, the capsule is the required implementation target. The Kustomize
form still depends on
k8s-gitopsfor environment shaping, but it does notdepend on live
code-dot-orgsource at promotion time. The alternate packagepair form in this doc is intentionally weaker and more incremental: it keeps the
same image+package pairing but splits the release witness into Git plus OCI
artifacts. The full capsule is the stronger, more opinionated version when the
team wants one registry-native release object to own both the deploy payload and
its provenance.
oci-release-capsule
Sibling PR: code-dot-org/code-dot-org#71569