Skip to content

[deckhouse-cli] Fetch plugin contracts from manifest annotation#388

Merged
ldmonster merged 2 commits into
mainfrom
feat/update-using-manifests-contract
Jun 25, 2026
Merged

[deckhouse-cli] Fetch plugin contracts from manifest annotation#388
ldmonster merged 2 commits into
mainfrom
feat/update-using-manifests-contract

Conversation

@Glitchy-Sheep

@Glitchy-Sheep Glitchy-Sheep commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Important

🧩 Stacked PR · d8 self-update & plugins · 3 / 3 · Direct manifest download
Merge in this order:

  1. Update - [deckhouse-cli] Plugins / d8 self-update with requirements check #386
  2. Multiplatform support - [deckhouse-cli] Platform-aware image pulls from RPP #387
  3. Direct manifest download - [deckhouse-cli] Fetch plugin contracts from manifest annotation #388 ← this PR

Proxy side: deckhouse/deckhouse#20795 · deckhouse/deckhouse#20800

Summary

Reading a plugin's contract no longer downloads the plugin image.

The contract is published as an annotation on the image manifest, and d8 fetches just that manifest.

How it works

  • d8 fetches GET /v1/images/<image>/manifests/<ref> (ref is a tag or a digest) and decodes the base64-JSON contract annotation.
  • For a multi-platform image index with no top-level annotation, d8 follows the first child manifest by digest and reads the annotation there.
  • Install still pulls the full image to lay down the binary; only contract reads got cheaper.

Before / After

Before: every contract read pulled and untarred the plugin image to find contract.yaml.

After: every contract read is one manifest request with no layers.

Also in this PR: built-in commands can satisfy a plugin dependency

A plugin contract may depend on a capability that ships as a built-in d8 command
rather than a published plugin (currently delivery-kit, a werf re-skin).

With this pr we can setup a list of built-in commands which can resolve plugins contract dependencies.

  • Curated allow-list (just delivery-kit)
  • Only dependency resolution is affected - d8 plugins install delivery-kit directly still reports it is not published.

@Glitchy-Sheep Glitchy-Sheep force-pushed the feat/multiplatform-rpp-request branch from fc4d5dd to 7b84a8a Compare June 23, 2026 11:11
@Glitchy-Sheep Glitchy-Sheep force-pushed the feat/update-using-manifests-contract branch from 4dec67e to aaae09f Compare June 23, 2026 11:11
@Glitchy-Sheep Glitchy-Sheep mentioned this pull request Jun 23, 2026
Merged
@Glitchy-Sheep Glitchy-Sheep force-pushed the feat/update-using-manifests-contract branch from aaae09f to 177b033 Compare June 24, 2026 02:21
@Glitchy-Sheep Glitchy-Sheep force-pushed the feat/multiplatform-rpp-request branch 2 times, most recently from 8e2f183 to 88f14d8 Compare June 24, 2026 03:17
@Glitchy-Sheep Glitchy-Sheep force-pushed the feat/update-using-manifests-contract branch from 177b033 to 4a60385 Compare June 24, 2026 03:17
This was referenced Jun 24, 2026
Merged
Merged
Merged
@Glitchy-Sheep Glitchy-Sheep marked this pull request as ready for review June 24, 2026 20:42
@Glitchy-Sheep Glitchy-Sheep requested a review from ldmonster as a code owner June 24, 2026 20:42
Base automatically changed from feat/multiplatform-rpp-request to feat/cli-and-plugins-autoupdate June 25, 2026 10:18
@Glitchy-Sheep Glitchy-Sheep mentioned this pull request Jun 25, 2026
Merged
@Glitchy-Sheep Glitchy-Sheep changed the base branch from feat/cli-and-plugins-autoupdate to main June 25, 2026 10:50
@Glitchy-Sheep
Fetch plugin contracts from the manifest annotation
c7a5cc8 
- `Client.GetManifest` fetches the raw image manifest over
  `/<image>/manifests/<ref>` - one manifest fetch, no layer pull. The binary is
  pulled only on install.
- The CLI reads the base64 `contract` annotation itself; the proxy stays generic
  and returns the manifest verbatim.
- Multi-platform images: when the index carries no contract, the first child
  manifest is followed by digest, so the contract is found wherever it lives.
- A missing annotation yields name+version (contract-less plugin); a malformed one
  is an error. `selectCompatible` hard-stops on any contract error and never
  silently demotes to an older installed version.

Signed-off-by: Roman Berezkin <roman.berezkin@flant.com>
@Glitchy-Sheep
Let built-in commands satisfy plugin dependencies
2177ee8 
- A plugin dependency named after a built-in command (e.g. `delivery-kit`) is satisfied by the command's presence - no install, no registry lookup.
- Version constraints on such deps are ignored: a built-in can't be upgraded, so presence alone is enough.
- The planner and the pre-switch validators short-circuit on built-in deps, for both mandatory and conditional requirements.
- `d8` registers `delivery-kit` as a built-in via `SetBuiltinCommands` when it builds the `plugins` command.

Signed-off-by: Roman Berezkin <roman.berezkin@flant.com>
@Glitchy-Sheep Glitchy-Sheep force-pushed the feat/update-using-manifests-contract branch from e9b4155 to 2177ee8 Compare June 25, 2026 11:04
@ldmonster ldmonster merged commit 0a79af2 into main Jun 25, 2026
5 checks passed
@ldmonster ldmonster deleted the feat/update-using-manifests-contract branch June 25, 2026 15:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ldmonster ldmonster ldmonster approved these changes

Assignees

@Glitchy-Sheep Glitchy-Sheep

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Glitchy-Sheep @ldmonster