►
From YouTube: CNCF SIG App Delivery Air Gapped WG 2020-05-15
Description
CNCF SIG App Delivery Air Gapped WG 2020-05-15
A
A
A
A
All
right,
it
looks
like
we
have
quite
a
few
people,
so
we
can
get
started
hello,
everyone.
This
is
the
air
gapped
working
group
from
cncfc
gap,
delivery,
friday
may
15th
our
agenda
is
posted
in
chat,
feel
free
to
add
yourself
as
attendee.
Today
we
have
a
demo
from
carolyn
from
microsoft
for
cnab
and
porter,
so
I'll.
A
B
You're
able
to
work
with
your
applications
deployment
as
a
logical
unit
and
be
able
to
put
all
the
logic
for
managing
not
only
the
deployment
like
the
installation,
but
upgrade
maybe
discrete
actions
that
you
up.
That
you
do
on
that
deployment
like
doing
a
dump
of
logs
or
like
database
dumps
things
like
that,
checking
the
status
and
the
health
of
your
system
prove
it
anything
like
it'll
run
any
command.
It'll
do
anything
it's
whatever
you
put
inside
of
it.
B
B
So
I'm
deploying
a
chart
that
I
made
called
whale
gap
and
my
chart's
right
here
on
my
file
system,
and
it
has
a
couple
parameters
that
I'm
passing
in
through
my
bundle
itself
and
that's
something
that's
kind
of
built
into
cnn
is
the
ability
to
pass
to
the
bundle
as
like
as
a
user.
I
could
pass
a
parameter
to
it
and
then
it
can
make
it
all
the
way
through
into
the
bundle.
B
So
I
can
alter
what
it's
doing
when
it's
doing
the
installation-
and
the
other
thing
you
know
is
helm,
needs
a
cube,
config
file,
it
needs
a
credential.
So
that's
the
other
thing
I've
done.
Is
I've
defined
that
my
bundle
is
going
to
need
when
it's
installed
a
cube,
config
file,
and
it
says
where,
where
it's
going
to
find
it
so
add
installation
it's
going
to
install
this
wheel
gap
thing
and
then
it
also
knows
how
to
upgrade
wheel
gap
and
knows
how
to
uninstall
it.
A
B
Yeah,
so
that
was
the
next
thing
is
so
porter
and
bundles
itself.
Bundles,
bring
everything
you
need
in
order
to
install
your
application
inside
of
itself
right
now,
like
a
bundle,
can
have
multiple
different
runtimes,
but
at
the
moment
it's
just
docker
containers,
so
a
bundle
has
two
components
to
it.
It
has
a
definition
of
what
the
bundle
is.
B
So
I
said,
there's
yaml,
but
it
actually
comes
down
to
this.
This
is
cnab
right
now,
like
you
saw
porter
before
this
is
cena,
and
this
is
the
definition
of
what
the
bundle
is,
but
the
other
part
of
what
makes
a
bundle
is
the
docker
file.
The
invocation
image
essentially,
is
the
installer
that
goes
with
it.
It's
a
considered
utility
docker
container
that
has
helm.
It
has
cube
ctl.
B
B
B
B
B
B
D
B
E
B
D
B
F
B
Acts
as
an
adapter
between
understanding
cnab,
because
there's
there's
some
templating
going
on
there's
some
environment
variables,
there's
things
that
are
specific
to
the
specification
going
on
inside
of
this
this
docker
container,
and
then
it
then
handles
making
calls
navy
to
a
command
line
tool
potentially
to
an
end
point
like.
Maybe
it's
talking
directly
to
a
cloud
provider
or
it
could
be
doing
something
just
as
like.
I've
made
a
mix
in
that
just
prints
things
to
the
terminal
like
to
the
console.
B
B
And
that's
that's
a
porter
specific
thing,
not
a
cnab
thing.
It
just
kind
of
helps.
You
make
a
a
bundle
quickly
using
existing
tools
out
there.
Otherwise,
you
could.
You
could
make
a
bundle
just
by
writing
a
like
a
really
big
bash
script,
but
the
nice
thing
about
porter,
like
the
reason
why
we
did
it
this
way.
D
B
D
B
B
Yeah,
you
could
do
your
own
things
from
here
and
then
you
could
then
just
call
these
commands
yourself.
The
the
idea
behind
cnav
is
it's
extremely
flexible?
It's
whatever
you
need
to
be
able
to
do.
There's
very
little,
there's
absolutely
no
opinion
about
what
you
have
to
do
or
understanding
about
what
any
of
the
tools
are
inside
of
your
bundle.
B
So
I
want
to
talk
a
little
bit
about
the
air
gap
part
about
this,
because
one
thing
I'm
doing
here
that
you
don't
always
see
with
helm,
is
I'm
passing
in
some
extra
parameters,
some
set
parameters
here,
I'm
giving
it
very
specifically
what
repository
and
what
digest
to
use.
When
I
do
my
home
install
and
that's
for
a
very
particular
reason.
When
I
move
my
bundle
across
the
air
gap,
I
won't
have
access
to
docker
hub
anymore.
B
B
So
in
the
images
section
I
can
give
like
a
tag
to
my
image,
and
so
my
image
is
called
will
say
d
here
and
I
just
say
it's
a
docker
image
and
it's
originally
coming
from
carolyn
vs,
wales
id
and
here's
the
digest
and
I'm
using
digests,
because
I
don't
trust
tags
tags
can
be
forced
pushed
and
from
one
day
to
the
next
right
I
could
be
getting
different
content.
I
don't
want
that.
So.
B
B
So
what
this
lets
me
do
is
that
when
I
put
this
in
here
when
I
make
the
bundle,
it
will
put
this
image,
it'll
grab
it
from
the
the
registry
and
it'll
actually
put
it
inside
the
bundle
too,
so
the
whole
thing's
portable.
So
let's
take
a
look
and
see
what
that
that
actually
looks
like.
So
when
I
run
porter,
I
have
this
command
archive
and
I
want
to
make
there's
different
ways
to
work
with
bundles.
I'm
showing
you
a
way
called:
stick
bundle.
B
This
isn't
really
the
normal
way,
but
this
is
the
air
gap
way,
so
I'm
going
to
make
whale
gap
and
when
you
archive
it
it
just
makes
a
gza
file
for
you
and
I'm
gonna
get
it
from
the
registry
where
this
is
pushed.
So
it's
that
get
porter
wheel
gap,
zero
one!
That's
that's!
Zero!
Okay,
I'm
not
gonna
run
this
command,
because
this
is
a
demo
and
it
actually
takes
a
little
bit
of
time
because
it's
500
megabytes.
So
it's
right
here
actually
well
gap,
tgz!
B
C
B
B
Let's
see
what
gets
put
inside
of
this
thick
bundle
so
first,
this
is
the
cena
part.
It's
the
definition
of
the
bundle.
Okay
and
again,
this
is
just
the
translation
of
everything
that
was
in
that
yaml
file
to
the
standard,
spec
format
and
has
everything
about
it.
Like
the
credentials
all
the
parameters,
the
description,
and
it
also
has
a
listing
of
what
images
are
used
inside
of
this
bundle
like
this
is
what
we
were
just
looking
at
a
minute
ago.
B
The
other
piece
that's
in
this
zip
follow
is
a
listing
of
all
the
different
manifests.
Sorry
of
all
the
different
images
that
are
contained
here,
and
we
have
two
different
images:
one
is
the
invocation
image
or
the
installer
for
the
bundle.
Okay,
and
this
is
something
that's
always
present,
with
any
bundle
and,
as
you
can
see,
it
originally
came
from
docker
hub
right.
This
is
where
I
had
published
it
from
and
when
I
archived
it,
that's
where
I
pulled
it
from,
but
the
other
thing
it
has
is
remember.
B
B
Yeah
yeah
there's
a
copy
command,
so
I
could
have
done
porter
copy
and
then
given
it,
two
different
tags
and
it'll,
actually
just
shuffle
them
over.
So
I
could
rename
it
from
one
to
the
other.
So
I
do
up
here.
I
can
give
it
a
source
and
a
destination.
Is
that
what
you're
asking
about
yep,
okay,
yeah
and
it'll
just
rename
it
and
bring
everything
over
and
everything
it's
referencing
from
one
to
the
other.
D
D
B
F
G
Technically,
we
rely
on
the
fact
that,
between
on
the
same
registry,
the
content
digest
should
not
change
if
you
push
the
same
content,
but
we
do
have
the
option
for
the
user
to
accept
the
fact
that,
if
the
die
just
changes,
the
actual
digest
of
the
whole
bundle
is
going
to
change
and
essentially
is
going
to
be
a
different
content.
If,
if
something
changed
in
your
bundle,
so
it's
essentially
by
default.
G
G
B
B
B
G
B
D
Yeah,
so
basically,
if
you're
going
to
do
a
copy,
then
you're
going
to
probably
just
you're
going
to
have
to
do
a
copy
multiple
times
for
each
architecture
and
it
probably
doesn't
do
a
recur.
You
know
full
tree
copy
of
all
the
architectures,
I'm
imagining
that's
kind
of
the
default
behavior
of
a
lot
of
tools.
D
G
B
E
A
A
Do
I
get
that
the
merging
of
those
layers
or
will
it
differentiate
because
they're
pulled
in
separately?
You
know,
I
guess
it's
for
me.
It's.
You
know
right
now,
our
docker
images
when
we
pulled
them
off
into
like
a
tar
ball
to
transfer
air
gaps,
it
ends
up
being
to
be
terabytes
because
we
don't
achieve
any.
You
know
we
don't
minify
until
we
you
know
rehydrate,
I
guess,
and
so
from
a
bundling
perspective.
If
we
can
bundle,
you
know
and
we're
achieving
something
similar.
E
A
Yeah,
I
guess
well
it'd
be
more
yeah
like
if
you're,
if
I'm
taking.
Let's
say
you
know
alpine
into
two
different
bundles
are
and
then
the
the
bundle
itself
turns
into
an
oci
compliant.
You
know
image
or
whatever.
If
I
push
that
into
you
know,
v2
registry
are
the
images
or
the
layers
from
that
alpine
deduped
or
because
it's
been
bundled
it
gets.
B
G
The
assumption,
though,
is
that,
when
you've
archived
the
bundle
you're
ready
to
distribute
it
to
the
airgap
environment,
so
you're,
not
as
much
for
at
least
the
current
thinking
is
that
the
moment
you
archive
it
is
prior
to
using
it.
If
you
want
to
move
a
large
number
of
bundles
between
two
different
environments,
then
you
might
want
to
look
into
running
a
registry
in
your
private
environment
and
pushing.
A
G
D
A
B
A
E
So
then,
also
from
a
holistic
standpoint
like
from
a
higher
level
standpoint,
it's
really
easy
to
realize
that
when
you
decide
you're
going
to
drag
a
whole
bunch
of
layers
across
an
air
gap,
the
package
is
going
to
be
big.
You
don't
have
a
way
to
avoid
that,
so
you
you
need
to.
Oh
for
sure,
it's
on
the
it's
it's
the
transport
layer.
E
A
A
B
I'm
bringing
this
up
how
the
kind
of
switcheroo
works
when
we
come
across
the
area,
so
I
did
the
publish
here
and
so
previously
I
was
on
that
other
registry.
I
can't
really
do
like
a
full
like
isolated
network
here,
because
I'm
demoing
to
you
online,
so
I
moved
it
to
another
registry.
Okay
and
I
have
a
kubernetes
cluster
here.
That's
pointed
to
use
this
registry,
and
so
I'd
like
to
do
then
is
do
a
porter
install
and
I'd
like
to
give
it
my
creds.
B
B
Yeah,
so
this
is
what
we
want
to
highlight
here
is
that
we
did
the
switcheroo
okay,
we
told
it
what
the
new
digest
was
when
we
did
the
helm
install,
and
we
also
told
it.
This
is
the
new
repository
we
want
to
use
so
that
it's
not
pointing
anymore
to
docker
hub,
it's
grabbing
it
off
of
the
new
registry
on
the
other
side
of
the
air
gap,
and
I
just
want
to
prove
it
to
you.
So
let's
take
a
look
at
the
pod
that
it
spun
up.
B
When
I
ran
that
publish
command
porter
publish
if
we
do
a
little
bit
scrolling
here,
I
ran
quarter,
publish
and
what
it
did
is
it
went
through
every
single
one
of
those
those
blobs
right.
It
went
through
the
manifest
and
it
went
here
are
the
images
that
are
inside
of
this,
this
zip
file,
and
then
it
published
those
to
the
registry
on
the
other
side.
So
it
grabbed
it
went
through
all
the
different
layers
reassembled.
It
made
an
image
and
pushed
it
all
back
up.
G
If,
if
okay,
if,
if
the
registry
is
oci
compliant,
they
should
preserve
the
digests,
and
in
this
case
it's,
I
think,
it's
azure
container
registry,
which
does
preserve
between
docker
hub
and
acr
they're,
both
oci
compliant.
In
this
perspective,
and
most
of
the
time
all
most
registries
strive
to
towards
keeping
the
digest.
So
I
think,
in
this
case,
they're
actually
preserved
the
image
digests.
D
D
B
A
B
D
F
B
B
It
would
be
really
great
if
mixins
could
understand
what
was
being
used
and
be
able
to
help
report
this
back
to
porter,
so
that
you're
not
having
to
fill
this
out
by
hand.
But
you
know
with
helm
it's
kind
of
like
you
know
this
information
could
have
been
anywhere,
so
you
kind
of
have
to
type
it
in
yourself,
but.
D
B
B
Yeah,
this
wasn't
magic,
it
was
just
it
just
had
to
do
with
like
this
was
how
the
chart
was
written.
It
had
it
split
into
a
repository
and
it
digests
if
it
was
a
single
value
that
I
could
have
put
in
like.
If
I
go
look
at
the
values
here.
If
it
had
been
just
a
single
thing,
then
I
could
have
done
a
single
thing,
but
most
charts
have
it
done
this
way
instead,
so
you
can
easily
swap
out
just
the
version
used.
You
know
just
the
tag.
D
A
B
A
B
A
Right
yeah,
so
it's
easy
to
get.
This
is
the
tag
right,
but
when
it's
so
you
so
when
I
so
when
I,
when
I
rehydrate
this
in
my
air
gap,
environment
is
what
does
it?
Does
it
add
the
tag
to
the
upstream
registry
or
not?
No,
okay.
So
then
my
helm
chart
would
fail
because
it
would
need
it
would
need
to
use
a
digest
instead
of
a
tag.
B
D
E
But
it's
not
not
not
of
the
tag
form
that
the
original
repository
had
it
and
so
the
the
real.
So
this
is
a
great
thing
to
point
out
sort
of
at
the
stage
we're
at
right
now.
The
expectation
is
that,
if
you're
pulling
something
from
online
across
an
air
gap
that
you're
doing
that
with
some
desire
to
have
confidence,
it's
precisely
the
same
artifact,
and
so
the
original
implementation
is
based
on
digest.
E
Because
that's
the
only
way
we
can
give
you
any
kind
of
verification
or
validation
that
you're
really
installing
precisely
the
same
thing
that
you
had
in
an
online
environment
and
tags,
just
don't
give
you
that
help
they're.
Just
they
just
don't
give
you
enough
confidence.
But,
alternatively,
you
know
you
could
we
could?
E
Actually
you
know
you
could
re-tag
them,
but
we're
expecting
that
it's,
or
at
least
at
least
the
in
the
current
situation,
we're
sort
of
expecting
that
the
bundle
owner
would
actually
understand
that,
because
you
have
to
sort
of
build
it
a
certain
way
to
make
it
a
thick
bundle
so
that
the
bundle
owner
would
understand
that
modifying
the
chart
inside
the
bundle
to
accept
digest.
Would
probably
be
part
of
their
workload
and.
A
Their
work
club,
where
my
concern
is
is
this
is
a
huge
issue.
We've
had
in
general
is
many.
Many
operators
will
hard
code
tags
into
go
code
that,
especially
if
they're
helpers,
like
you
know,
I
need
busybox
1.2.8,
all
right
1.28
and
it's
hardcoded,
because
that's
the
helper
and
who
doesn't
have
busybox,
and
so
they
don't
allow
you
override
that
you
can
override
a
lot
of
the
other
ones.
But
if
that
tagged,
you
know
image
doesn't
exist,
it
doesn't
have
it's
like
you
know.
A
A
But
we've
even
well
often
it'll
just
say
you
know
busybox
with
no
registry,
and
it
assumes
that
it
resolves
and
we've
solved
that
using
you
know
we
use
container
d
and
we
do
mirrors
so,
like
you
know,
docker.io
and
whatever
goes
to
our
registry,
so
yeah
handle
it.
That
way,
and
we
also
you
know,
turned
off
force
pushing
on
our
registries.
You
know
in
in
our
in
our
environment,
so
we
have
some
resemblance
of
you
know
it
hasn't
been
forced
pushed
but
yeah.
A
G
G
F
I
have
a
quick
question.
I
think
you
mentioned
something
when
you
showed
the
bundle
json
that
that
was.
Is
that
the
that's
the
actual
spec,
that
cnab
conforms
to
and
porter
creates?
That
is
that,
is
that
I'm
understanding.
So
when
you
said
that
at
the
spec
level,
it
only
supports
digest.
That's
what
you
that's.
What
we're
kind
of
talking
about
here
is
that
yeah.
F
G
C
E
B
C
A
I
mean
I
think
this
has
been
awesome
and
I
really
appreciate
it.
Do
you
I
mean,
could
do
you
know
enough
to
give
a
quick
rundown
like
porter
versus
the
competition
like
you
know
what
you
know,
how
do
you,
what
what
did
you
guys?
You
know?
What's
yours,
you
know
interpretation
of
the
the
spec
versus
others
and
and
how
there's
differences.
Sure.
B
So
that
means
that
it's,
it's
not
really
it's
more
intended
to
vet
the
spec
and
not
really
intended
to
be
like
it's
not
really
actively
developed
I'll
put
it
that
way
rato.
You
could
check
me
if
I'm
wrong
people
work
on
it
when
we're
changing
the
spec.
You
know
what
I
mean
and
then
we'll
make
changes
and
make
sure
that
it
supports
the
spec.
But
beyond
that
there
is
an
ongoing
development
on
it
and
the
way
duffle
works.
B
But
at
the
same
time
like
there's,
since
there's
no
opinion
you
can
do
whatever
you
want.
The
other
one
is
docker
app,
which
is
very
similar
to
dr
compose.
Basically,
I
haven't
used
it
terribly
much,
but
that's
the
way
I
think
about
it.
It's
more
focused
on
the
deployment
of
services
that
were
already
defined
using
docker
compose
and
then
so
it
conforms
to
the
spec
and
everything,
but
deploying
infrastructure
isn't
really
it's
not
really
focused
on
that.
B
B
So
then,
then,
there's
porter
and
porter
is
really
built
around
being
able
to
reuse
and
adapt
existing
devops
tools
and
existing
tools
that
we
use
to
do
everything,
and
it
is
it's
essentially
like
I
said,
a
workflow
execution
engine
to
be
able
to
plug
them
all
together
and
adapt
them
so
that
you
can
pass
inputs
like
parameters
and
credentials
and
outputs
between
them.
So
if
one
step
with
an
install
created
a
cube
config,
you
can
pass
it
along
to
the
next
one,
or
maybe
it
made
a
database
connection
string.
D
D
B
A
A
A
Okay,
cool,
so
is
there
any
concept
of
like
so
well?
So
when
you,
when
you
deploy
a
bundle,
does
it
does
it
have
any
like
chaining
or
is
there
any
dependency
management
with
it
of
so
like
one
of
our
our,
we
wrote
an
internal
tool
right
because
we
essentially
need
istio
installed
pretty
early
on,
because
it
has
a
mutating
web
point
and
if
you
don't
have
the
mutated
web
hook
before
you
install
things,
nothing
is
mutated.
Does
bundle
bundles,
have
any
kind
of
concept
of
that
or
not
really
yeah.
B
Yeah,
so
we
have
the
only
one
that
implements
it
is
porter.
At
the
moment
we
have
a
beginning
of
a
spec
for
dependencies
in
the
cnam,
spec
and
so
porter
lets
you
specify
one
level
deep
who
you're
depending
on
so
like
my
canonical
example,
is
I
have
a
wordpress
bundle
and
I
depend
on
my
my
sql
bundle.
B
So
I'd
say
the
next
over
the
summer
we're
going
to
be
working
to
really
bring
more
scenarios
to
the
dependency
spec
being
able
to
have
more
level,
I'm
able
to
order
your
dependencies
and
be
able
to
satisfy
dependencies
from
something
that
we
say
installed
weeks
ago
and
things
like
that,
there's
a
little
bit
of
work.
We
need
to
do
that's
happening
right
now
to
be
able
to
enable
these
scenarios.
But
yes,
sorry
long
answer.
Yes,.
B
If
anyone's
interested
by
the
way,
porter
is
looking
for
contributors
or
just
people
who
have
ideas
like
everything
you're
seeing
right
now,
it's
super
exciting
for
me
and
if
you
want
to
hop
on
our
slack
we're
going
to
ncf
slack
or
we
just
want
to
like
open
an
issue
and
drop
ideas
or
leave
comments,
we
really
want
feedback
or
I
don't
know
anything.
Any
engagement
you're
interested
in
would
be
amazing
because
I
don't
know
you're
you're
doing
the
things
that
we're
really
interested
in
learning
more
about.
D
B
D
Okay,
except
I
wrote
my
competing
version
of
this,
but
I
had
to
do
it
at
the
same
time.
Cnab
came
out,
though
it
wasn't
quite
ready
for
the
scenarios
we
had.
So
it's
interesting
because
you
and
I
have
taken
different
angles
and
so
mine's
mine's
called
the
case
specification.
Call
it
application
call
whatever
it.
Matt
stands
for
container
applications
for
enterprises
anyway,
so
it's
out
there
on
git
too,
but
it
has
a
whole
different
perspective
on
how
what
what
the
opinionated
parts
and
the
unopinionated
unopinionated
parts
are
so
yeah.
It's
interesting.
G
Speaking
of
things,
people
should
be
using.
I
just
want
to
point
out
that
there's
also
a
security
spec
that
we're
actively
working
on
so,
if
you're
interested
in
that
part,
essentially,
we
integrate
with
the
tough
and
in
total
upstream
specifications
and
we're
working
on
having
working
implementations
for
both
of
these.
So
just
if
you're
interested
in
this
feel
free
to
ping
us
in
the
cnap,
channel
or
tough
or
in
total
channels
for
the.
E
G
Yeah
essentially,
there's
two
parts
of
it:
one
which
is
signing
the
bundle
itself
using
a
notary
service
just
like
just
like.
You
would
sign
a
regular
container
image,
we're
just
using
note
3
in
the
same
way
as
docker
content,
trust,
so
you're
signing
a
bundle
in
the
same
way
and
then
the
second
part,
which
is,
if
you
have
ins.
If
you
have
a
supply
chain
layout
using
intoto,
you
can
bring
that
up
into
the
note
3
metadata
as
well,
so
you
can
have
both
of
them
specifically
for
air
gap.