From YouTube: CNCF SIG App Delivery Air Gapped WG 2020-05-15
A
I will give people a couple minutes to come in before we get started. In the meantime, you can add yourself to the attendees on the agenda that I just posted in.
A
A
A
All right, it looks like we have quite a few people, so we can get started. Hello, everyone. This is the Air Gapped Working Group from CNCF SIG App Delivery, Friday, May 15th. Our agenda is posted in chat; feel free to add yourself as an attendee. Today we have a demo from Carolyn from Microsoft for CNAB and Porter, so I'll
A
Let her take over in just a few minutes, but before that, I just wanted to see if anyone had any other announcements or parking lot items for after the demo to discuss in today's meeting.
A
Great. Well, Carolyn, I see you here, so feel free to take over. Final note that this meeting is recorded, so don't say anything you don't want on the internet forever. And with that, Carolyn, it's all yours.
B
I'm Carolyn Van Slyck. I work on the Deis Labs team under the Azure group with Microsoft, and I've been working for a while on something called Cloud Native Application Bundles, which delightfully shortens to CNAB, and specifically I've been working on the implementation of that. So CNAB's a specification. There's a couple different implementations of that you may have heard of. Docker App is one, and another
B
One is called Porter, and I wanted to show this to you today, and it's kind of relevant to your group, because it understands how to work with air-gapped networks.
B
Yep, looks great. Okay, so I don't know how much time we have for the demo, but I just want to explain at a really high level
B
What's CNAB and Porter. I'm going to kind of use them a little synonymously; they're not quite the same. But what it lets you do: it takes everything that you need to deploy your application and puts it in a bundle, and allows you to version it and be able to distribute it using OCI registries, Docker registries, and be able to bring it over air gaps, for example, and then be able to work with it using a single command.
B
You're able to work with your application's deployment as a logical unit and be able to put all the logic for managing not only the deployment, like the installation, but upgrade, maybe discrete actions that you do on that deployment, like doing a dump of logs or database dumps, things like that, checking the status and the health of your system, prove it, anything. Like, it'll run any command. It'll do anything; it's whatever you put inside of it.
B
It's just a packaging system with versioning and security and things like that, and it allows you to work with it as a single unit.
B
B
Maybe you're happy and if you're sad, and so this defines my bundle that I made just for y'all called whale gap, and it sneaks a whale-size bundle through an air gap, and it's designed to be published, like I said, to an OCI registry.
B
B
This bundle has, because, like, bundles by itself, just packaging unit, so what's inside of it? Inside of it, I've put Helm. You can use anything inside your bundle; you don't have to use, it's not tied to Kubernetes whatsoever, but I decided to use Helm, and it's heavily templated.
B
So I'm deploying a chart that I made called whale gap, and my chart's right here on my file system, and it has a couple parameters that I'm passing in through my bundle itself. And that's something that's kind of built into CNAB, is the ability to pass to the bundle. Like, as a user, I could pass a parameter to it and then it can make it all the way through into the bundle.
B
So I can alter what it's doing when it's doing the installation. And the other thing, you know, is Helm needs a kubeconfig file; it needs a credential. So that's the other thing I've done, is I've defined that my bundle is going to need, when it's installed, a kubeconfig file, and it says where it's going to find it. So at installation it's going to install this whale gap thing, and then it also knows how to upgrade whale gap and knows how to uninstall it.
A
No dumb questions, so when you say Helm, is it assuming that the Helm binary is on the disk, similar to the kubeconfig file and kubectl? Is there, or do you bundle it with it?
B
Yeah, so that was the next thing. So Porter and bundles itself, bundles bring everything you need in order to install your application inside of itself. Right now, like, a bundle can have multiple different runtimes, but at the moment it's just Docker containers. So a bundle has two components to it. It has a definition of what the bundle is.
B
So I said there's YAML, but it actually comes down to this. This is CNAB right now. Like, you saw Porter before; this is CNAB, and this is the definition of what the bundle is. But the other part of what makes a bundle is the Dockerfile. The invocation image, essentially, is the installer that goes with it. It's a considered utility Docker container that has Helm. It has kubectl.
B
It has certificates that you may need, scripts, the charts file, like all my files. Anything else that I may have needed to do my installation all get shopped into this container here.
B
So this is a generated Dockerfile. Porter generates it; part of CNAB generation is not. That's why I meant, like, CNAB's one thing, Porter's another. But so Porter generated this Dockerfile for you just based on the fact that you said mixin helm. Boom.
B
B
It can auto-detect what you're using and get one for you, and also put on kubectl too; it needs it just for a couple extra things. And it will also copy all the files that are in your directory, so it automatically brought in the charts that you had. So that helped answer your question.
B
B
They all know how to run these. They work because there's a spec. They work with all of them. As long as you have one of those tools on your file system and you have the runtime, in this case it's Docker, you have everything you need to run a bundle, no matter what's inside that bundle.
B
Yeah, it is. Anyone can make a mixin. You know, we've made a bunch that are like obvious, like we could have Kubernetes, we could have Docker Compose is a new one. Is it Terraform.
D
B
We don't have Ansible yet; that'd be a cool one to have. That's that no one can make them. It's just a binary that understands how to talk on standard in and standard out.
E
E
Quite sure we don't, but I know where it is and we'll wire it up.
B
Add that for me, Ralph, that'd be great. You betcha. Yeah, yeah, so anyone can make one. There's no such thing as like an official one or an unofficial one. If it's on your file system, it'll work.
D
B
Two levels of mixin. Actually here's two binaries for every mixin. There's a client side which understands, for example, Darwin, Linux, Mac, and it understands how to do things like injecting these lines into your Dockerfile, because it knows, like, this is what it takes to get Helm inside of a Dockerfile.
B
But then, when you're actually executing this install part, this is happening at runtime and you still need that Helm binary. The mixin binary
F
B
Acts as an adapter between understanding CNAB, because there's some templating going on, there's some environment variables, there's things that are specific to the specification going on inside of this Docker container, and then it handles making calls, maybe to a command line tool, potentially to an endpoint. Like, maybe it's talking directly to a cloud provider, or it could be doing something just as, like, I've made a mixin that just prints things to the terminal, like to the console.
B
B
And that's a Porter-specific thing, not a CNAB thing. It just kind of helps you make a bundle quickly using existing tools out there. Otherwise, you could make a bundle just by writing, like, a really big bash script. But the nice thing about Porter, like the reason why we did it this way,
B
Is it gives you a lot of inspectable metadata that you could use to enforce or do quick find-replace and kind of set policy, and things like that. It's more fun to work with this way, instead of having to, like, reinvent the wheel over and over again. It has a lot of built-in error handling and kind of smarts understanding how bundles work, and more desired state configuration, as opposed to maybe commands that it's fine to fail, versus if I'm gonna mash upgrade over and over and over again until it works.
D
B
You have full control over everything that happens under install or upgrade. Porter has no opinion. Porter at its heart is like a workflow execution engine, and it'll just do whatever is in the YAML.
B
D
B
B
If I had my indenting right, you can make one called status, and you could do like a Helm command here, or you could just go into bash, for example, and start doing your own things.
B
Yeah, you could do your own things from here, and then you could then just call these commands yourself. The idea behind CNAB is it's extremely flexible. It's whatever you need to be able to do. There's very little, there's absolutely no opinion about what you have to do, or understanding about what any of the tools are inside of your bundle.
B
So I want to talk a little bit about the air gap part about this, because one thing I'm doing here that you don't always see with Helm is I'm passing in some extra parameters, some set parameters here. I'm giving it very specifically what repository and what digest to use when I do my helm install, and that's for a very particular reason. When I move my bundle across the air gap, I won't have access to Docker Hub anymore.
B
B
B
B
So in the images section I can give, like, a tag to my image, and so my image is called whalesayd here, and I just say it's a Docker image and it's originally coming from carolynvs whalesayd, and here's the digest. And I'm using digests because I don't trust tags. Tags can be force pushed, and from one day to the next, right, I could be getting different content. I don't want that. So
B
I could use the tag like as a comment. I guess Porter supports just putting a tag in and will resolve the digest for you, but at the spec level it just supports the digest, yeah.
B
So what this lets me do is that when I put this in here, when I make the bundle, it will put this image, it'll grab it from the registry and it'll actually put it inside the bundle too, so the whole thing's portable. So let's take a look and see what that actually looks like. So when I run Porter, I have this command archive, and I want to make, there's different ways to work with bundles. I'm showing you a way called thick bundle.
B
This isn't really the normal way, but this is the air gap way. So I'm going to make whale gap, and when you archive it, it just makes a tgz file for you, and I'm gonna get it from the registry where this is pushed. So it's that getporter whale gap, zero one. That's, that's zero. Okay, I'm not gonna run this command, because this is a demo and it actually takes a little bit of time because it's 500 megabytes. So it's right here, actually, whale gap tgz.
B
C
B
B
Let's see what gets put inside of this thick bundle. So first, this is the CNAB part. It's the definition of the bundle. Okay, and again, this is just the translation of everything that was in that YAML file to the standard spec format, and has everything about it, like the credentials, all the parameters, the description, and it also has a listing of what images are used inside of this bundle. Like, this is what we were just looking at a minute ago.
B
The other piece that's in this zip file is a listing of all the different manifests, sorry, of all the different images that are contained here, and we have two different images. One is the invocation image, or the installer for the bundle. Okay, and this is something that's always present with any bundle, and, as you can see, it originally came from Docker Hub, right. This is where I had published it from, and when I archived it, that's where I pulled it from. But the other thing it has is, remember
B
B
So then in these blobs are actually all the layers of all the Docker images I'm using, and this lets me move it across the air gap and then republish it somewhere else to another registry.
B
Yeah, yeah, there's a copy command, so I could have done porter copy and then given it two different tags, and it'll actually just shuffle them over. So I could rename it from one to the other. So I do up here, I can give it a source and a destination. Is that what you're asking about? Yep, okay, yeah, and it'll just rename it and bring everything over, and everything it's referencing, from one to the other.
D
D
B
F
G
Technically, we rely on the fact that, between, on the same registry, the content digest should not change if you push the same content, but we do have the option for the user to accept the fact that, if the digest changes, the actual digest of the whole bundle is going to change and essentially is going to be a different content, if something changed in your bundle. So it's essentially by default
G
G
B
B
D
So is this multi-architecture enabled? So can I have fat manifest for the Porter images and have different architecture groups for that, or do they have to be tagged independently?
B
G
Up when pushing the bundle to a registry, architecture is taken into account, so it's generated in the bundle. You can specify an index that points to a multi-arch image. I'm not exactly sure if at runtime that's hooked up yet, but technically it should support it.
B
D
Yeah, so basically, if you're going to do a copy, then you're going to probably just, you're going to have to do a copy multiple times for each architecture, and it probably doesn't do a recur, you know, full tree copy of all the architectures. I'm imagining that's kind of the default behavior of a lot of tools.
D
G
B
That's the question is words kind of stumped on the runtime. I have to maybe look it up and get back to you. It's not a question of, like, do we not want to support it? It's this question of, like, did it get coded? Yep, yeah.
E
I would expect it to work properly on all our architectures in the future. Whether it does now or not is a great question. We should test it.
A
Semi-unrelated question: do you preserve the original layers of the images you're pulling in when you're generating the bundle itself? As in, like, if I have, you know, 20 bundles and they all have the same exact, like, you know, three images or, you know, whatever at the bundle level,
A
Do I get that, the merging of those layers, or will it differentiate because they're pulled in separately? You know, I guess it's, for me, it's, you know, right now, our Docker images, when we pulled them off into like a tarball to transfer air gaps, it ends up being to be terabytes because we don't achieve any, you know, we don't minify until we, you know, rehydrate, I guess. And so from a bundling perspective, if we can bundle, you know, and we're achieving something similar.
E
A
Yeah, I guess, well, it'd be more, yeah, like if I'm taking, let's say, you know, alpine into two different bundles, and then the bundle itself turns into an OCI compliant, you know, image or whatever. If I push that into, you know, v2 registry, are the images or the layers from that alpine deduped, or because it's been bundled it gets
B
So we preserve the original layers. If you take a look here, these are the layers that came out of the registry and we don't alter them.
G
The assumption, though, is that when you've archived the bundle you're ready to distribute it to the air gap environment, so you're not as much, for, at least the current thinking is that the moment you archive it is prior to using it. If you want to move a large number of bundles between two different environments, then you might want to look into running a registry in your private environment and pushing
A
G
D
A
B
It's not something specific, so, like, I think most or all of the layers already here. So if I try to do this, it should go pretty quick, because all the layers are there.
A
B
See, instead of taking like really long time, because I said it was 500 megabytes, it went really quick because the layers were there. It recognized it and then only had to push like one thing.
E
So then, also from a holistic standpoint, like from a higher level standpoint, it's really easy to realize that when you decide you're going to drag a whole bunch of layers across an air gap, the package is going to be big. You don't have a way to avoid that, so you need to. Oh, for sure, it's on the, it's the transport layer.
E
A
A
B
I'm bringing this up, how the kind of switcheroo works when we come across the area. So I did the publish here, and so previously I was on that other registry. I can't really do like a full, like, isolated network here, because I'm demoing to you online, so I moved it to another registry. Okay, and I have a Kubernetes cluster here that's pointed to use this registry, and so what I'd like to do then is do a porter install, and I'd like to give it my creds.
B
B
B
Yeah, so this is what we want to highlight here, is that we did the switcheroo. Okay, we told it what the new digest was when we did the helm install, and we also told it, this is the new repository we want to use, so that it's not pointing anymore to Docker Hub; it's grabbing it off of the new registry on the other side of the air gap. And I just want to prove it to you. So let's take a look at the pod that it spun up.
B
When I ran that publish command, porter publish, if we do a little bit scrolling here, I ran porter publish, and what it did is it went through every single one of those blobs, right. It went through the manifest and it went, here are the images that are inside of this zip file, and then it published those to the registry on the other side. So it grabbed it, went through all the different layers, reassembled, it made an image and pushed it all back up.
G
If, okay, if the registry is OCI compliant, they should preserve the digests, and in this case it's, I think, it's Azure Container Registry, which does preserve. Between Docker Hub and ACR, they're both OCI compliant in this perspective, and most of the time most registries strive towards keeping the digest. So I think, in this case, they actually preserved the image digests.
D
E
Install just tells Helm to tell Kubernetes to pull them.
D
B
Everything that's used by your application, so it includes that application image.
D
B
A
B
My image was called like carolynvs whale gap, and so now it's getporter Azure ACR whale gap, so it did rename it. It took, like, the registry, swapped out the registry's names, but then preserved the final path part.
D
F
B
So the mixin didn't need to understand this. The templating handled subbing this in, so the mixin just needed a way to accept the templated values.
B
B
It would be really great if mixins could understand what was being used and be able to help report this back to Porter, so that you're not having to fill this out by hand. But, you know, with Helm it's kind of like, you know, this information could have been anywhere, so you kind of have to type it in yourself, but
D
B
B
Yeah, this wasn't magic. It just had to do with, like, this was how the chart was written. It had it split into a repository and a digest. If it was a single value, then I could have put in, like, if I go look at the values here, if it had been just a single thing, then I could have done a single thing. But most charts have it done this way instead, so you can easily swap out just the version used, you know, just the tag.
D
A
B
A
B
A
Pushed, right, it doesn't take the tags with the manifest when you grab a digest.
B
So what Porter will do here is, at build time, when you build the bundle, it will resolve this tag to the digest, and then when it builds the bundle, because everything turns into a bundle at the end of the day, it has to be resolved to a content digest, so it'll make it an immutable digest for you, right.
A
Right, yeah, so it's easy to get. This is the tag, right, but when it's, so when I rehydrate this in my air gap environment, what does it, does it add the tag to the upstream registry or not? No, okay. So then my Helm chart would fail, because it would need to use a digest instead of a tag.
B
The whole chart wouldn't fail, because it still would have this tag. Oh yeah, I see what you're saying.
D
E
But it's not of the tag form that the original repository had it, and so the real, so this is a great thing to point out, sort of at the stage we're at right now. The expectation is that, if you're pulling something from online across an air gap, you're doing that with some desire to have confidence it's precisely the same artifact, and so the original implementation is based on digest.
E
Because that's the only way we can give you any kind of verification or validation that you're really installing precisely the same thing that you had in an online environment, and tags just don't give you that help. They just don't give you enough confidence. But, alternatively, you know, you could, we could
E
Actually, you know, you could re-tag them, but we're expecting that, or at least in the current situation, we're sort of expecting that the bundle owner would actually understand that, because you have to sort of build it a certain way to make it a thick bundle, so that the bundle owner would understand that modifying the chart inside the bundle to accept digest would probably be part of their workload, and
A
Their workload. Where my concern is, this is a huge issue we've had in general, is many, many operators will hard code tags into Go code, especially if they're helpers, like, you know, I need busybox 1.2.8, all right, 1.28, and it's hardcoded, because that's the helper and who doesn't have busybox. And so they don't allow you to override that; you can override a lot of the other ones. But if that tagged, you know, image doesn't exist, it doesn't have, it's like, you know
A
A
But we've even, well, often it'll just say, you know, busybox with no registry, and it assumes that it resolves. And we've solved that using, you know, we use containerd and we do mirrors, so, like, you know, docker.io and whatever goes to our registry, so yeah, handle it that way. And we also, you know, turned off force pushing on our registries, you know, in our environment, so we have some resemblance of, you know, it hasn't been force pushed, but yeah.
A
G
G
F
I have a quick question. I think you mentioned something when you showed the bundle JSON, that that was, is that the, that's the actual spec that CNAB conforms to and Porter creates? Is that, I'm understanding? So when you said that at the spec level it only supports digest, that's what we're kind of talking about here, is that, yeah.
F
B
G
C
E
Stop trying to autocomplete for me. There we go. Yeah, super great conversation, because that's it. It's very interesting to hear the problems that you run into, such that we can think about how to handle them.
B
C
A
I mean, I think this has been awesome and I really appreciate it. Do you, I mean, do you know enough to give a quick rundown, like Porter versus the competition, like, you know, how do you, what did you guys, you know, what's your, you know, interpretation of the spec versus others, and how there's differences. Sure.
B
B
So that means that it's not really, it's more intended to vet the spec and not really intended to be, like, it's not really actively developed, I'll put it that way. rato, you could check me if I'm wrong. People work on it when we're changing the spec, you know what I mean, and then we'll make changes and make sure that it supports the spec. But beyond that there is an ongoing development on it, and the way Duffle works
B
Is you edit the Dockerfile yourself, so whatever you need inside of that installer invocation image you put in there, and then you're given a bash script, a run script, and whatever you put in there, that's what it'll do when it comes to running install, upgrade or uninstall or custom action. But there isn't any, like, automagic or, like, building blocks like Porter or Docker App.
B
But at the same time, like, since there's no opinion, you can do whatever you want. The other one is Docker App, which is very similar to Docker Compose, basically. I haven't used it terribly much, but that's the way I think about it. It's more focused on the deployment of services that were already defined using Docker Compose, and then, so it conforms to the spec and everything, but deploying infrastructure isn't really, it's not really focused on that.
B
So deploying, for example, like, say, an S3 bucket isn't really what it's intended for. I'm not even sure if you could do that, to be honest, with Docker App. Someone fact check me there. Right, Ralph, that's not, it's not really one of its strengths? Right, awesome!
B
So then there's Porter, and Porter is really built around being able to reuse and adapt existing DevOps tools and existing tools that we use to do everything, and it's essentially, like I said, a workflow execution engine to be able to plug them all together and adapt them so that you can pass inputs like parameters and credentials, and outputs, between them. So if one step with an install created a kubeconfig, you can pass it along to the next one, or maybe it made a database connection string.
B
It basically allows you to pass information between them and kind of string together a series of steps between all your different tools that probably weren't meant to work together, and hopefully make something a little bit easier to manage and deal with error conditions, edge cases, and make something a little more robust than a monolithic bash script. And that's kind of the intent, is that, instead of making something that replaces or is a giant wrapper script around, like, Helm and Terraform and kubectl, it gives you a little bit more easier ways to work with them.
D
B
Needs to be able to connect to a Docker connection either, so it cannot anything is a local Docker socket or it needs to connect to a remote one. So, for example, we run Porter in Azure Cloud Shell, and at that point it's a remote Docker engine that we connect to. Okay.
A
A
I just want to clarify, and so I guess my next question is, if, no, I don't want to take everyone's time. So does anyone have questions? Because I've asked a lot.
A
Okay, cool, so is there any concept of, like, so, well, so when you deploy a bundle, does it have any, like, chaining, or is there any dependency management with it? So, like, one of our, we wrote an internal tool, right, because we essentially need Istio installed pretty early on, because it has a mutating webhook, and if you don't have the mutating webhook before you install things, nothing is mutated. Do bundles have any kind of concept of that, or not really? Yeah.
B
Yeah, so we have, the only one that implements it is Porter at the moment. We have a beginning of a spec for dependencies in the CNAB spec, and so Porter lets you specify, one level deep, who you're depending on. So, like, my canonical example is I have a WordPress bundle and I depend on my MySQL bundle.
B
For example, it will run MySQL bundle first and then pass outputs up into the WordPress bundle, because it needs that connection string, you know, and then it will then use that and then tie them together, and then you can work with them as a unit. But we're trying to bring that to more mature level.
B
So I'd say the next, over the summer, we're going to be working to really bring more scenarios to the dependency spec: being able to have more level, being able to order your dependencies, and be able to satisfy dependencies from something that we, say, installed weeks ago, and things like that. There's a little bit of work we need to do that's happening right now to be able to enable these scenarios. But yes, sorry, long answer. Yes.
B
If anyone's interested, by the way, Porter is looking for contributors or just people who have ideas. Like, everything you're seeing right now, it's super exciting for me, and if you want to hop on our Slack, we're in the CNCF Slack, or you just want to, like, open an issue and drop ideas or leave comments, we really want feedback or, I don't know, anything. Any engagement you're interested in would be amazing, because, I don't know, you're doing the things that we're really interested in learning more about.
D
B
B
So okay, you're just really into CNAB and making bundles; Porter just exists to be an implementation of CNAB, essentially.
D
Okay, except I wrote my competing version of this, but I had to do it at the same time CNAB came out, though it wasn't quite ready for the scenarios we had. So it's interesting, because you and I have taken different angles, and so mine's called the CASE specification. Call it application, call whatever it. Matt stands for container applications for enterprises. Anyway, so it's out there on git too, but it has a whole different perspective on what the opinionated parts and the unopinionated parts are, so yeah. It's interesting.
B
Yeah, I think this is an area that really does need a lot more innovation and people just using it, trying it in different environments in production and seeing what really works when, like, you meet reality, if that makes sense. And it's definitely, like, this is v1; I think v2 will look very different.
G
Speaking of things people should be using, I just want to point out that there's also a security spec that we're actively working on, so if you're interested in that part, essentially, we integrate with the TUF and in-toto upstream specifications, and we're working on having working implementations for both of these. So just, if you're interested in this, feel free to ping us in the CNAB channel or TUF or in-toto channels for the
E
I'm happy to, basically, you can do supply chain signing and then bring that metadata along with you, and if you have the right access to the original metadata server, you can validate the supply chain and arbitrary
G
Yeah, essentially, there's two parts of it. One, which is signing the bundle itself using a Notary service, just like you would sign a regular container image. We're just using Notary in the same way as Docker Content Trust, so you're signing a bundle in the same way. And then the second part, which is, if you have a supply chain layout using in-toto, you can bring that up into the Notary metadata as well, so you can have both of them, specifically for air gap.
A
Awesome. Well, thank you very much, Carolyn, and everyone else from Microsoft that chimed in. We really appreciate it. This is interesting. And Chris, are you still able to demo next week, or, yeah? They can scope. You will
D
Be much easier; it's really small compared to this. So if you have other topics, I would