Allow versioned dependencies to be bundled and distributed as a Release
Problem to solve
Images and packages are often tied to a Release and need to be used to distribute software to a runtime, such as point-of-sale or IoT devices, which need access to the secure, immutable image(s) required for your software to run.
Job stories
- When I create images, I want to have a distribution model of those packages for others to consume, so that we can use artifacts across many devices.
- When I create different versions of artifacts, I want those to be stored in a central and immutable place for easy access and version control, so that devices and users can consume the latest artifacts in release bundles.
- When I approve a release bundle for consumption by others, I want to use a single place to verify the artifacts contained within the version, so that consumers know what’s valid for use.
Intended users
- Rachel (Release Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
Further details
Competitive offerings
- Artifactory has the concept of edge nodes, which allows for replication for any packages or images included in a release bundle.
- Harbor allows you to create push and pull endpoints to replicate images from Harbor to other container registries.
Proposal
- Allow users to create and keep a semantic version using a pre-defined environment variable and use that variable to tag images, packages, and other artifacts.
- Create a new GitLab API endpoint that will allow users to:
  - Add images and packages to a release version.
  - List images and packages tied to a given version.
  - Delete images and packages tied to a given version.
  - Update images and packages tied to a given version.
- Create a new GitLab API endpoint that will allow users to CRUD replication policies for a given release.
- Add a new UI that will expose the above APIs.
Permissions and Security
- We need to validate what level of permissions is required for each action.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
Success means offering our customers the ability to programmatically bundle their project's dependencies in a Release and helping them distribute their software to any device.
What is the type of buyer?
- This needs to be validated
Is this a cross-stage feature?
Yes - this impacts Release and Package and may be expanded to include other stages in the future.