mirror

package
v0.30.20 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 4, 2026 License: Apache-2.0 Imports: 26 Imported by: 0

README

d8 mirror Command

Overview

The d8 mirror command facilitates the distribution of Deckhouse Kubernetes Platform to air-gapped or restricted network environments. It enables users to download (pull) the complete Deckhouse distribution bundle from an external registry and upload (push) it to a private container registry.

This functionality is exclusively available to users holding a valid license for any commercial version of the Deckhouse Kubernetes Platform.

Official Documentation: https://deckhouse.io/products/kubernetes-platform/documentation/latest/installing/#manual-loading-of-dkp-images-and-vulnerability-db-into-a-private-registry

License Note

© Flant JSC 2025

The d8 mirror functionality requires a valid commercial Deckhouse Kubernetes Platform license.

Commands

  • d8 mirror pull - Download Deckhouse distribution to local filesystem
  • d8 mirror push - Upload Deckhouse distribution to a third-party registry

d8 mirror pull

Description

Downloads the Deckhouse Kubernetes Platform distribution bundle to the local filesystem. The bundle contains specific platform releases, modules, and security databases that can later be pushed to an air-gapped container registry.

Synopsis
d8 mirror pull <images-bundle-path> [flags]
Arguments
  • <images-bundle-path> - Path to the directory where the bundle will be stored
Flags
Authentication
Flag Short Environment Variable Description
--source Source registry to pull from (default: registry.deckhouse.ru/deckhouse/ee)
--source-login D8_MIRROR_SOURCE_LOGIN Source registry login
--source-password D8_MIRROR_SOURCE_PASSWORD Source registry password
--license -l D8_MIRROR_LICENSE_TOKEN Deckhouse license key (shortcut for --source-login=license-token --source-password=<token>)
Version Selection
Flag Description
--since-version Minimal Deckhouse release to pull (lower bound, inclusive). Ignored if above current Rock Solid release. Conflicts with --deckhouse-tag and --include-platform
--include-platform Select platform releases by semver constraint (e.g. ">=1.64 <=1.68"). Uses the same constraint dialect as --include-module. Conflicts with --deckhouse-tag and --since-version. See Platform Version Filtering
--deckhouse-tag Specific Deckhouse build tag to pull. Conflicts with --since-version and --include-platform. If the registry contains a release channel image for the specified tag, all release channels in the bundle will point to it
Module Filtering
Flag Short Description
--include-module -i Whitelist specific modules. Use one flag per module. Disables --exclude-module. See Module Filtering for format details
--exclude-module -e Blacklist specific modules. Format: module-name[@version]. Use one flag per module. Overridden by --include-module
--modules-path-suffix Suffix to append to source repo path to locate modules (default: /modules)
Component Selection
Flag Description
--no-platform Do not pull Deckhouse Kubernetes Platform into bundle
--no-security-db Do not pull security databases into bundle
--no-modules Do not pull Deckhouse modules into bundle
--only-extra-images Pull only extra images for modules (security databases, scanners, etc.) without main module images
--no-installer Do not pull Deckhouse installer into bundle
--installer-tag Specific Deckhouse installer build tag to pull.
Bundle Options
Flag Short Description
--images-bundle-chunk-size -c Split resulting bundle into chunks of at most N gigabytes (default: 0 = no splitting)
--gost-digest Calculate GOST R 34.11-2012 STREEBOG digest for downloaded bundle
--force Overwrite existing bundle packages if they conflict with current pull operation
--no-pull-resume Do not continue last unfinished pull operation; start from scratch
Proxy/Cache Registry Discovery
Flag Description
--proxy-registry Pull from a proxy/caching registry that does not implement the registry catalog API. Discovers tags by probing individual semver versions instead of listing. Requires --include-platform and/or --include-module. See Proxy Registry Mode for a summary and PROXY-REGISTRY.md for the full reference. Cannot be combined with --deckhouse-tag or --since-version
Connection Options
Flag Description
--tls-skip-verify Disable TLS certificate validation
--insecure Interact with registries over HTTP
--tmp-dir Path to temporary directory for processing. Ensure sufficient disk space for the entire bundle
Platform Version Filtering

The --include-platform flag accepts a semver constraint expression to pull only a specific window of platform releases. It uses exactly the same constraint dialect as the version part of --include-module.

When to use
Goal Recommended flag
Pull all releases from a given minimum upward --since-version 1.64.0
Pull a bounded range (e.g. for an incremental update) --include-platform ">=1.64 <=1.68"
Pull every release of a single minor --include-platform "~1.65.0"
Pin a single exact release (same as --deckhouse-tag) --include-platform "=v1.65.3"
Constraint syntax

The same rules apply as for --include-module version constraints (see Module Filtering):

  • Latest-patch-per-minor collapsing — for semver ranges, only the highest patch in each (major, minor) bucket is pulled. Inclusive boundary operators (>=, <=) always preserve the named version as an anchor even when a newer patch exists.
  • Channel filtering — release channels whose current snapshot points outside the constraint window are dropped from the bundle so no entry references an image that was not downloaded.
  • Exact-tag form (=) — operationally identical to --deckhouse-tag: a single tag is pulled and all default release channels in the bundle are pointed at it.
Examples
# Pull releases v1.64.x through v1.68.x (incremental update scenario)
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-platform ">=1.64 <=1.68"

# Pull only the latest patch of v1.65.x
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-platform "~1.65.0"

# Pull every minor from v1.65 onward that the registry exposes
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-platform "^1.65.0"

# Pin an exact release (all channels point to v1.65.3)
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-platform "=v1.65.3"
Proxy Registry Mode

--proxy-registry adapts the pull command to source registries that act as a transparent proxy or cache in front of another registry and do not implement the registry catalog API (/v2/_catalog, /v2/<name>/tags/list). Instead of calling ListTags, the pull walks individual semver tags forward from a starting point you supply via --include-platform / --include-module and probes each one with a single manifest HEAD request.

Minimal example:

d8 mirror pull /tmp/d8-bundle \
  --source proxy.internal.company.com/deckhouse/ee \
  --license $LICENSE_TOKEN \
  --proxy-registry \
  --include-platform ">=1.64.0 <=1.68.0" \
  --include-module prometheus@^1.0.0

Full documentation — end-to-end pipeline diagram, walk algorithm, worked example with a step-by-step HEAD-request trace, HTTP response handling, per-component behaviour table, required flag combinations, performance characteristics, known limitations and more examples — lives in a dedicated document:

PROXY-REGISTRY.md

Module Filtering

The --include-module and --exclude-module flags support version constraints for fine-grained control over which module versions to include.

Filter Format
module-name[@version-constraint]
Version Constraint Types

  1. No version specified - Includes all versions from all release channels

    --include-module mymodule

  2. Semver caret constraint (^) - Compatible versions (default when version is specified without operator)

    --include-module mymodule@1.3.0
--include-module mymodule@^1.3.0  # equivalent
    • Example: For available versions v1.0.0, v1.1.0, v1.2.0, v1.3.0, v1.3.3, v1.4.1
    • Constraint ^1.3.0 includes: v1.3.3, v1.4.1
    • Only the highest patch in each (major, minor) series is kept, matching the platform release discovery rule. Use the exact-tag form (=) to pin a specific older patch.
    • Versions currently pinned by release channels (alpha, beta, early-access, stable, rock-solid, lts) are pulled in addition, regardless of the patch filter.
    • Also pulls current versions from all release channels

  3. Semver tilde constraint (~) - Patch-level changes only

    --include-module mymodule@~1.3.0
    • Example: For available versions v1.0.0, v1.1.0, v1.2.0, v1.3.0, v1.3.3, v1.4.1
    • Constraint ~1.3.0 (equivalent to >=1.3.0 <1.4.0) includes: v1.3.3 (latest patch of 1.3.x)
    • Also pulls current versions from all release channels

  4. Semver range constraint - Explicit version range

    --include-module mymodule@">=1.1.0 <1.3.0"
    • Example: For available versions v1.0.0, v1.1.0, v1.1.2, v1.2.0, v1.2.4, v1.3.0
    • Constraint >=1.1.0 <1.3.0 includes: v1.1.0, v1.1.2, v1.2.4
    • The latest patch in each (major, minor) is kept; inclusive boundary operators (>=, <=) always preserve the named version, even when a newer patch exists in the same minor. >=1.1.0 literally means "v1.1.0 OR newer" — the equality is part of the operator.
    • Strict bounds (>, <) do NOT preserve the named version; they exclude it by definition.
    • Caret (^) and tilde (~) are syntactic shorthand for a range: their lower bounds are NOT anchors and the latest-patch-per-minor filter applies in full.
    • Anchors that are not present in the registry are silently skipped — this command never invents a tag.
    • Also pulls current versions from all release channels

  5. Exact tag match (=) - Single specific version

    --include-module mymodule@=v1.3.0
    • Includes only v1.3.0
    • Publishes to all release channels (alpha, beta, early-access, stable, rock-solid)

  6. Exact tag with custom build identifier

    --include-module mymodule@=bobV1
    • Includes only the bobV1 tag
    • Publishes to all release channels

  7. Exact tag with specific channel

    --include-module mymodule@=v1.3.0+stable
    • Includes only v1.3.0
    • Publishes only to the stable channel
Examples
# Download all modules
d8 mirror pull /tmp/d8-bundle --license $LICENSE_TOKEN

# Download a bounded range of platform releases (e.g. v1.64.x – v1.68.x)
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-platform ">=1.64 <=1.68"

# Download only specific modules
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-module neuvector \
  --include-module prometheus

# Download module with version constraint
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-module neuvector@^1.2.0

# Combine platform range with a module filter
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --include-platform ">=1.64 <=1.68" \
  --include-module neuvector

# Exclude specific modules
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --exclude-module module1 \
  --exclude-module module2

# Download only platform and security databases (no modules)
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --no-modules

# Download specific Deckhouse version
d8 mirror pull /tmp/d8-bundle \
  --license $LICENSE_TOKEN \
  --deckhouse-tag v1.59.0
Environment Variables

Additional configuration options are available through environment variables:

Variable Description
SSL_CERT_FILE Path to SSL certificate. If set, system certificates are not used
SSL_CERT_DIR Colon-separated list of directories to search for SSL certificate files. If set, system certificates are not used. More info: https://docs.openssl.org/1.0.2/man1/c_rehash/
HTTP_PROXY URL of proxy server for HTTP requests to hosts not listed in NO_PROXY
HTTPS_PROXY URL of proxy server for HTTPS requests to hosts not listed in NO_PROXY
NO_PROXY Comma-separated list of hosts to exclude from proxying. Supports IP addresses, CIDR notations, domains, and asterisk. Domains match name and subdomains. A single * disables all proxying
Bundle Structure

The pull command creates a bundle with the following structure:

<images-bundle-path>/
├── platform.tar              # Deckhouse platform images (if not --no-platform)
├── security.tar              # Security databases (if not --no-security-db)
├── module-<name>.tar         # Individual module bundles (if not --no-modules)
└── module-<name>-<n>.chunk   # Chunked bundles (if --images-bundle-chunk-size is set)

If --gost-digest is specified, .gostsum files are created alongside each .tar file.

d8 mirror push

Description

Uploads a previously downloaded Deckhouse Kubernetes Platform distribution bundle to a third-party container registry. This is typically used to populate an air-gapped registry with Deckhouse images.

Synopsis
d8 mirror push <images-bundle-path> <registry> [flags]
Arguments
  • <images-bundle-path> - Path to the directory containing the bundle created by d8 mirror pull
  • <registry> - Target registry address (format: registry-host[:port]/path)
Flags
Authentication
Flag Short Environment Variable Description
--registry-login -u D8_MIRROR_REGISTRY_LOGIN Username to log into the target registry
--registry-password -p D8_MIRROR_REGISTRY_PASSWORD Password to log into the target registry
Connection Options
Flag Description
--tls-skip-verify Disable TLS certificate validation
--insecure Interact with registries over HTTP
--tmp-dir Path to temporary directory for processing. Ensure sufficient disk space for the entire bundle
Other Options
Flag Description
--modules-path-suffix Suffix to append to source repo path to locate modules (default: /modules)
Examples
# Push bundle to private registry with authentication
d8 mirror push /tmp/d8-bundle registry.company.com/deckhouse \
  --registry-login admin \
  --registry-password secretpassword

# Push to registry over HTTP (insecure)
d8 mirror push /tmp/d8-bundle registry.local:5000/deckhouse \
  --insecure

# Push with custom temporary directory
d8 mirror push /tmp/d8-bundle registry.company.com/deckhouse \
  --registry-login admin \
  --registry-password secretpassword \
  --tmp-dir /mnt/large-disk/tmp
Environment Variables

The same environment variables used by d8 mirror pull are also supported:

Variable Description
SSL_CERT_FILE Path to SSL certificate
SSL_CERT_DIR Colon-separated list of directories for SSL certificates
HTTP_PROXY HTTP proxy server URL
HTTPS_PROXY HTTPS proxy server URL
NO_PROXY Comma-separated list of hosts to exclude from proxying

Complete Workflow Example

Scenario: Air-Gapped Installation

  1. On a machine with internet access, download the bundle:

    # Full pull from a minimum version
d8 mirror pull /tmp/deckhouse-bundle \
  --license $DECKHOUSE_LICENSE_TOKEN \
  --since-version 1.59.0 \
  --include-module prometheus \
  --include-module ingress-nginx \
  --images-bundle-chunk-size 10

# Or pull only a specific version window for an incremental update
d8 mirror pull /tmp/deckhouse-bundle \
  --license $DECKHOUSE_LICENSE_TOKEN \
  --include-platform ">=1.64 <=1.68" \
  --include-module prometheus \
  --include-module ingress-nginx

  2. Transfer the bundle to the air-gapped environment (USB drive, secure file transfer, etc.)

  3. On a machine in the air-gapped environment, push to the internal registry:

    d8 mirror push /tmp/deckhouse-bundle registry.internal.company.com/deckhouse \
  --registry-login admin \
  --registry-password admin_password

  4. Configure Deckhouse to use the internal registry during installation

Troubleshooting

Common Issues
Insufficient Disk Space

Problem: Pull operation fails due to lack of disk space.

Solution:

  • Use --tmp-dir to specify a location with more space
  • Use --images-bundle-chunk-size to split the bundle into smaller chunks
  • Use component flags (--no-modules, --no-security-db) to reduce bundle size
TLS Certificate Errors

Problem: TLS certificate validation failures when connecting to registries.

Solution:

  • Use --tls-skip-verify to disable certificate validation (not recommended for production)
  • Set SSL_CERT_FILE or SSL_CERT_DIR to provide custom certificates
  • Ensure system certificates are up to date
Authentication Failures

Problem: Unable to authenticate to source or target registry.

Solution:

  • Verify credentials are correct
  • For Deckhouse registry, use --license flag with your license token
  • Check that the license is valid and not expired
  • Ensure network access to the registry
Pull Resume Issues

Problem: Pull operation keeps retrying from scratch.

Solution:

  • The tool automatically resumes incomplete pulls within 24 hours
  • Use --no-pull-resume to force starting from scratch
  • Use --force to overwrite conflicting bundle packages
Debug Logging

Enable debug logging to troubleshoot issues:

# Set debug level (1-4, higher = more verbose)
export D8_LOG_LEVEL=3

d8 mirror pull /tmp/bundle --license $LICENSE_TOKEN

Best Practices

Performance Optimization
  1. Use Local Storage: Ensure --tmp-dir points to fast local storage (SSD preferred)
  2. Network Bandwidth: Large bundles can be several gigabytes; ensure adequate bandwidth
  3. Parallel Operations: The tool automatically parallelizes image pulling
  4. Chunking: For very large bundles or size-constrained transfers, use --images-bundle-chunk-size
Security Considerations
  1. Protect Credentials: Use environment variables for sensitive values
  2. Secure Transfer: Use encrypted channels when transferring bundles
  3. Verify Integrity: Use --gost-digest to generate checksums for bundle verification
  4. TLS Validation: Avoid --tls-skip-verify in production environments
Version Management
  1. Use --since-version: To pull all releases from a given minimum upward, reducing bundle size relative to a full pull
  2. Use --include-platform: To pull a bounded window of releases (e.g. ">=1.64 <=1.68") — useful for staged incremental updates where you want to move up a few minors at a time without pulling the entire channel history
  3. Specific Versions: Use --deckhouse-tag (or --include-platform "=vX.Y.Z") for fully controlled, single-release deployments
  4. Module Versioning: Leverage semver constraints in --include-module for flexible module version management; --include-platform speaks the same dialect
  5. Release Channels: Pulling respects all configured release channels (alpha, beta, early-access, stable, rock-solid); channels whose snapshot falls outside an --include-platform constraint are automatically excluded from the bundle
Bundle Management
  1. Regular Updates: Periodically pull new bundles to stay current with security patches
  2. Version Control: Track which bundle versions are deployed in which environments
  3. Storage Planning: Account for bundle size growth over time (multiple versions, modules)
  4. Cleanup: Remove old bundles after successful deployment to free space

Architecture Notes

Bundle Components

The mirror system handles three primary component types:

  1. Platform Images: Core Deckhouse Kubernetes Platform containers
  2. Modules: Optional Deckhouse modules with versioned releases
  3. Security Databases: Vulnerability scanning databases and related data
Platform Release Discovery

By default, the platform service discovers releases between the current rock-solid channel version (lower bound) and the current alpha channel version (upper bound), keeping the highest patch per (major, minor).

--since-version raises the lower bound above rock-solid when the user wants to skip older minors.

--include-platform replaces this window with a user-supplied semver constraint, applying the same latest-patch-per-minor and inclusive-anchor rules as module version filtering. Channel snapshots outside the constraint are pruned so the bundle stays internally consistent.

--proxy-registry replaces the catalog-based ListTags call entirely with a sequential forward-probe walk seeded from the constraint's lower bound. The latest-patch-per-minor and inclusive-anchor rules still apply to the result; only the way the candidate tag list is obtained changes. Full reference: PROXY-REGISTRY.md.

Module Filtering Logic
  • Whitelist Mode: Only specified modules are included
  • Blacklist Mode: All modules except specified ones are included (default)
  • Version Constraints: Semver-based filtering for granular control (same dialect as --include-platform)
  • Release Channels: Each module can have multiple release channel versions
Storage Layout

Internally, the tool uses OCI-compliant image layouts for organizing container images and manifests. This ensures compatibility with standard container tools and registries.

Additional Resources

Support

For issues, questions, or feature requests:

Documentation

Index

Constants

View Source 
const (
	TmpMirrorFolderName     = "mirror"
	TmpMirrorPullFolderName = "pull"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type BundleFile added in v0.30.20 

type BundleFile struct {
	// Name is the logical artifact name, e.g. "module-foo.tar".
	Name string
	// Bytes is the total size across all chunks of the artifact.
	Bytes int64
	// Chunks is the number of .chunk files (0 for a single .tar artifact).
	Chunks int
}

BundleFile is one logical bundle artifact (platform.tar, installer.tar, security.tar, module-<name>.tar), possibly spread over .NNNN.chunk files.

type BundleStats added in v0.30.20 

type BundleStats struct {
	Files      []BundleFile
	TotalBytes int64
}

BundleStats is the on-disk artifact accounting collected after packing.

type ComponentStats added in v0.30.20 

type ComponentStats struct {
	// Skipped is true when the category was disabled via a Skip* option.
	Skipped bool
	// Attempted is true when the phase ran, even if it produced zero images.
	Attempted bool
	// Images is the number of image manifests (planned or actual).
	Images int
	// Versions are the resolved release versions that will be (or were) pulled,
	// e.g. ["v1.69.0"] or ["v1.71.7", "v1.72.3"]. Populated for the platform;
	// available in dry-run too, since version selection happens before download.
	Versions []string
	// Channels is the set of release channels mapped to Versions (platform only).
	Channels []string
}

ComponentStats is the per-category image accounting captured after a pull phase completes. The image count is "planned" in dry-run (download-list lengths) and "actual" in a real pull (OCI layout manifest counts).

type ImageLayouts added in v0.22.1 

type ImageLayouts struct {
	DeckhousePlatform *platform.ImageLayouts

	TrivyDB           layout.Path
	TrivyDBImages     map[string]struct{}
	TrivyBDU          layout.Path
	TrivyBDUImages    map[string]struct{}
	TrivyJavaDB       layout.Path
	TrivyJavaDBImages map[string]struct{}
	TrivyChecks       layout.Path
	TrivyChecksImages map[string]struct{}

	Modules map[string]ModuleImageLayout
	// contains filtered or unexported fields
}

func NewImageLayouts added in v0.22.1 

func NewImageLayouts() *ImageLayouts

type ModuleImageLayout added in v0.22.1 

type ModuleImageLayout struct {
	ModuleLayout layout.Path
	ModuleImages map[string]struct{}

	ReleasesLayout layout.Path
	ReleaseImages  map[string]ModuleRelease

	ExtraLayout layout.Path
	ExtraImages map[string]struct{}
}

type ModuleRelease added in v0.22.1 

type ModuleRelease struct {
	Version string
}

type ModuleStat added in v0.30.20 

type ModuleStat struct {
	Name   string
	Images int
	// VEX is how many of Images are VEX attestations (a subset of Images).
	VEX int
	// Versions are the resolved module versions that will be (or were) pulled,
	// e.g. ["v1.10.3", "v1.9.16"]. Available in dry-run too.
	Versions []string
}

ModuleStat is one module's contribution to the pull.

type ModulesStats added in v0.30.20 

type ModulesStats struct {
	// Skipped is true when modules were disabled and OnlyExtraImages is off.
	Skipped bool
	// Attempted is true when the modules phase ran.
	Attempted bool
	// OnlyExtraImages reflects the --only-extra-images mode.
	OnlyExtraImages bool
	// Modules holds the per-module breakdown, sorted by name.
	Modules []ModuleStat
	// TotalImages is the sum of images across all modules.
	TotalImages int
	// TotalVEX is the number of VEX attestations across all modules, a subset of
	// TotalImages.
	TotalVEX int
}

ModulesStats aggregates per-module image accounting.

type PackageStat added in v0.30.20 

type PackageStat struct {
	Name   string
	Images int
	// VEX is how many of Images are VEX attestations (a subset of Images).
	VEX int
	// Versions are the resolved package versions that will be (or were) pulled,
	// e.g. ["v1.45.2", "v1.44.0"]. Available in dry-run too.
	Versions []string
}

PackageStat is one package's contribution to the pull.

type PackagesStats added in v0.30.20 

type PackagesStats struct {
	// Skipped is true when packages were disabled and OnlyExtraImages is off.
	Skipped bool
	// Attempted is true when the packages phase ran.
	Attempted bool
	// OnlyExtraImages reflects the --only-extra-images mode.
	OnlyExtraImages bool
	// Packages holds the per-package breakdown, sorted by name.
	Packages []PackageStat
	// TotalImages is the sum of images across all packages.
	TotalImages int
	// TotalVEX is the number of VEX attestations across all packages, a subset of
	// TotalImages.
	TotalVEX int
}

PackagesStats aggregates per-package image accounting.

type PullService added in v0.22.1 

type PullService struct {
	// contains filtered or unexported fields
}

func NewPullService added in v0.22.1 

func NewPullService(
	registryService *registryservice.Service,
	tmpDir string,
	targetTag string,
	options *PullServiceOptions,
	logger *dkplog.Logger,
	userLogger *log.SLogger,
) *PullService

func (*PullService) Pull added in v0.22.1 

func (svc *PullService) Pull(ctx context.Context) (*PullSummary, error)

Pull downloads Deckhouse components from registry.

It returns a PullSummary describing what was pulled (or planned, in dry-run). The summary is assembled incrementally as each phase completes, and is returned even on error so that callers can render a partial summary after a graceful cancellation.

type PullServiceOptions added in v0.24.3 

type PullServiceOptions struct {
	// SkipPlatform skips pulling platform images
	SkipPlatform bool
	// SkipSecurity skips pulling security databases
	SkipSecurity bool
	// SkipModules skips pulling module images
	SkipModules bool
	// SkipPackages skips pulling package images
	SkipPackages bool
	// SkipInstaller skips pulling installer images
	SkipInstaller bool
	// InstallerTag is the tag for the installer image
	InstallerTag string
	// OnlyExtraImages pulls only extra images for modules (without main module images)
	OnlyExtraImages bool
	// IgnoreSuspend allows mirroring even if release channels are suspended
	IgnoreSuspend bool
	// PlatformConstraint selects platform releases by semver constraint
	// (--include-platform). When non-nil it replaces the default
	// rock-solid..alpha discovery window for the platform service. Exact-tag
	// constraints are routed through TargetTag inside platform.PullPlatform.
	PlatformConstraint modules.VersionConstraint
	// ModuleFilter is the filter for module selection (whitelist/blacklist)
	ModuleFilter *modules.Filter
	// PackageFilter is the filter for package selection (whitelist/blacklist).
	// Packages reuse the modules filter because selection logic is identical.
	PackageFilter *modules.Filter
	// BundleDir is the directory to store the bundle
	BundleDir string
	// BundleChunkSize is the max size of bundle chunks in bytes (0 = no chunking)
	BundleChunkSize int64
	// SkipVexImages allows skipping VEX images
	SkipVexImages bool
	// Timeout is the timeout for the pull operation
	Timeout time.Duration
	// DryRun prints the pull plan without downloading any image blobs
	DryRun bool
	// ProxyRegistry switches platform/module discovery from a single
	// catalog ListTags call (which proxy registries typically return
	// empty for) to a sequential probe of explicit version tags. The
	// CLI guarantees that --include-platform and/or --include-module
	// are supplied so the probe has a defined starting point.
	ProxyRegistry bool
}

PullServiceOptions contains configuration options for PullService

type PullSummary added in v0.30.20 

type PullSummary struct {
	// DryRun reports whether this was a planning run with no downloads.
	DryRun bool
	// Cancelled marks a graceful interrupt (Ctrl+C); the summary reflects what
	// completed before it.
	Cancelled bool
	// Failed marks a hard-error abort (e.g. retries exhausted, checksum failure).
	// The summary still renders, in a FAILED state. A phase that never ran has a
	// zero-valued stat and renders "not pulled". Mutually exclusive with Cancelled.
	Failed bool
	// Edition is the source edition (e.g. "ce", "ee"), parsed from the source
	// registry path. Empty for a custom registry with no edition segment, in
	// which case the summary omits the Edition line.
	Edition string
	// Elapsed is the wall-clock duration of the pull, filled by the CLI.
	Elapsed time.Duration

	Platform  ComponentStats
	Installer ComponentStats
	Security  SecurityStats
	Modules   ModulesStats
	Packages  PackagesStats

	// Bundle is populated by the CLI from the bundle directory (real pull only).
	Bundle BundleStats
}

PullSummary is the complete end-of-pull accounting handed to the renderer.

type PushService added in v0.22.1 

type PushService struct {
	// contains filtered or unexported fields
}

PushService handles pushing OCI layouts to registry. It treats the layout structure as the source of truth - the relative path of each layout becomes the registry segment directly.

Expected layout structure (after unpack): 

<root>/
├── index.json                     # Deckhouse main images
├── blobs/
├── install/                       # Deckhouse Install
│   ├── index.json
│   └── blobs/
├── install-standalone/            # Deckhouse Standalone Install
├── release-channel/               # Deckhouse release channels
├── security/                      # Security databases
│   ├── trivy-db/
│   ├── trivy-bdu/
│   ├── trivy-java-db/
│   └── trivy-checks/
├── modules/                       # Modules
│   └── <module-name>/
│       ├── index.json
│       ├── release/
│       └── <extra-name>/
└── packages/                      # Packages
    └── <package-name>/
        ├── index.json
        ├── version/
        └── <extra-name>/

func NewPushService added in v0.22.1 

func NewPushService(
	client client.Client,
	options *PushServiceOptions,
	logger *dkplog.Logger,
	userLogger *log.SLogger,
) *PushService

NewPushService creates a new PushService

func (*PushService) Push added in v0.26.4 

func (svc *PushService) Push(ctx context.Context) error

Push uploads all OCI layouts from the bundle to the registry. It unpacks all packages into a unified directory and pushes each layout using its relative path as the registry segment.

The key principle: no path transformations. Whatever path the layout has in the unpacked directory becomes its path in the registry.

type PushServiceOptions added in v0.26.4 

type PushServiceOptions struct {
	// BundleDir is the directory containing the bundle to push
	BundleDir string
	// WorkingDir is the temporary directory for unpacking bundles
	WorkingDir string
}

PushServiceOptions contains configuration options for PushService

type SecurityStats added in v0.30.20 

type SecurityStats struct {
	// Skipped is true when --no-security-db was set.
	Skipped bool
	// Attempted is true when the security phase ran.
	Attempted bool
	// Available is false for editions without security databases (CE/BE/SE),
	// where securityDatabasesAvailable() returned false.
	Available bool
	// Databases is the number of databases pulled (real pull) or enqueued
	// (dry-run). At most AvailableDatabases.
	Databases int
	// AvailableDatabases is the size of the security database catalogue
	// (trivy-db, trivy-bdu, trivy-java-db, trivy-checks).
	AvailableDatabases int
}

SecurityStats specializes ComponentStats for the trivy security databases.

Source Files

View all Source files

Directories

Path Synopsis
api
v1alpha1
cmd
pull
pull/errdetect
Package errdetect classifies registry errors for d8 mirror pull with pull-specific causes and solutions.
 Package errdetect classifies registry errors for d8 mirror pull with pull-specific causes and solutions.
pull/flags
push
push/errdetect
Package errdetect classifies registry errors for d8 mirror push with push-specific causes and solutions.
 Package errdetect classifies registry errors for d8 mirror push with push-specific causes and solutions.
Package errmatch provides error matchers for container registry responses.
 Package errmatch provides error matchers for container registry responses.
Package pack contains the atomic-write helper shared by every component that emits a tar artifact into the user's bundle directory (platform, installer, security, per-module).
 Package pack contains the atomic-write helper shared by every component that emits a tar artifact into the user's bundle directory (platform, installer, security, per-module).
Package packages mirrors Deckhouse "packages", which are structurally identical to modules but live under a different set of registry segments:
 Package packages mirrors Deckhouse "packages", which are structurally identical to modules but live under a different set of registry segments:

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.