Package Storage v2 is the successor of the package-storage Git repository, and it is composed of Google Cloud buckets, service accounts and jobs responsible for maintenance including publishing and indexing.
The Package Storage v2 is available publicly behind the endpoint: package-storage.elastic.co and exposes different package resources:
- zipped packages (e.g. barracuda-0.2.2.zip)
- package signatures (e.g. barracuda-0.2.2 signature)
- extracted static resources (e.g. cisco-0.11.5 screenshot)
The Package Storage v2 has flat structure. It does not introduce any logic to divide packages into stages or a control panel to promote them. We recommend to use proper versioning instead and follow these rules:
- a package with
version < 1.0.0is a technical preview. - a package with
version >= 1.0.0can contain prerelease tags (beta1, SNAPSHOT, next) on its version to indicate its prerelease state.
We identified a few issues in v1 design, we couldn't easily overcome or patch:
- Automatically release new Docker images of the Package Storage without missing packages due to a race condition between CI jobs.
- Control the Docker image size, which is constantly growing (as of today, >1GB). Packages with size >1GB must be served through the Package Registry too.
- Deprecate promotion between stages. It caused a lot of frustration for package developers and most of them didn't follow the recommended promotion path
snapshot -> staging -> production. - Enable validation for incoming packages (spec and signatures).
- Support package signatures. It wasn't possible to calculate the signature for unarchived package directories.
Package revisions already deployed in the production Package Storage (present in the production branch of the package-storage)
are automatically synced with the new storage. In this case we disable the validation as some older packages will not be able
to pass current spec requirements.
Sync between v1 and v2 will be enabled until we officially deprecate the v1 storage (no more PRs or promotions).
Before we deprecate the v1 storage, package owners will have to adjust their releasing pipelines to submit packages to the new destination. Every package candidate should be submitted together with a corresponding signature, generated using the Elastic signing pipeline.
Here is the list of requirements and code modifications based on the beats-ci.
- CI job signing credentials (
sign-artifacts-with-gpg-job) - use them to call the signing pipeline on theinternal-ciJenkins instance. The pipeline will sign artifacts uploaded to the signing bucket and upload there their signatures. - Signing bucket credentials (
internal-ci-gcs-plugin) - use them to upload zipped packages to be signed and download matching signatures. - Package Storage GCP uploader credentials (
upload-package-to-package-storage) - use them to upload a package candidate to the "queue" bucket. The candidates will be picked by the publishing job and removed after processing. - Package Storage uploader secret (
secret/gce/elastic-bekitzur/service-account/package-storage-uploader) - use it to kick off the publishing job to process the uploaded candidate.
These code modifications refer to the Jenkinsfile/groovy files, which will orchestrate the Jenkins worker to sign the package and publish it using the Package Storage publishing job.
Function packageStoragePublish(...)
Function signUnpublishedArtifactsWithElastic(...).
- Check if the package has been already published (HTTP request to EPR).
- Upload the package candidate to the signing bucket.
- Call the Elastic signing pipeline to create matching signatures. The pipeline signs them using the Elastic private key.
- Once the job succeeded, download package signatures.
Function uploadUnpublishedToPackageStorage(...).
- Check if the package has been already published (HTTP request to EPR).
- Upload the package candidate to the special "queue" bucket -
elastic-bekitzur-package-storage-internal. - Call the publishing job. The publishing jobs verifies correctness of the package format and corresponding signature. Next, the job extracts static resources, uploads the zipped package to the public bucket, and schedules indexing in background.