{"id":28546723,"url":"https://github.com/docker/labs-tape","last_synced_at":"2025-07-07T07:31:45.536Z","repository":{"id":295005184,"uuid":"656697457","full_name":"docker/labs-tape","owner":"docker","description":"Tape is for packaging applications","archived":false,"fork":false,"pushed_at":"2025-04-14T18:12:57.000Z","size":18041,"stargazers_count":9,"open_issues_count":20,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-10T00:07:38.363Z","etag":null,"topics":["kubernetes-manifests"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-06-21T13:01:05.000Z","updated_at":"2025-02-12T14:40:56.000Z","dependencies_parsed_at":"2025-05-23T05:25:16.599Z","dependency_job_id":null,"html_url":"https://github.com/docker/labs-tape","commit_stats":null,"previous_names":["docker/labs-tape"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/docker/labs-tape","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Flabs-tape","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Flabs-tape/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Flabs-tape/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Flabs-tape/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker","download_url":"https://codeload.github.com/docker/labs-tape/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Flabs-tape/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264034497,"owners_count":23547220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes-manifests"],"created_at":"2025-06-10T00:07:43.145Z","updated_at":"2025-07-07T07:31:45.523Z","avatar_url":"https://github.com/docker.png","language":"Go","readme":"# Tape is for packaging applications\n\n## Disclaimer\n\nThis project is an archived experiment that was done as part of Docker Labs and is no longer worked on.\nIt's been made available by Docker Labs team under the Apache license as it's deemed of potential interest to the community, however, it's no longer in active development.\n\n## What is Tape?\n\nTape is a tool that can package an entire application as a self-contained (taped) OCI image that can be deployed to a\nKubernetes cluster. A taped OCI image contains all application components and Kubernetes resources required to run all\nof the components together.\n\n## What problem does it solve?\n\nThe process of building and deploying an application to Kubernetes is highly fragmented. There are many choices that\none has to make when implementing CI/CD. Leaving aside what CI vendor you pick, the starting point is the overall design of\na pipeline, repository structure, Dockerfiles, use of OCI registry, mapping of revisions to image tags, rules of deployment\nbased on tags, promotion between environments, as well as various kinds of ways to manage Kubernetes configs and how these\nconfigs get deployed to any particular cluster.\n\nOf course, there is some essential complexity, all CI pipelines will be different and everyone cannot use one and the same\ntool for philosophical reasons. However, as most CI systems rely on shell scripts, it's quite challenging to define\ncontracts. What Tape does is all about having a simple artifact, which is a concrete contractual term, and Tape ensures\nit has certain properties, for example, it references all formal dependencies by digest, i.e. dependencies that are OCI images\nreferenced from a canonical `image` field in a Kubernetes resource (e.g. `spec.containers[].image`).\n\nAnother issue that arises due to fragmentation is about collaboration between organisations that have made different choices,\ndespite all using OCI images and Kubernetes APIs. To illustrate this, let's ask ourselves: \"Why should there be any difference\nin the mechanics of how my application is deployed to a Kubernetes cluster vs. someone else's application being deployed to the\nsame cluster?\". Of course, it all comes down to Kubernetes API resources, but there is often a lot that happens in between.\nSometimes Helm is used, sometimes it's Kustomize, sometimes plain manifests are used with some bespoke automation around configs Git,\nand there many examples of configs defined in scripting languages as well. Of course, it's very often a mix of a few approaches.\nEven without anything too complicated, there is no such thing as a typical setup with Helm or Kustomize. The problem is that\nthe knowledge of what the choices are exactly and how some well-known tools might be used is not trivial or automatically\ntransferable, and there is little to say about the benefits of having something special.\n\nTape addresses the complexity by using OCI for the distribution of runnable code as well configuration required to run it\ncorrectly on Kubernetes. Tape introduces a notion of application artifact without introducing any particular model of how\ncomponents are composed into an artifact. This model aims to be a layer of interoperability between different tools and\nprovide a logical supply chain entry point and location for storing metadata.\n\nThe best analogy is flatpack furniture. Presently, deployment of an application is as if flatpack hasn't been invented, so\nwhen someone orders a wooden cabinet, all that arrives in a box is just the pieces of wood, they have to shop for nuts,\nbolts, and tools. Of course, that might be desirable for some, as they have a well-stocked workshop with the best tools and\na decent selection of nuts and bolts. But did the box even include assembly instructions with the list of nuts and bolts\none has to buy?\nThat model doesn't scale to the consumer market. Of course, some consumers might have a toolbox, but very few will be able\nto find the right nuts and bolts or even bother looking for any, they might just send the whole box back instead.\nA taped image is like a flatpack package, it has everything needed as well as assembly instructions, without introducing\nnew complexity elsewhere and allows users to keep using their favourite tools.\n\nTo summarise, Tape reduces the complexity of application delivery by packaging the entire application as an OCI image, providing\na transferable artifact that includes config and all of the components, analogous to flatpack furniture. This notion of artifact\nis very important because it helps to define a concise contract.\nTape also produces attestations about the provenance of the configuration source as well as any transforms it applies to the\nsource. The attestations are attached to the resulting OCI image, so it helps with security and observability as well.\n\n## How does Tape work?\n\nTape can parse a directory with Kubernetes configuration and find all canonical references to application images.\nIf an image reference contains a digest, Tape will use it, otherwise it resolves it by making a registry API call.\nFor each of the images, Tape searches of all well-known related tags, such as external signatures, attestations and\nSBOMs. Tape will make a copy of every application image and any tags related to it to a registry the user has specified.\nOnce images are copied, it updates manifests with new references and bundles the result in an OCI artifact pushed to\nthe same repo in the registry.\n\nCopying of all application images and referencing by digest is performed to ensure the application and its configuration\nare tightly coupled together to provide a single link in the supply chain as well as a single point of distribution\nand access control for the whole application.\n\nTape also checks the VCS provenance of manifests, so if any manifest files are checked in Git, Tape will attest to what\nGit repository each file came from, all of the revision metadata, and whether it's been modified or not.\nAdditionally, Tape attests to all key steps that it performs, e.g. original image references it detects and manifest\nchecksums. It stores the attestations using in-toto format in an OCI artifact.\n\n## Usage\n\nTape has the following commands:\n\n- `tape images` - examine images referenced by a given set of manifests before packaging them\n- `tape package` - package an artifact and push it to a registry\n- `tape pull` – download and extract contents and attestations from an existing artifact\n- `tape view` – inspect an existing artifact\n\n### Example\n\nFirst, clone the repo and build `tape` binary:\n\n```console\ngit clone -q git@github.com:docker/labs-brown-tape.git ; cd ./labs-brown-tape\n(cd ./tape ; go build)\n```\n\nClone podinfo app repo:\n```console\n(git clone -q https://github.com/stefanprodan/podinfo ; cd podinfo ; git switch --detach 6.4.1)\n```\n\nExamine podinfo manifests:\n```console\n$ ./tape/tape images --output-format text --manifest-dir ./podinfo/kustomize\nINFO[0000] resolving image digests\nINFO[0000] resolving related images\nghcr.io/stefanprodan/podinfo:6.4.1@sha256:92d43edf253c30782a1a9ceb970a718e6cb0454cff32a473e4f8a62dac355559\n Sources:\n ghcr.io/stefanprodan/podinfo:6.4.1 deployment.yaml:26:16@sha256:bb42d5f170c5c516b7c0f01ce16e82fff7b747c515e5a72dffe80395b52ac778\n Digest provided: false\n OCI manifests:\n sha256:4163972f9a84fde6c8db0e7d29774fd988a7668fe26c67ac09a90a61a889c92d application/vnd.oci.image.manifest.v1+json linux/amd64 1625\n sha256:e2d08f844f9af861a6ea5f47ce0f3fc45cfe3cc9f46f41ddbf8667f302711aea application/vnd.oci.image.manifest.v1+json linux/arm/v7 1625\n sha256:1eb30e81513b6cd96e51b4298ab49b8812c0c33403fc1b730dbf23c280af4cf7 application/vnd.oci.image.manifest.v1+json linux/arm64 1625\n sha256:fd6487d2b151367fbb2b35576f5ac4bcf17d846f13133bf8f5f416eb796d2710 application/vnd.oci.image.manifest.v1+json unknown/unknown 840\n sha256:ddb4ee5ac923648fc01af3610c9090f2f22bb66a2d3a600b82fe4cb09d15c39b application/vnd.oci.image.manifest.v1+json unknown/unknown 840\n sha256:d00c5c99beb6afddfcc3a6f3184bb91d14fdf27a41994542238751124f70332b application/vnd.oci.image.manifest.v1+json unknown/unknown 840\n Inline attestations: 3\n External attestations: 0\n Inline SBOMs: 3\n External SBOMs: 0\n Inline signatures: 0\n External signatures: 1\n$\n```\n\nPackage podinfo:\n```console\n$ ./tape/tape package --manifest-dir ./podinfo/kustomize --output-image ttl.sh/docker-labs-brown-tape/podinfo\nINFO[0000] VCS info for \"./podinfo/kustomize\": {\"unmodified\":true,\"path\":\"kustomize\",\"uri\":\"https://github.com/stefanprodan/podinfo\",\"isDir\":true,\"git\":{\"objectHash\":\"e5f73cd48e13a37c7f7c7b116d7da41e9adf7fd6\",\"remotes\":{\"origin\":[\"https://github.com/stefanprodan/podinfo\"]},\"reference\":{\"name\":\"HEAD\",\"hash\":\"4892983fd12e3ffffcd5a189b1549f2ef26b81c2\",\"type\":\"hash-reference\"}}}\nINFO[0000] resolving image digests\nINFO[0000] resolving related images\nINFO[0007] copying images\nINFO[0012] copied images: ttl.sh/docker-labs-brown-tape/podinfo:app.98767129386790b1a06737587330605eed510345e9b40824f8d48813513a086a@sha256:92d43edf253c30782a1a9ceb970a718e6cb0454cff32a473e4f8a62dac355559, ttl.sh/docker-labs-brown-tape/podinfo:sha256-92d43edf253c30782a1a9ceb970a718e6cb0454cff32a473e4f8a62dac355559.sig@sha256:ed4e1649736c14982b5fe8a25c31a644ee99b7cec232d987c78fe1ab77000dce\nINFO[0012] updating manifest files\nINFO[0019] created package \"ttl.sh/docker-labs-brown-tape/podinfo:config.ea816abb3c83c66181ff027115a84d930ec055ade76e3b7a861046df000bf75c@sha256:c4ef95c63f4572fbbdcc15270c2e2441b5aba753bc7d3a0cf8f7e3d8171b7c6d\"\n$\n```\n\nStore image name and config tag+digest as environment variables:\n```console\npodinfo_image=ttl.sh/docker-labs-brown-tape/podinfo\npodinfo_config=${podinfo_image}:config.ea816abb3c83c66181ff027115a84d930ec055ade76e3b7a861046df000bf75c@sha256:c4ef95c63f4572fbbdcc15270c2e2441b5aba753bc7d3a0cf8f7e3d8171b7c6d\n```\n\nExamine the OCI index of the config image that's been created:\n```console\n$ crane manifest \"${podinfo_config}\" | jq .\n{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.index.v1+json\",\n \"manifests\": [\n {\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"size\": 625,\n \"digest\": \"sha256:1f8b36b04801367cf9302ebadb7ff8a55d4a6b388007ccdc1b423657486952e2\",\n \"platform\": {\n \"architecture\": \"unknown\",\n \"os\": \"unknown\"\n },\n \"artifactType\": \"application/vnd.docker.tape.content.v1alpha1.tar+gzip\"\n },\n {\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"size\": 1440,\n \"digest\": \"sha256:6b8bd7bdb30a489db183930676c48f191b52f94be23c05ce035f8a3a8d330a53\",\n \"platform\": {\n \"architecture\": \"unknown\",\n \"os\": \"unknown\"\n },\n \"artifactType\": \"application/vnd.docker.tape.attest.v1alpha1.jsonl+gzip\"\n }\n ],\n \"annotations\": {\n \"org.opencontainers.image.created\": \"2023-08-30T11:05:44+01:00\"\n }\n}\n$\n```\nExamine each of the two 2nd-level OCI manifests, the first one is for config contents, and the second for attestations:\n```console\n$ crane manifest \"${podinfo_image}@$(crane manifest \"${podinfo_config}\" | jq -r '.manifests[0].digest')\" | jq .\n{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.tape.content.v1alpha1.tar+gzip\",\n \"size\": 233,\n \"digest\": \"sha256:3a5b16a8c592ad85f9b16563f47d03e5b66430e4db3f4260f18325e44e91942e\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.tape.content.v1alpha1.tar+gzip\",\n \"size\": 1182,\n \"digest\": \"sha256:ea816abb3c83c66181ff027115a84d930ec055ade76e3b7a861046df000bf75c\"\n }\n ],\n \"annotations\": {\n \"application/vnd.docker.tape.content-interpreter.v1alpha1\": \"application/vnd.docker.tape.kubectl-apply.v1alpha1.tar+gzip\",\n \"org.opencontainers.image.created\": \"2023-08-30T11:05:44+01:00\"\n }\n}\n$ crane manifest \"${podinfo_image}@$(crane manifest \"${podinfo_config}\" | jq -r '.manifests[1].digest')\" | jq .\n{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.tape.attest.v1alpha1.jsonl+gzip\",\n \"size\": 233,\n \"digest\": \"sha256:3c162e42a2bbd7ff794312811a1da7a2a39289d4f41c7ac0f63c487a0eb3ae1a\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.tape.attest.v1alpha1.jsonl+gzip\",\n \"size\": 892,\n \"digest\": \"sha256:9b4fdb608f604536f3740b4cdf9524f7d65ddd9e79c0d591383e2cc4970f4302\"\n }\n ],\n \"annotations\": {\n \"application/vnd.docker.tape.attestations-summary.v1alpha1\": \"eyJudW1TdGFtZW50ZXMiOjMsInByZWRpY2F0ZVR5cGVzIjpbImRvY2tlci5jb20vdGFwZS9NYW5pZmVzdERpci92MC4xIiwiZG9ja2VyLmNvbS90YXBlL09yaWdpbmFsSW1hZ2VSZWYvdjAuMSIsImRvY2tlci5jb20vdGFwZS9SZXNvbHZlZEltYWdlUmVmL3YwLjEiXSwic3ViamVjdCI6W3sibmFtZSI6Imt1c3RvbWl6ZS9kZXBsb3ltZW50LnlhbWwiLCJkaWdlc3QiOnsic2hhMjU2IjoiYmI0MmQ1ZjE3MGM1YzUxNmI3YzBmMDFjZTE2ZTgyZmZmN2I3NDdjNTE1ZTVhNzJkZmZlODAzOTViNTJhYzc3OCJ9fSx7Im5hbWUiOiJrdXN0b21pemUvaHBhLnlhbWwiLCJkaWdlc3QiOnsic2hhMjU2IjoiZDRiMmZmNmFmNjA3N2QwNjA2NTJiOTg0OWQwY2RhYjFlMjgxOGM2NGU1YjUwMWQ0MTRkODhjMjRkNWFiZGVmOCJ9fSx7Im5hbWUiOiJrdXN0b21pemUva3VzdG9taXphdGlvbi55YW1sIiwiZGlnZXN0Ijp7InNoYTI1NiI6Ijg5M2Y4OTYwZGVlZDM5NTkyZmQ0ZjQwMDRiNzBlMGIxYjZjNjkxYjRlNjI3MmRhMThhNDFjMTczNjBiNzcxZjUifX0seyJuYW1lIjoia3VzdG9taXplL3NlcnZpY2UueWFtbCIsImRpZ2VzdCI6eyJzaGEyNTYiOiJmMTg3NTY2ZjIxMmZjMTRlOWJlNjNkYWI3OWQ5ZGY1Y2ZhNzFkYzI4NDUwOWYyMjdlOWE0MjVkMTUyZmVlYzg1In19XX0K\",\n \"org.opencontainers.image.created\": \"2023-08-30T11:05:44+01:00\"\n }\n}\n$\n```\n\nStore digests as variables:\n```console\ntape_config_digest=\"$(crane manifest \"${podinfo_image}@$(crane manifest \"${podinfo_config}\" | jq -r '.manifests[0].digest')\" | jq -r '.layers[0].digest')\"\ntape_attest_digest=\"$(crane manifest \"${podinfo_image}@$(crane manifest \"${podinfo_config}\" | jq -r '.manifests[1].digest')\" | jq -r '.layers[0].digest')\"\n```\n\nExamine config contents:\n```console\n$ crane blob ${podinfo_image}@${tape_config_digest} | tar t\n.\ndeployment.yaml\nhpa.yaml\nkustomization.yaml\nservice.yaml\n$\n```\n\nExamine attestations:\n```console\n$ crane blob ${podinfo_image}@${tape_attest_digest} | gunzip | jq .\n{\n \"_type\": \"https://in-toto.io/Statement/v0.1\",\n \"predicateType\": \"docker.com/tape/ManifestDir/v0.1\",\n \"subject\": [\n {\n \"name\": \"kustomize/deployment.yaml\",\n \"digest\": {\n \"sha256\": \"bb42d5f170c5c516b7c0f01ce16e82fff7b747c515e5a72dffe80395b52ac778\"\n }\n },\n {\n \"name\": \"kustomize/hpa.yaml\",\n \"digest\": {\n \"sha256\": \"d4b2ff6af6077d060652b9849d0cdab1e2818c64e5b501d414d88c24d5abdef8\"\n }\n },\n {\n \"name\": \"kustomize/kustomization.yaml\",\n \"digest\": {\n \"sha256\": \"893f8960deed39592fd4f4004b70e0b1b6c691b4e6272da18a41c17360b771f5\"\n }\n },\n {\n \"name\": \"kustomize/service.yaml\",\n \"digest\": {\n \"sha256\": \"f187566f212fc14e9be63dab79d9df5cfa71dc284509f227e9a425d152feec85\"\n }\n }\n ],\n \"predicate\": {\n \"containedInDirectory\": {\n \"path\": \"kustomize\",\n \"vcsEntries\": {\n \"providers\": [\n \"git\"\n ],\n \"entryGroups\": [\n [\n {\n \"unmodified\": true,\n \"path\": \"kustomize\",\n \"uri\": \"https://github.com/stefanprodan/podinfo\",\n \"isDir\": true,\n \"git\": {\n \"objectHash\": \"e5f73cd48e13a37c7f7c7b116d7da41e9adf7fd6\",\n \"remotes\": {\n \"origin\": [\n \"https://github.com/stefanprodan/podinfo\"\n ]\n },\n \"reference\": {\n \"name\": \"HEAD\",\n \"hash\": \"4892983fd12e3ffffcd5a189b1549f2ef26b81c2\",\n \"type\": \"hash-reference\"\n }\n }\n },\n {\n \"unmodified\": true,\n \"path\": \"kustomize/deployment.yaml\",\n \"uri\": \"https://github.com/stefanprodan/podinfo\",\n \"digest\": {\n \"sha256\": \"bb42d5f170c5c516b7c0f01ce16e82fff7b747c515e5a72dffe80395b52ac778\"\n },\n \"git\": {\n \"objectHash\": \"97c65ceffd80290eeab72dd9b7f94bdf59df9960\",\n \"remotes\": {\n \"origin\": [\n \"https://github.com/stefanprodan/podinfo\"\n ]\n },\n \"reference\": {\n \"name\": \"HEAD\",\n \"hash\": \"4892983fd12e3ffffcd5a189b1549f2ef26b81c2\",\n \"type\": \"hash-reference\"\n }\n }\n },\n {\n \"unmodified\": true,\n \"path\": \"kustomize/hpa.yaml\",\n \"uri\": \"https://github.com/stefanprodan/podinfo\",\n \"digest\": {\n \"sha256\": \"d4b2ff6af6077d060652b9849d0cdab1e2818c64e5b501d414d88c24d5abdef8\"\n },\n \"git\": {\n \"objectHash\": \"263e9128848695fec5ab76c7f864b11ec98c2149\",\n \"remotes\": {\n \"origin\": [\n \"https://github.com/stefanprodan/podinfo\"\n ]\n },\n \"reference\": {\n \"name\": \"HEAD\",\n \"hash\": \"4892983fd12e3ffffcd5a189b1549f2ef26b81c2\",\n \"type\": \"hash-reference\"\n }\n }\n },\n {\n \"unmodified\": true,\n \"path\": \"kustomize/kustomization.yaml\",\n \"uri\": \"https://github.com/stefanprodan/podinfo\",\n \"digest\": {\n \"sha256\": \"893f8960deed39592fd4f4004b70e0b1b6c691b4e6272da18a41c17360b771f5\"\n },\n \"git\": {\n \"objectHash\": \"470e464dfb87f30f136fb0626b16eddf2f874843\",\n \"remotes\": {\n \"origin\": [\n \"https://github.com/stefanprodan/podinfo\"\n ]\n },\n \"reference\": {\n \"name\": \"HEAD\",\n \"hash\": \"4892983fd12e3ffffcd5a189b1549f2ef26b81c2\",\n \"type\": \"hash-reference\"\n }\n }\n },\n {\n \"unmodified\": true,\n \"path\": \"kustomize/service.yaml\",\n \"uri\": \"https://github.com/stefanprodan/podinfo\",\n \"digest\": {\n \"sha256\": \"f187566f212fc14e9be63dab79d9df5cfa71dc284509f227e9a425d152feec85\"\n },\n \"git\": {\n \"objectHash\": \"9450823d5a09afc116a37ee16da12f53a6f4836d\",\n \"remotes\": {\n \"origin\": [\n \"https://github.com/stefanprodan/podinfo\"\n ]\n },\n \"reference\": {\n \"name\": \"HEAD\",\n \"hash\": \"4892983fd12e3ffffcd5a189b1549f2ef26b81c2\",\n \"type\": \"hash-reference\"\n }\n }\n }\n ]\n ]\n }\n }\n }\n}\n{\n \"_type\": \"https://in-toto.io/Statement/v0.1\",\n \"predicateType\": \"docker.com/tape/OriginalImageRef/v0.1\",\n \"subject\": [\n {\n \"name\": \"kustomize/deployment.yaml\",\n \"digest\": {\n \"sha256\": \"bb42d5f170c5c516b7c0f01ce16e82fff7b747c515e5a72dffe80395b52ac778\"\n }\n }\n ],\n \"predicate\": {\n \"foundImageReference\": {\n \"reference\": \"ghcr.io/stefanprodan/podinfo:6.4.1\",\n \"line\": 26,\n \"column\": 16\n }\n }\n}\n{\n \"_type\": \"https://in-toto.io/Statement/v0.1\",\n \"predicateType\": \"docker.com/tape/ResolvedImageRef/v0.1\",\n \"subject\": [\n {\n \"name\": \"kustomize/deployment.yaml\",\n \"digest\": {\n \"sha256\": \"bb42d5f170c5c516b7c0f01ce16e82fff7b747c515e5a72dffe80395b52ac778\"\n }\n }\n ],\n \"predicate\": {\n \"resolvedImageReference\": {\n \"reference\": \"ghcr.io/stefanprodan/podinfo:6.4.1@sha256:92d43edf253c30782a1a9ceb970a718e6cb0454cff32a473e4f8a62dac355559\",\n \"line\": 26,\n \"column\": 16,\n \"alias\": \"podinfo\"\n }\n }\n}\n$\n```\n\n## FAQ\n\n### What configuration formats does Tape support, does it support any kind of templating?\n\nTape supports plain JSON and YAML manifest, which was the scope of the original experiment.\nIf the project was to continue, it could accommodate a variety of popular templating options,\ne.g. CUE, Helm, and scripting languages, paving a way for a universal artifact format.\n\n### How does Tape relate to existing tools?\n\nMany existing tools in this space help with some aspects of handling Kubernetes resources. These tools operate on\neither loosely coupled collections of resouces (like Kustomize), or opinionated application package formats (most\nnotably Helm). One of the goals of Tape is to abstract the use of any tools that already exist while paving the way\nfor innovation. Tape will attempt to integrate with most of the popular tools, and enable anyone to deploy applications\nfrom taped images without having to know if under the hood it will use Kustomize, Helm, just plain manifest, or something\nelse entirely. The other goal is that users won't need to know about Tape either, perhaps someday `kubectl apply` could\nsupport OCI artifacts and there could be different ways of building the artifacts.\n\n### What kind of applications can Tape package?\n\nTape doesn't infer an opinion of how the application is structured, or what it consists of or doesn't consist of. It doesn't\npresent any application definition format, it operates on plain Kubernetes manifests found in a directory.\n\n### Does Tape provide SBOMs?\n\nTape doesn't explicitly generate or process SBOMs, but fundamentally it could provide functionality around that.\n\n## Acknowledgments \u0026 Prior Art\n\nWhat Tape does is very much in the spirit of Docker images, but it extends the idea by shifting the perspective to configuration\nas an entry point to a map of dependencies, as opposed to the forced separation of app images and configuration.\n\nIt's not a novelty to package configuration in OCI, there are many examples of this, yet that in itself doesn't provide for interoperability.\nOne could imagine something like Tape as a model that abstracts configuration tooling so that end-users don't need to think about whether\na particular app needs to be deployed with Helm, Kustomize, or something else.\n\nTape was directly inspired by [flux push artifact](https://fluxcd.io/flux/cheatsheets/oci-artifacts/). Incidentally, it also resembles\nsome of the aspects of CNAB, but it is much smaller in scope.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Flabs-tape","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker%2Flabs-tape","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Flabs-tape/lists"}