control-service: add kaniko job builder #152
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
antoniivanov
force-pushed
the
person/aivanov/control-service
branch
2 times, most recently
from
9624d7e to
db04b21
Compare
mivanov1988
approved these changes
Aug 30, 2021
antoniivanov
force-pushed
the
person/aivanov/control-service
branch
from
db04b21 to
56ee2db
Compare
|
Do you plan to revise other vdk_job_builder usages in projects/control-service/cicd/.gitlab-ci.yml? |
The following use-cases necessisate the change We need to be able to run in a more secure environment where running as priveleged is disabled. And although buildkit and img (which was used now) allow that they also requires seccomp and AppArmor to be disabled which is also an issue (see https://github.com/GoogleContainerTools/kaniko#comparison-with-other-tools and https://github.com/genuinetools/img#running-with-kubernetes) We would like to be able to run against insecure (http only) docker registry deployed within the namespace only and not accessible outside in order to enable single command installation of our helm chart. Kaniko make it easy by passing --insecure flag. Adding extra arguments option will be in separate change. Created new directory and moved only the relevant code there. The old directory and source in vdk_job_builder will be deleted after some time. Testing Done: the integration test passed I ran it both with ECR registry and docker registry as data job image registry and verified in both cases images are uploaded successfully. I don't forsee any issues iwth the images itself but our post deployment test (vdk-heartbeat) would catch if there any when it runs on main branch Signed-off-by: Antoni Ivanov <[email protected]>
antoniivanov
force-pushed
the
person/aivanov/control-service
branch
from
56ee2db to
a9d42d7
Compare
Yes, I will do that in a separate change in the spirit of breaking commits into small self-contained units |
antoniivanov
added a commit
that referenced
this pull request
Aug 30, 2021
#152 introduced new kaniko job builder. And we need to produce docker image as part of our CI. It follows the same way as before - if version.txt file is edited it will trigger control_service_publish_job_builder_image step in Gitlab CI which will produce image with tags: job-builder:{version} job-builder:latest Testing Done: Will verify CI has produced correct image when it runs on main Signed-off-by: Antoni Ivanov <[email protected]>
antoniivanov
added a commit
that referenced
this pull request
Aug 30, 2021
#152 introduced new kaniko job builder. And we need to produce docker image as part of our CI. It follows the same way as before - if version.txt file is edited it will trigger control_service_publish_job_builder_image step in Gitlab CI which will produce image with tags: job-builder:{version} job-builder:latest Testing Done: Will verify CI has produced correct image when it runs on main Signed-off-by: Antoni Ivanov <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The following use-cases necessisate the change
We need to be able to run in a more secure environment where running as
priveleged is disabled. And although buildkit and img (which was used
now) allow that they also requires seccomp and AppArmor to be disabled
which is also an issue (see
https://github.com/GoogleContainerTools/kaniko#comparison-with-other-tools
and https://github.com/genuinetools/img#running-with-kubernetes)
We would like to be able to run against insecure (http only) docker
registry deployed within the namespace only and not accessible outside
in order to enable single command installation of our helm chart. Kaniko
make it easy by passing --insecure flag. Adding extra arguments option
will be in separate change.
Created new directory and moved only the relevant code there.
The old directory and source in vdk_job_builder will be deleted after
some time.
Testing Done: the integration test passed I ran it both with ECR
registry and docker registry as data job image registry and verified in
both cases images are uploaded successfully. I don't forsee any issues
iwth the images itself but our post deployment test (vdk-heartbeat)
would catch if there any when it runs on main branch
Signed-off-by: Antoni Ivanov [email protected]