-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multi arch image builds #45
Multi arch image builds #45
Conversation
Welcome @RealHarshThakur! |
Hi @RealHarshThakur. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
aa6f05a
to
b3527a2
Compare
Sorry for the long delay, reviewing this now |
@RealHarshThakur what does "secret" mean in this context? Does Github have its own concept of secrets? Sorry, I don't know the GH flow. |
Yes, GitHub can store secrets which will show up as environment variables inside the job and only the owner of the repo can set it. https://docs.github.com/en/actions/reference/encrypted-secrets |
|
||
- name: Set Release Tag | ||
run: | | ||
TAG="${GITHUB_REF#refs/*/v}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does this give you if you're running on master
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It gives it as refs/heads/master
whereas when it's pushed to v1
, it gives it as 1
.
https://github.com/RealHarshThakur/hierarchical-namespaces/runs/2753272153?check_suite_focus=true#step:8:11
https://github.com/RealHarshThakur/hierarchical-namespaces/runs/2753141639?check_suite_focus=true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that we'll repeatedly overwrite the same tag, right? I'm not a huge fan of that, especially on the branches. Can we append the commit hash, e.g. something like hnc_manager:master-0a1b2c-multiarch
for the master branch, and hnc_manager:0.9-3d4e5f-multiarch
for the branches?
For the tags, it's probably ok to just have the tag name, e.g. hnc_manager:0.9.0-multiarch
. We'll never build the same tag twice - if we need to do a release candidate, we'll include that in the tag name in Git (e.g. 0.9.0-rc1
) and if we need to make a change to an existing tag, we'll just create a new one instead (e.g. 0.9.1
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could also not push image for master branch. Only when a release is made and a branch is created, we create an image for it. We can have a separate image tag for Github Actions, just hope it doesn't confuse the end users. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This applies to the release branches as well. It's only Git tags that only get built once.
I'd prefer if we could append some unique prefix onto each build that comes from a branch (and not a tag). Failing that, can we say -latest
on it so people know not to rely on it being constant?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I suggest doing a +{date}
to the tag as these are automatic builds. A 'real' release should likely only be retagging an intermediate build into the proper version. At least that would be my suggestion, especially since our release include more than just an image build. It also includes docs, kustomization files, and soon to be helm charts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RealHarshThakur I'm not seeing the date in the tab above, am I missing someething?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that sets the Docker tag so that it includes the date, but RELEASE_TAG
(which I'm guessing is the Github release tag) still includes only the branch name, correct? E.g., I'd prefer for this to be something like:
GITREF="${GITHUB_REF#refs/*/v}"
echo "RELEASE_TAG=${GITREF}-${{ steps.date.outputs.HNC_BUILD_TIMESTAMP }}" >> $GITHUB_ENV
In other words, line up the RELEASE_TAG
and the Docker tags as closely as possible.
@RealHarshThakur if I've misinterpreted please feel free to remove the hold. We can always clean it up later anyway.
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 | ||
image: quay.io/brancz/kube-rbac-proxy:v0.10.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure about this one. I trust the kubebuilder build process; I don't know who quay.io/brancz
is or if we should trust their images. I'd prefer something like make manifests-multi
so that people have to explicitly opt into using this version of kube-rbac-proxy from an untrusted source. Or even just tell people to modify the manifest themselves (e.g. change gcr.io/k8s-staging-multitenancy/hnc-manager:v0.9.0
to gcr.io/k8s-staging-multitenancy/hnc-manager:v0.9.0-multi
, and change gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
to quay.io/brancz/kube-rbac-proxy:v0.10.0
at your own risk).
Is there a bug against kubebuilder to produce multiarch images?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the ownership has been passed and KubeBuilder maintainers are contributing to the same repo. Here's the repo and here's a comment by one of the maintainers suggesting to use the image(kubernetes-sigs/kubebuilder#1637 (comment)) .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok, I see that github.com/brancz
is the source-of-truth for kube-rbac-proxy. I'm just not sure about their supply chain. Let me ask and find out why kubebuilder thought it was necessary to have their own copies in the first place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I asked around, and apparently gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
is multi-architecture. I think I'd prefer to use that instead if it works.
The reason it's in gcr.io/kubebuilder
is that this registry is owned by a Kubernetes SIG, while quay.io
is not. This isn't an absolutely massive deal but it's why I'd prefer to follow kubebuilder's lead and use that image if it's reasonable to.
Thanks for the review @adrianludwin , will work on it tomorrow/day after tomorrow. |
Thanks! And I'll read up a bit more on GH actions.
…On Fri, Jun 4, 2021 at 2:38 PM Harsh Thakur ***@***.***> wrote:
Thanks for the review @adrianludwin <https://github.com/adrianludwin> ,
will work on it tomorrow/day after tomorrow.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#45 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE43PZAU2V6POXFLOY6FZ43TREMRVANCNFSM45H6TNLQ>
.
|
ceab51c
to
c6ae91b
Compare
@adrianludwin I made the changes you recommended at most places. Replied on the others, PTAL |
|
||
- name: Set Release Tag | ||
run: | | ||
TAG="${GITHUB_REF#refs/*/v}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that we'll repeatedly overwrite the same tag, right? I'm not a huge fan of that, especially on the branches. Can we append the commit hash, e.g. something like hnc_manager:master-0a1b2c-multiarch
for the master branch, and hnc_manager:0.9-3d4e5f-multiarch
for the branches?
For the tags, it's probably ok to just have the tag name, e.g. hnc_manager:0.9.0-multiarch
. We'll never build the same tag twice - if we need to do a release candidate, we'll include that in the tag name in Git (e.g. 0.9.0-rc1
) and if we need to make a change to an existing tag, we'll just create a new one instead (e.g. 0.9.1
).
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 | ||
image: quay.io/brancz/kube-rbac-proxy:v0.10.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok, I see that github.com/brancz
is the source-of-truth for kube-rbac-proxy. I'm just not sure about their supply chain. Let me ask and find out why kubebuilder thought it was necessary to have their own copies in the first place.
/ok-to-test |
682f4c7
to
3ced647
Compare
Signed-off-by: Harsh Thakur <harshthakur9030@gmail.com>
3ced647
to
39ff519
Compare
@adrianludwin sorry for the delay. I think I addressed most comments, PTAL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple last nits and then I think this looks good to start experimenting with.
/cc @rjbez17 - wdyt?
.github/workflows/image.yaml
Outdated
tags: | ||
- 'v*' | ||
|
||
# TODO: Migrate building binaries from Cloud Build |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/binaries/manifests and kubectl plugins/
|
||
- name: Set Release Tag | ||
run: | | ||
TAG="${GITHUB_REF#refs/*/v}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This applies to the release branches as well. It's only Git tags that only get built once.
I'd prefer if we could append some unique prefix onto each build that comes from a branch (and not a tag). Failing that, can we say -latest
on it so people know not to rely on it being constant?
.github/workflows/image.yaml
Outdated
# GCR_KEY is the service account key in json which is base64 encoded and stored in the secrets section of the repo. | ||
service_account_key: ${{ secrets.GCR_KEY }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you say anything about what this service account needs to be able to do? E.g., it must have permission to push to gcr.io/k8s-staging-multitenancy
? If that's the requirement, how did you test this - by pushing to some different GCR repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I used the Default compute service account
as shown in this blog and yes, I tested with a different repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah. That's bad advice, the default compute service account is terrible and generally shouldn't be used :D But there was no way for you to know that! I take it that the account was in the same GCP project as the repo you used to test?
Maybe just add the comment that we think the requirement for the service accounts it that it can push to the required registry (sorry, "registry" not "repo") but that we're not certain. We'll find out soon enough!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the future it'd be nice if we split up seperate things into different PRs or at least commits. This PR does a bit more than just multiarch builds.
|
||
- name: Set Release Tag | ||
run: | | ||
TAG="${GITHUB_REF#refs/*/v}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I suggest doing a +{date}
to the tag as these are automatic builds. A 'real' release should likely only be retagging an intermediate build into the proper version. At least that would be my suggestion, especially since our release include more than just an image build. It also includes docs, kustomization files, and soon to be helm charts.
lgtm other than the nit around the tagging. I personally think a 'real' release tag should be somewhat manual but open to discussion, but having intermediate builds pushed up will be very helpful. |
+1 to the How would you have broken this up? I thought the majority was just "get github actions working" so maybe it's just the wrong title? The actual multiarch builds part seems pretty small. |
Yeah so I mean there are three things, one really unrelated, that I see here:
Not a huge deal but in this case since it isn't a huge amount of code changes here but yeah. |
regardless, lgtm after the +{date} addition |
b8d5d1a
to
7b3d33a
Compare
Signed-off-by: Harsh Thakur <harshthakur9030@gmail.com>
7b3d33a
to
2f61d91
Compare
/lgtm @adrianludwin want feel free to remove the hold |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RealHarshThakur, rjbez17 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One last comment, otherwise lgtm. Please feel free to remove the hold yourself (/hold remove
) if I've misinterpreted, or if you just want to make that change in a followup PR.
|
||
- name: Set Release Tag | ||
run: | | ||
TAG="${GITHUB_REF#refs/*/v}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that sets the Docker tag so that it includes the date, but RELEASE_TAG
(which I'm guessing is the Github release tag) still includes only the branch name, correct? E.g., I'd prefer for this to be something like:
GITREF="${GITHUB_REF#refs/*/v}"
echo "RELEASE_TAG=${GITREF}-${{ steps.date.outputs.HNC_BUILD_TIMESTAMP }}" >> $GITHUB_ENV
In other words, line up the RELEASE_TAG
and the Docker tags as closely as possible.
@RealHarshThakur if I've misinterpreted please feel free to remove the hold. We can always clean it up later anyway.
@adrianludwin so we're using branch name + timestamp for image tags. The release tag itself is being used in the metadata during docker build. The reason for not using release tag in the image was because branch names like |
Ok let's see what it looks like in the GH UI, that should clarify a lot and
will tell us if we need more work.
Thanks for being patient as we went through all these reviews, and congrats
on getting this in! I know that was a lot of work but build systems and
procedures are hard. This is a great contribution!
…On Mon, Jul 5, 2021 at 11:20 AM Harsh Thakur ***@***.***> wrote:
/hold remove
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#45 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE43PZB2G4VRZO3ICCDIVHLTWHETHANCNFSM45H6TNLQ>
.
|
/remove-hold |
Fixes #21
Notes to reviewer/maintainer: