kbs: Build image on merge to main #170
21705eb to c6e1156
DOCKER_BUILDKIT=1 docker build -t quay.io/confidential-containers/kbs:coco-as-${commit_sha} . -f docker/Dockerfile --push; \ | ||
DOCKER_BUILDKIT=1 docker build -t quay.io/confidential-containers/kbs:coco-as-openssl-${commit_sha} --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f docker/Dockerfile --push; \ | ||
DOCKER_BUILDKIT=1 docker build -t quay.io/confidential-containers/kbs:coco-as-grpc-${commit_sha} . -f docker/Dockerfile.coco-as-grpc --push |
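Review bot: the three `docker build ... --push` commands are joined with `; \`, so unless the enclosing shell runs with errexit, a failed first build does not stop the later two from building and pushing, and the job can publish an incomplete set of images for the same `${commit_sha}`. Chain them with `&&` or give each build its own step so a failure is visible and stops the run.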
Can we limit it to a single configuration that bundles the most common features first?
- name: Build and Push Container Image
  run: DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/kbs-${{ github.sha }} --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f docker/Dockerfile --push
I've seen that discussion of quay.io vs ghcr on other occasions. IIRC, the last time we decided to stick with quay.io but at some point migrate everything to ghcr (which seems the preferable registry). From what I've seen, ghcr has been used to deploy test/CI images, though.
@kartikjoshi21 how do those images relate to https://github.com/confidential-containers/kbs/pkgs/container/key-broker-service ?
211d262 to 019e73b
Nice PR. Thanks for this. Let's discuss some details
id: commit_sha | ||
run: echo "::set-output name=sha::$(git rev-parse --short ${{ github.sha }})" | ||
|
||
- name: Login to quay Container Registry |
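Review bot: the `run` line of the `commit_sha` step uses the `::set-output` workflow command, which GitHub has deprecated; write the value to the step's output file instead, e.g. `echo "sha=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_OUTPUT"`. Reading the default `GITHUB_SHA` environment variable also avoids templating `${{ github.sha }}` directly into the script text.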
- name: Login to quay Container Registry | |
- name: Login to GHCR Container Registry |
run: | | ||
commit_sha=${{ steps.commit_sha.outputs.sha }} | ||
|
||
DOCKER_BUILDKIT=1 docker build -t ghcr.io/kartikjoshi21/confidential-containers/kbs:kbs-${{ github.sha }} --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f docker/Dockerfile --push |
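Review bot: `commit_sha` is assigned on the first line of the script but never used, because the `-t` tag on the build line interpolates `${{ github.sha }}` instead; pick one so the short-SHA step is not dead code and the tag format is unambiguous. The tag also hard-codes the `ghcr.io/kartikjoshi21/...` namespace, so the push only succeeds with credentials for that personal account; derive the namespace from the repository owner or a workflow-level variable.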
Maybe we can push the image to coco's community repo https://github.com/orgs/confidential-containers/packages.
cc @fitzthum wdyt?
Then we need to think about the location of the images. Two ideas from my side.
- The same repo as current kbs. The image name might be
ghcr.io/confidential-containers/key-broker-service:commit-${{ github.sha }}
- A new repo for staged images (We can think that AS/RVPS would also need on every merge to main). The image name might be
ghcr.io/confidential-containers/staged-images:kbs-commit-${{ github.sha }}
Maybe let's keep merge-to-main images as part of a new repo to avoid confusion. What do you think?
@kartikjoshi21 at the moment this is not mergeable, right? It's pushing to your repo and that will only work on your fork (also, it's probably not what we want)
2e61127 to 06ed40f
06ed40f to d77dc22
- name: Login to GHCR Container Registry | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ secrets.repository_owner }} | ||
password: ${{ secrets.GHCR_TOKEN }} |
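Review bot: `username: ${{ secrets.repository_owner }}` reads the owner from the `secrets` context, so it resolves to an empty string unless a secret with that name has been created; the owner is exposed as `github.repository_owner` (or use `github.actor`). On the `password` line, `GHCR_TOKEN` implies a separately provisioned, long-lived token tied to a user account; the workflow's built-in `secrets.GITHUB_TOKEN` with `permissions: packages: write` on the job is short-lived, scoped to this repository, and needs no manual rotation.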
The auth scheme looks different from what's described here:
Is GHCR_TOKEN something that is used as a convention elsewhere in the project?
Updated the naming convention per official document, Thanks
d77dc22 to b8316c1
lgtm. thanks
btw, the link error will be fixed in #216
b8316c1 to 2595eda
Thanks! lgtm
Seems that PR still needs some time to review. I put a quick fix PR #222
@kartikjoshi21 Would you please rebase the latest code? I think the link check can pass now.
2595eda to 199f89b
Thanks @Xynnn007.
Hi @wainersm please take a look if this pr looks good to you
Fixes: confidential-containers#167 Signed-off-by: Kartik Joshi <[email protected]>
31c6f9b to 7b7755a
LGTM, thanks @kartikjoshi21
@kartikjoshi21 Hi, seems that there is something wrong. Could you help with this? See https://github.com/confidential-containers/kbs/actions/runs/7083141332/job/19275029794
Maybe env.REGISTRY needs to be ghcr.io?