-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add github action workflow to build pipeline base images #603
Conversation
This github actions workflow is used to build pipeline base image in multi-arch form with docker buildx. Architectures for manifest are amd64, arm64, s390x, ppc64le. The build runs on amd64 architecture, running builds for other architectures with emulation. The setup requires to have 2 secret parameters("GKE_SA_KEY" and "GKE_PROJECT") to push images to Google Cloud registry. There are also 3 input parameters to construct image name. The default values will create the `gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest` image. Workflow can be start manually at github.com or via Github API. Signed-off-by: Yulia Gaponenko <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @barthy1. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I think @vdemeester or @afrittoli were telling me about this recently but I'm wondering if using GitHub actions is what is solving our problem here or if it is the fact that the GitHub action(s) are using something other than kaniko to build with? There is no reason that we have to keep using kaniko - if using a different image / build method solves this problem we could use it. (Basically I'm trying to make sure that there isn't some underlying issue with Tekton itself that makes Tekton not work for this scenario, because if that is the case I think it's something we'd want to fix) |
This comes from #592. We discussed this in the productivity call and we kinda decided to go the quick way to unlock this while we work on making progress (:crossed_fingers:) on having all this in Tekton. The current "problem" with tekton is not from tekton itself but more on "building multi-arch images in kubernetes", it doesn't have anything to do with the architecture of tekton. As far as I know, there is not way to build multi-arch images using We can wait to run all this in tekton, or we can do the same as we do with prow, use what works while we wait and work on a solution completely tekton based 👼 |
/ok-to-test |
--platform linux/amd64,linux/arm64,linux/ppc64le,linux/s390x \ | ||
--tag ${{ github.event.inputs.imageRegistry }}/${{ github.event.inputs.pathToProject }}/${{ github.event.inputs.url }} \ | ||
--push \ | ||
./pipeline/images |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be different ? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you mean platforms? which one would you you suggest?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nah I meant the ./pipeline/image
path. where is it in the tektoncd/plumbing
repository ? shouldn't this be pointing at each images with a Dockerfile ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so far I've created this PR to build 1 image -gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
- https://github.com/tektoncd/pipeline/blob/master/.ko.yaml#L5
And I thought its Dockerfile is located at https://github.com/tektoncd/pipeline/tree/master/images, so pipeline/images
for pipeline repo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if it works smoothly we can build other images from plumbing repo itself
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ohhhh It's targeting tektoncd/pipeline
, I see 😅
Thanks for the explanation @vdemeester , I agree with moving ahead to unblock this (and think it's important we document why we are making these kinds of decisions). |
I'd like to avoid taking a dependency on GitHub Actions if we can avoid it, since our CI/CD setup is already sort of complicated, involving both Prow and dogfooded Tekton workflows. If the issue at hand is that kaniko is incapable of building multi-arch images, I think there are two ways we could get around it while staying within Tekton:
If those options have already been discussed and rejected it would be good to understand why. |
@imjasonh I posted the changes I used to build a multi-arch kaniko image here: GoogleContainerTools/kaniko#1452 The 0.18 release of mink I cut last night has builds of everything (incl. tekton and kaniko) with arm64: https://github.com/mattmoor/mink/releases/tag/v0.18.0 These aren't producing multi-arch images themselves, but since kaniko can now run on arm64 it can produce arm64 images, and then these can be stitched together with It'd be a really powerful pattern to demonstrate with Tekton (w/ sample, blog), but I have not tried it. |
@mattmoor agree that having just heterogeneous cluster with workers on different architectures is very interesting use case. And I am really looking forward to see that (or even participate with workers on ppc64le or s390x). However GKE where the Tekton dogfooding cluster is running has only amd64 clusters (please, correct me if I am wrong). At this moment the question is how to build I'd like also to point out that |
Test dependency yes, but since Bazel can cross-compile images, getting the builds effectively devolves to adding those architectures here: https://github.com/GoogleContainerTools/kaniko/pull/1452/files#diff-653e8b99fa9eba9096b9386de586f579R19-R22 |
Not wrong, I just wasn't limiting the infra to GKE. I have no clue how Tekton operates (or funds) its infra, so 🤷 |
Thanks for pointing me to that, as |
@barthy1 Yeah, no problem. I think the infra question remains because we need a place to run kaniko natively for that to work, but I'd like to push kaniko upstream to publish a wider variety of architectures once we have some miles through the amd64/arm64 version. After all, there's effectively nothing architecture specific in that image other than the binary, and all we're doing is cross-compiling which is a pretty well exercised path, I'd think. |
Well :) we can use Travis with its native hardware, but it's still extension and using another CI tool :( Github Actions was suggested just as faster and working way to speed up multi-arch builds at first step with plan in the future to switch to Tekton Tasks anyway. However I think this discussion is really great to collect some other ideas and have opportunity to verify them.. |
As a fairly radical alternative, you could try to eliminate the Dockerfile dependency entirely by replacing the tooling dependencies with libraries. e.g. where |
In general, we all agree it would be better to not depend on any other CI and we should aim to build anything in tekton. That said, building multiarch images can be tricky to achieve, in kubernetes at least (aka in containers).
This is, indeed, one issue, but let's give a bit more context. This is mainly about #592, and thus about building
This works for In the light of the comments, I feel @chmouel's comment is a good middle ground. We can create tasks to create a gcloud compute node, setup docker on it, build the images using docker and get the result. |
Close this PR in favour of tektoncd/pipeline#3402 |
Changes
Currently pipeline base image is built using gcr.io/kaniko-project/executor:v0.17.1 which doesn't support multi-arch builds, so it is a stopper to get multi-arch pipeline releases.
This Github actions workflow can be used to build pipeline base image in multi-arch form with
docker buildx
.Architectures for manifest are amd64, arm64, s390x, ppc64le.
The build runs on amd64 architecture, executing builds for other architectures using emulation.
The setup requires to have 2 secret parameters("GKE_SA_KEY" and "GKE_PROJECT")
to push images to Google Cloud registry.
There are also 3 input parameters to construct image name. The default values will create the
gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
image.Workflow can be start manually at github.com or via Github API.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide
for more details.