Usage of Github Packages / Container repository #4514

Closed
rikatz opened this issue Oct 10, 2023 · 6 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@rikatz
Contributor

rikatz commented Oct 10, 2023

Organization or Repo

kubernetes/ingress-nginx

User affected

No response

Describe the issue

Hi folks 👋

At ingress-nginx, we build a bunch of intermediate images that are used for CI, e2e tests, building another final image, etc.

I was testing GitHub Container Registry / GHCR and figured out it could be used with a Personal Access Token or via Actions (we use GH Actions on ingress-nginx), but the published packages are made available on the Org package tab.

There are some approaches to scope the package to a repo, etc., but before using it I would like to know:

  • Can we? Our goal is to use those images just on CI/CD, so 99% of their pulls are going to be from GitHub Actions (there is the 1% of people that may want to run the build and e2e test locally, but it doesn't happen that much)
  • Is there any security concern on publishing the packages, as they appear on k org? If so, what is the desired approach?

Thanks

@rikatz
Contributor Author

rikatz commented Nov 3, 2023

Adding more in here: CNCF is working with Self actuated to provide ARM runners. Today, one of our large build times is on ARM environments (and s390x, but this is another story) and we've been willing to make those builds fast by cutting dependencies but also using better architectures.

Having a process that builds each architecture on its own "runner", pushes to ghcr and combines the layers into a single multi-arch layer seems straightforward (e.g., how atuin does) but we need a place to "push" these layers and then trigger cloudbuild to "get and push to staging", and the promotion stage layer.

@tao12345666333
Member

FYI etcd-io/etcd#16801

The etcd project enables this Arm-based runner

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-ci-robot added the lifecycle/stale label Feb 1, 2024
@mrbobbytables
Member

My apologies for the delay in response on this issue (did respond on Slack).
We looked into it and unfortunately we can't enable the GitHub package functionality for public use.
Essentially GitHub does not give any granular permissions over repos and which ones can be public or private. It's an all or none thing, meaning anyone can create public packages or no one can. Packages also exist outside of GitHub's regular permission system; we cannot create custom roles or anything that could better manage access.

If/when GitHub updates it, we can revisit - but for now it's not something we're going to move forward with enabling. =/

With that I'm going to close this out, if you wish to discuss further, happy to reopen and continue. 👍

/close

@k8s-ci-robot
Contributor

@mrbobbytables: Closing this issue.


@rikatz
Contributor Author

rikatz commented Feb 13, 2024

Thanks for taking care of it Bob, I really appreciate it. We can follow up when there is something new on this feature :)
