Comments (21)
Streaming the build context to the Pod is (probably?) going to be secure if proxied by the API server, which creates unnecessary API Server load (I believe the OpenShift folks pointed this out early in the knative/build days, cc @bparees), and it's unclear that cluster-admins would allow this in general. I'm also unsure if this would work with mTLS enabled on a cluster with mesh (worth testing), especially since post-initContainers tekton can support in-mesh builds (we had folks interested in this in the knative/build days). Another implication of this is that clients must wait for builds to schedule before hanging up, which is exacerbated in multi-build pipelines, where the same context may be used by multiple phases (you have to wait for all tasks to schedule).
The other key thing that kontext was meant to experiment with was leveraging layering to make incremental rebuilds faster, so if you touch a single file, you could augment your prior upload with a single-file layer by extracting a manifest from the prior kontext image and computing the delta. This would mean that if the Build hit the same node on-cluster, the only file transfer would end up being the layer with the single file. Personally, I also like the simplicity of the provenance story when you build from a kontext container's digest.
Sorry for the brain dump, but happy to discuss more, if needed.
from cli.
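The incremental-upload idea in the comment above (take a manifest from the prior upload, ship only the delta as one more layer), as an added example that is not part of the thread or of kontext's code. The path-to-SHA-256 manifest format and the in-memory file trees are assumptions made for illustration; deleted files are recorded as OCI whiteout entries.

```python
import hashlib
import io
import tarfile


def manifest(tree):
    """Map each path to the SHA-256 of its content (tree: path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def delta_layer(tree, prior):
    """Build a tar layer holding only what differs from the prior manifest.

    New or changed files are stored whole; each deleted file becomes an OCI
    whiteout entry (".wh.<name>") so that applying the layer removes it.
    Returns (layer_bytes, entry_names).
    """
    current = manifest(tree)
    entries = {p: tree[p] for p, digest in current.items() if prior.get(p) != digest}
    for gone in prior.keys() - current.keys():
        head, _, name = gone.rpartition("/")
        entries[(head + "/" if head else "") + ".wh." + name] = b""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(entries):  # fixed order and mtime: reproducible digest
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(entries[name]), 0, 0o644
            tar.addfile(info, io.BytesIO(entries[name]))
    return buf.getvalue(), sorted(entries)


# Constructed sample: the tree behind the previous upload and the edited tree.
BEFORE = {"go.mod": b"module demo\n", "src/main.go": b"package main\n", "old.txt": b"x"}
AFTER = {"go.mod": b"module demo\n", "src/main.go": b"package main // edited\n"}

if __name__ == "__main__":
    layer, names = delta_layer(AFTER, manifest(BEFORE))
    print(names, "layer sha256:" + hashlib.sha256(layer).hexdigest())
```

Because entry order and timestamps are fixed, the same edit always yields the same layer digest, which is what makes building from a digest usable as a provenance anchor.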
This would be nice but I wonder how tekton would be able to access it if it's not in a remote data plane somewhere,
from cli.
Yeah we need to have a story on pipeline too for binary or source to image without a git resources builds
from cli.
So would this belong here or somewhere else?
from cli.
@chmouel would tekton not have access to a container registry?
from cli.
@poy it would be very useful to skip the registry and stream the packaged local directory directly to a pipeline
from cli.
@siamaksade I haven't given it deep thought, but my initial gut says that has quite a few edge cases that could make it brittle. Can you retry a pipeline if something goofs? Where is the directory stored? How does auth work?
It seems like that makes that instance have state, which normally we wouldn't want.
from cli.
Agree that retry wouldn't make sense for this use-case. The use-case is to allow a developer to run their local changes through the pipeline for example on minikube before committing them to the git repository.
from cli.
Is auth a concern then?
from cli.
How do you mean?
from cli.
@siamaksade Using a container registry to store the local directory implies the developer has write access to the registry. We can just piggy back on that auth.
However, if we push directly to the pipeline pod, then the pod will have to have an external IP with an exposed endpoint. This endpoint ideally is also secured somehow, but that means we'll have to solve for that.
from cli.
Related issue upstream (I think): tektoncd/pipeline#924
from cli.
Streaming the build context to the Pod is (probably?) going to be secure if proxied by the API server, which creates unnecessary API Server load (I believe the OpenShift folks pointed this out early in the knative/build days, cc @bparees),
This is what we do for what we call "binary" builds in openshift, but yes there are open (but as yet unrealized) concerns about apiserver load.
from cli.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Send feedback to tektoncd/plumbing.
from cli.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
from cli.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
Send feedback to tektoncd/plumbing.
from cli.
@tekton-robot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
Send feedback to tektoncd/plumbing.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from cli.
/remove-lifecycle stale
from cli.
/remove-lifecycle rotten
from cli.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Send feedback to tektoncd/plumbing.
from cli.
I built a simplified form of this into github.com/mattmoor/mink. It now supports uploading a multi-arch version of kontext, and I've used it to run kaniko builds against clusters on amd64 and arm64 on Tekton.
/lifecycle frozen
from cli.