Publish the ecr-credential-provider as a container image

Question

Publish the ecr-credential-provider as a container image

kon-angelo opened this issue a year ago · 8 comments

What would you like to be added:
Requesting to publish the ecr-credential-provider as a container image.

Why is this needed:
The use cases are similar to #512 and to be able to consume the binary without needing to build it ourselves.

The request for the container instead of just the binary is because the containers more or less provide an established way of distribution, and because it makes it easy to fulfil compliance requirements e.g. vulnerability scannings etc.

Note: I can take over the task to provide the changes (makefile, dockerfile etc.), but it would be nice if the maintainers provide a buy-in with regards to idea, and the publishing channels (official k8s.io registry, awslabs).

/kind feature

Answer 1 · 2024-01-11T08:14:33.000Z

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Answer 2 · 2024-01-11T11:03:17.000Z

I don't think a container image is the optimal way to distribute this tool. This binary is available on artifacts.k8s.io, we just need to automate/generate the release notes here to point to it, document it, etc.:

https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.29.0/linux/amd64/ecr-credential-provider-linux-amd64

Answer 3 · 2024-01-11T11:55:16.000Z

This binary is available on artifacts.k8s.io

Thank you! I was not aware.

I don't think a container image is the optimal way to distribute this tool.

The container approach does have some advantages. A proper multi-arch build image basically abstracts the issue of picking the correct version and it also streamlines the consumption e.g. some binaries may be compressed or not. In an environment like a k8s node where you are guaranteed to have a container runtime, the CR can offload part of the process. It's a convenience so to say.

Answer 4 · 2024-01-12T08:26:18.000Z

I do like the multi-arch magic, but having to pull the binary out of the container image is pretty awkward IMO. I can imagine some scenarios when you might want to grab the latest ecr-credential-provider at runtime on each node, but baking it in during the node image build process has it's benefits (the node image can be tested as a package deal, you know you're using a consistent version of the binary across all your nodes, etc.).

If you want to add the ecr-credential-provider to the CCM container image, I'm not opposed; but I think the preferred source should be artifacts.k8s.io (and if you're up for making that easier to discover, it'd be appreciated!)

Answer 5 · 2024-01-13T10:23:55.000Z

@cartermckinnon I very much liked your idea and created a pull request that adds the ecr binary to the cloud-provider image.

With regards to the discovery/visibility, can you please outline some more concrete ideas (here, or you can reach in slack) and let me see what I can contribute.

Answer 6 · 2024-01-13T20:15:31.000Z

So the way this works today:

We increment the version.txt file on a given branch to get a new tag created.
Container images and artifacts are built async.
We open k8s.io PR's to promote the images/artifacts from the staging env to the prod env.

I think we're missing a final step to create a GitHub release with references to the images/artifacts. We need some type of tool/automation for that. That may already exist, or we may just be "doing it wrong" with the new registry/artifacts.k8s.io setup. I'll start a thread in the release-eng channel, I think they would know...

Answer 7 · 2024-04-12T21:02:11.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 8 · 2024-05-12T21:20:36.000Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle rotten
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten