In container only #55
Conversation
Signed-off-by: Scott Rigby <[email protected]>
Signed-off-by: Scott Rigby <[email protected]>
…ion) Signed-off-by: Scott Rigby <[email protected]>
scottrigby
force-pushed
the
in-container-only
branch
from
ffbe8ca to
e45d379
Compare
…ntrypoint Taskfile Signed-off-by: Scott Rigby <[email protected]>
…ainer Signed-off-by: Scott Rigby <[email protected]>
…ntainer Signed-off-by: Scott Rigby <[email protected]>
Signed-off-by: Scott Rigby <[email protected]>
Signed-off-by: Scott Rigby <[email protected]>
Signed-off-by: Scott Rigby <[email protected]>
Signed-off-by: Scott Rigby <[email protected]>
|
Since there's a few PRs waiting on the guts of this to land, I suggest we merge it asap and open a second PR to address any documentation concerns. |
…ner-only Merge upstream/main into in-container-only
Signed-off-by: Scott Rigby <[email protected]>
Signed-off-by: Scott Rigby <[email protected]>
…reful. WDYT? Signed-off-by: Scott Rigby <[email protected]>
| # Install yq | ||
| && BINARY=yq_linux_amd64 \ | ||
| && VERSION=v4.45.1 \ | ||
| && curl -Ls https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O \ |
There was a problem hiding this comment.
from #59, Chris asks "Why did you move yq out of the package manager and into manual install? Are we using something that's so new it's not in packages yet?"
There was a problem hiding this comment.
I believe this is because the packaged yq in ubuntu is ancient.
| - '{{.CONTAINER_RUNTIME}} ps | grep -q "{{.DEV_CONTAINER_NAME}}"' | ||
| vars: [CONTAINER_NAME, IMAGE_NAME] | ||
| deps: | ||
| - task: check-image-exists |
There was a problem hiding this comment.
See Chris' comment #59 (comment)
"The security implications of this are a bit concerning, although if it's necessary it's not something I would loose sleep over.
Can you explain why kubectl port-forward is needed? Is this running port-forward from within the container, or external to the container? Is there a reason you can't just expose a port rather than use host networking?"
There was a problem hiding this comment.
I'm not sure I entirely understand what security implications we're referencing here? we're running a container that we build ourselves with a few tools that we would have otherwise been running on our hosts without any sandboxing.
The primary vector for compromise here might be a MITM attack against the registry we're pushing an image to, but I'm not entirely sure on the utility of storing the dev workflow image in an online registry to begin with, my preference would have been to keep the build in the local image cache.
There was a problem hiding this comment.
I just mean that using host networking bypasses the containerization, however I think this comment is kind of moot after this mornings standup if we're moving to just run on the host anyway and leaving containers as an advanced topic.
|
In a recent CRE sync the team dislikes all of the working syntax options we found so far to make taskfile play nicely with running tasks with args inside containers. They add extra complexity and require explanation to users who want to modify or add tasks. I also proposed the idea of making a simple example repo with only deployment patterns, and i'll do that when i get a little time--once i do, something like this could be added there for discussion. |
4 participants
Collaboration during today's meeting with @hedge-sparrow, @banjoh and @0xJMart
Update: made some larger cleanups.
This PR: