[3.16] implement alpine official container registry via gitlab
Presently, the Alpine official container image is distributed by Docker, but there have been some historical problems with this:
- getting new images updated on Docker's container registry has some variable amount of lag
- the container image has not been signed in 2 years; this seems to be related to the Mirantis split, presumably whoever was signing the official images in Docker's registry left with the Mirantis side of the split.
The container image signing problem is concerning to me; in my opinion, it means that building a container from scratch, downloading our minirootfs directly and verifying it with GPG, is a better practice than actually using the official image. Accordingly, this is not up to the standard that we want in the Alpine community for the container base image, as it is not signed.
Given these points, and the fact that we have deployed GitLab which supports running a container registry, I think it makes sense to publish our own. We can then sign the images with cosign, which is the standard way of doing it for Kubernetes images. (Docker itself does not have any signing integration except for their notary service, which, as noted above, has not been signing anything for the past 2 years.)
As such, I propose that from 3.16 onwards we publish our own container images and self-host them. We should keep the Docker container registry distribution channel for now, but work to deprecate it as an official source of truth for Alpine images; this could be done in 3.17 or 3.18.
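The build-and-sign flow the proposal describes (rebuild the base image from the GPG-verified minirootfs, push it to a self-hosted registry, sign it with cosign), written out as an added example; this is not code from the issue or from Alpine's own tooling. The release URL layout, the `ncopa.asc` key location, the `registry.alpinelinux.org` image name and the `cosign.key`/`cosign.pub` key pair are assumptions to be adjusted for a real build; the checksum and Dockerfile helpers are pure functions that can be exercised offline on constructed input.

```shell
#!/bin/sh
# Added example (not from the Alpine issue): rebuild the Alpine base image
# from the minirootfs tarball, verifying its checksum and GPG signature
# first, then push it and sign the pushed digest with cosign.
set -eu

# Assumed values; override via the environment for another release/arch.
ALPINE_VERSION="${ALPINE_VERSION:-3.16.0}"
ALPINE_ARCH="${ALPINE_ARCH:-x86_64}"
ALPINE_BRANCH="v${ALPINE_VERSION%.*}"
MINIROOTFS="alpine-minirootfs-${ALPINE_VERSION}-${ALPINE_ARCH}.tar.gz"
RELEASE_URL="https://dl-cdn.alpinelinux.org/alpine/${ALPINE_BRANCH}/releases/${ALPINE_ARCH}"
# Assumed location of the release signing key.
RELEASE_KEY_URL="https://alpinelinux.org/keys/ncopa.asc"
# Assumed image name on the self-hosted GitLab registry.
IMAGE="${IMAGE:-registry.alpinelinux.org/alpine/alpine:${ALPINE_VERSION}}"

# Verify a tarball against a ".sha256" file of the form "<hex>  <name>".
# Both files must sit in the same directory; returns 0 only on a match.
verify_checksum() {
  tarball="$1"; sumfile="$2"
  (cd "$(dirname "$tarball")" && sha256sum -c --status "$(basename "$sumfile")")
}

# Verify the detached signature against a keyring that holds ONLY the
# release key, so a stray key in the default keyring cannot satisfy it.
verify_signature() {
  tarball="$1"; sigfile="$2"; keyring="$3"
  gpg --no-default-keyring --keyring "$keyring" --verify "$sigfile" "$tarball"
}

# The image is just the verified tarball unpacked over an empty base.
write_dockerfile() {
  printf 'FROM scratch\nADD %s /\nCMD ["/bin/sh"]\n' "$1"
}

main() {
  workdir=$(mktemp -d)
  cd "$workdir"
  for f in "$MINIROOTFS" "$MINIROOTFS.sha256" "$MINIROOTFS.asc"; do
    curl -fsSLO "$RELEASE_URL/$f"
  done
  curl -fsSL "$RELEASE_KEY_URL" -o release-key.asc
  gpg --no-default-keyring --keyring ./alpine-release.gpg --import release-key.asc

  # Fail closed: a bad checksum or signature aborts under "set -e".
  verify_checksum "$MINIROOTFS" "$MINIROOTFS.sha256"
  verify_signature "$MINIROOTFS" "$MINIROOTFS.asc" ./alpine-release.gpg

  write_dockerfile "$MINIROOTFS" > Dockerfile
  docker build -t "$IMAGE" .
  docker push "$IMAGE"

  # Sign the immutable digest rather than the tag, so a later retag cannot
  # carry the signature onto different content. COSIGN_PASSWORD must be set
  # for the (assumed) cosign.key generated with "cosign generate-key-pair".
  digest=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
  cosign sign --key cosign.key "$digest"
  cosign verify --key cosign.pub "$digest"
}

# Sourcing the file only defines the helpers; set RUN_BUILD=1 to run it.
if [ "${RUN_BUILD:-0}" = 1 ]; then main; fi
```

Consumers verify with the same `cosign verify --key cosign.pub <image@digest>` call before pulling, which is the check the current Docker-distributed image cannot offer.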