lsc-sde / lsc-sde

Lancashire and South Cumbria Secure Data Environment
MIT License

Enable Container Registry GitOps #6

Open qcaas-nhs-sjt opened 10 months ago

qcaas-nhs-sjt commented 10 months ago

Enable GitOps on Container Registries so that they build automatically when the key branches are updated

qcaas-nhs-sjt commented 10 months ago

@vvcb @m1p1h Rather irritatingly, Azure ACR agent pools are not supported in UK South and, as this is a private repository, GitHub Actions cannot see it without more runners. Our policies won't let me release it into North Europe (despite it not containing any sensitive data); as a result I cannot implement GitOps as planned. I am investigating other options now.

vvcb commented 10 months ago

@qcaas-nhs-sjt - this was always a problem. The only way I got around this previously was to make ACR available on the public network, run az acr build and then make it private again ❗ There probably is a better way but I never got around to investigating 😞 .

There are a few options described here. We can always ask Phoenix/Microsoft re how we solve this.

qcaas-nhs-sjt commented 10 months ago

Made some progress on this, but it's not fully working yet:

I've created a GitHub runner ScaledObject using KEDA that will spin up GitHub job runners as needed; these can talk to the Azure Container Registry as they are on the same network. An example of this is in the docker-datascience-notebook repository.

This does appear to be largely working, but the container images are so large that they are reaching the resource limits for the container, so it cannot currently finish the build process. To account for this I'm going to look at creating a second node pool specifically for the job runners to keep them isolated from the rest of the compute resources.

Will hopefully finish this up on Thursday.
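For readers unfamiliar with the pattern described in the comment above, the following is an added illustration (not the project's own manifest and not taken from the docker-datascience-notebook repository) of how KEDA's github-runner scaler can launch ephemeral runners on a dedicated node pool. It uses a ScaledJob rather than a ScaledObject because each workflow job maps naturally to one short-lived pod. The namespace `github-runners`, the Secret `github-runner-pat`, the node label `agentpool: runners`, the taint `workload=runners:NoSchedule`, the runner labels, the resource sizes and the runner image are all assumptions chosen for the example; the owner and repository names are the ones mentioned in this thread.

```yaml
# Added example only. Assumed: KEDA is installed with the github-runner scaler
# available, and a Secret "github-runner-pat" holds a PAT scoped to read
# workflow-job queue state for the repository.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: github-runner-auth
  namespace: github-runners            # assumed namespace
spec:
  secretTargetRef:
    - parameter: personalAccessToken
      name: github-runner-pat          # assumed Secret name
      key: token                       # assumed key inside the Secret
---
apiVersion: keda.sh/v1alpha1
kind: ScaledJob
metadata:
  name: docker-datascience-notebook-runner
  namespace: github-runners
spec:
  pollingInterval: 30                  # seconds between queue checks
  minReplicaCount: 0                   # nothing runs while the queue is empty
  maxReplicaCount: 4                   # hard cap on concurrent image builds
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 5
  jobTargetRef:
    backoffLimit: 0                    # a failed build is retried by GitHub, not by the Job
    template:
      spec:
        restartPolicy: Never
        # Pin runners to a pool reserved for them so a large image build
        # cannot starve the rest of the cluster, and vice versa.
        nodeSelector:
          agentpool: runners           # assumed node pool label
        tolerations:
          - key: workload              # assumed taint applied to that pool
            operator: Equal
            value: runners
            effect: NoSchedule
        containers:
          - name: runner
            # Assumed: an ephemeral-runner image that registers itself with
            # the labels below and exits after one job.
            image: ghcr.io/actions/actions-runner:latest
            resources:
              requests:
                cpu: "2"
                memory: 8Gi
              limits:
                cpu: "4"
                memory: 16Gi           # sized for large notebook images; tune per pool
            securityContext:
              allowPrivilegeEscalation: false
              runAsNonRoot: true
  triggers:
    - type: github-runner
      metadata:
        owner: lsc-sde
        runnerScope: repo
        repos: docker-datascience-notebook
        labels: self-hosted,acr-build  # assumed; must match the workflow's runs-on
        targetWorkflowQueueLength: "1" # one pod per queued job
      authenticationRef:
        name: github-runner-auth
```

The parts that matter for the concern raised in the comment are the `nodeSelector`/`tolerations` pair, which confines the build workload to the dedicated pool, and the explicit `resources.limits`, which should be raised on that pool rather than left at the cluster default that the large images were hitting. Because the runners run inside the cluster's own network, the registry can stay private; the only outbound dependency the trigger introduces is the GitHub API poll authenticated by the PAT.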

vvcb commented 10 months ago

Should we reach out to Microsoft support for advice? We can't be the only ones facing this issue.

qcaas-nhs-sjt commented 10 months ago

I'm happy to talk this through with MS, but from experience I suspect Microsoft will advise us to either:

Of course, if you go down the route of the last of these, I would question why we would want Azure Container Registries anyway, as we could simply post these open source projects directly into Docker Hub where they can be used by anyone that wants them.

Whatever we do we need to have clear guidelines and guardrails to say what is acceptable to store inside of a registry and what is not.