
[FL-33] Fix registry mirror on BottleRocket when ociNamespaces is presented

Open jiayiwang7 opened this issue 1 year ago • 0 comments

Bug

When ociNamespaces is present but the public.ecr.aws registry is not specified in it, the registry mirror configuration will not be passed to the BottleRocket settings, and all the EKS-A artifacts used for cluster provisioning will still be pulled from the public ECR registry.

Root Cause

EKS-A generates the CAPI template from the EKS-A spec. When a user uses registryMirrorConfiguration with ociNamespaces specified in the EKS-A cluster spec, if the default public.ecr.aws is not in the ociNamespaces list, we fail to parse the registryMirrorConfiguration.endpoint and the endpoint will be "" in the CAPI template (this bug might be introduced by the OCI feature support): https://github.com/aws/eks-anywhere/blob/ccfc25e68794e7476c092af46f4ab5bb80581b62/pkg/clusterapi/registry_mirror.go#L72

When the endpoint is empty, the registryMirrorTemplate in the BottleRocket settings will be ignored entirely: https://github.com/abhay-krishna/cluster-api/blob/06a4bf0368897ae359836833505dbc236a395d52/bootstrap/kubeadm/internal/bottlerocket/bootstrap.go#L156-L158, and none of the registry mirror config will be in the userdata used to bootstrap the node.

Solution

  1. Add a validation to fail when ociNamespaces is present in the cluster spec but without the public.ecr.aws registry.
  2. Revisit the ociNamespaces design and figure out a less confusing, better flow.

jiayiwang7, Aug 07 '23 18:08
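A sketch of the validation proposed in Solution 1, added here as an example and not taken from the issue or from the eks-anywhere code base. The `RegistryMirror` and `OCINamespace` types are simplified stand-ins for the spec fields named above, the function name and sample values are hypothetical, and comparing registry names case-insensitively is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the registryMirrorConfiguration fields named in the
// issue; these are not the eks-anywhere API types.
type OCINamespace struct {
	Registry  string
	Namespace string
}

type RegistryMirror struct {
	Endpoint      string
	OCINamespaces []OCINamespace
}

// Registry that, per the issue, must be listed for the endpoint to be rendered.
const defaultRegistry = "public.ecr.aws"

// validateRegistryMirror fails closed: no mirror or an empty ociNamespaces list
// is accepted, but a non-empty list without public.ecr.aws is rejected so the
// cluster is not created with a silently dropped mirror configuration.
func validateRegistryMirror(m *RegistryMirror) error {
	if m == nil || len(m.OCINamespaces) == 0 {
		return nil
	}
	seen := make([]string, 0, len(m.OCINamespaces))
	for _, ns := range m.OCINamespaces {
		// Assumption of this sketch: registry hosts compare case-insensitively.
		reg := strings.ToLower(strings.TrimSpace(ns.Registry))
		if reg == defaultRegistry {
			return nil
		}
		seen = append(seen, reg)
	}
	return fmt.Errorf("ociNamespaces lists %v but has no entry for %s",
		seen, defaultRegistry)
}

func main() {
	// Constructed sample: a mirror is configured, but only docker.io is mapped.
	m := &RegistryMirror{
		Endpoint:      "mirror.example.internal",
		OCINamespaces: []OCINamespace{{Registry: "docker.io", Namespace: "dockerhub"}},
	}
	fmt.Println(validateRegistryMirror(m))
}
```

Rejecting the spec at validation time turns the silent fallback to the public registry into an explicit error before any node userdata is generated.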