
[Umbrella issue] Building AWS infrastructure for registry.k8s.io

ameukam opened this issue 2 years ago • 11 comments

Part of:

  • #3411

Follow up of:

  • https://github.com/kubernetes-sigs/oci-proxy/issues/22

Following AWS folx: https://github.com/kubernetes-sigs/oci-proxy/issues/22#issuecomment-1084011545.

The AWS infrastructure will mainly serve as a hosting environment for image layers of the container images produced by the Kubernetes Project. We should:

  • [x] Get the list of AWS buckets where we want to replicate the image layers : https://github.com/kubernetes-sigs/oci-proxy/issues/38#issuecomment-1085369923
  • [x] https://github.com/kubernetes/k8s.io/issues/3595
  • [ ] Create an IAM role with permissions to write to the buckets
  • [ ] Create a user with access keys using the IAM role
    • From https://kubernetes.slack.com/archives/CCK68P2Q2/p1650407982934869. Created in https://github.com/cncf-infra/aws-infra

ameukam avatar Mar 30 '22 20:03 ameukam

cc @dims @jaypipes

cc @kubernetes/release-engineering

/kind feature
/area artifacts
/area infra
/area release-eng
/sig release

/milestone v1.24

ameukam avatar Mar 31 '22 08:03 ameukam

Closing https://github.com/kubernetes/k8s.io/issues/3541 in favour of this new ticket.

but bringing some of the conversation forward:

Is there an agreed upon naming scheme?

I know that @eddiezane had reserved some buckets at some point @jaypipes. Might look into that, and how we might extend it to have -REGION or similar.

hh avatar Mar 31 '22 20:03 hh

From the #k8s-infra-meeting yesterday:

AI : Create iam-role / CNCF specific for publication, the only thing with write permissions to these buckets. k8s-infra-writer

hh avatar Mar 31 '22 20:03 hh

IMHO we should try to follow some aspects of the infrastructure created for @kubernetes/release-engineering: https://github.com/kubernetes/sig-release/blob/master/release-engineering/gcp.md

  • Reuse the created account, where we will do active development, taking into consideration https://github.com/kubernetes-sigs/promo-tools/issues/533; it can optionally be leveraged for e2e testing. It is not necessary to create one bucket per region; a single bucket per continent (asia, eu, us) would be enough for now.
  • Create a new production-only AWS account with only the buckets, roles, and groups required to host the container images. Only AWS organization administrators should access this account.

ameukam avatar Apr 07 '22 20:04 ameukam

This PR addresses the Terraform for the S3 buckets: https://github.com/kubernetes/k8s.io/pull/3605

riaankleinhans avatar Apr 08 '22 00:04 riaankleinhans

I thought Jay had decided on a list of about 10 regions?

Also, let's ensure we put forward a similar document to https://github.com/kubernetes/sig-release/blob/master/release-engineering/gcp.md in the coming weeks.

hh avatar Apr 11 '22 01:04 hh

Correct. From "determine which AWS regions should serve the image layers" (#38), the following regions should serve the image layers:

  • us-west-2
  • eu-west-1
  • us-east-1
  • eu-central-1
  • us-east-2
  • ap-southeast-1
  • us-west-1
  • ap-northeast-1
  • ap-south-1

riaankleinhans avatar Apr 11 '22 18:04 riaankleinhans

/milestone v1.25

ameukam avatar May 12 '22 03:05 ameukam

/milestone v.126

ameukam avatar Aug 19 '22 22:08 ameukam

@ameukam: The provided milestone is not valid for this repository. Milestones in this repository: [v1.24, v1.25, v1.26]

Use /milestone clear to clear the milestone.

In response to this:

/milestone v.126

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 19 '22 22:08 k8s-ci-robot

/milestone v1.26

ameukam avatar Aug 19 '22 22:08 ameukam

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 17 '22 23:11 k8s-triage-robot

/remove-lifecycle rotten
/milestone v1.27

ameukam avatar Nov 18 '22 11:11 ameukam

/remove-lifecycle stale

ameukam avatar Nov 18 '22 11:11 ameukam

[ ] Create a IAM role with permissions to write to the buckets

@ameukam, this was completed some time ago https://github.com/cncf-infra/aws-infra/pull/10

[ ] Create a user with access keys using the IAM role

we are using federated identity for authenticating https://github.com/cncf-infra/aws-infra/pull/15

BobyMCbobs avatar Nov 20 '22 21:11 BobyMCbobs
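The two finished items above (a single writer role, and federated identity instead of an IAM user with access keys), together with the region list earlier in the thread, can be expressed as IAM documents and checked for least privilege. The script below is an added example, not code from kubernetes/k8s.io or cncf-infra/aws-infra: it builds the writer role's permissions policy scoped to the nine regional buckets, builds a web-identity trust policy pinned to one identity provider, audience and subject, and lints both. The account ID, the bucket naming scheme, the OIDC provider and the subject claim are placeholders; the thread does not say which identity provider cncf-infra/aws-infra#15 federates with, so those values are assumptions.

```python
"""Added example, not code from kubernetes/k8s.io or cncf-infra/aws-infra.
Builds the writer role's permissions and federated trust policies and lints
them for least privilege. ACCOUNT_ID, BUCKET_PREFIX, OIDC_PROVIDER and
OIDC_SUBJECT are placeholders (assumptions), not the project's values."""
import json

# Region list as posted in the thread (oci-proxy#38).
REGIONS = [
    "us-west-2", "eu-west-1", "us-east-1", "eu-central-1", "us-east-2",
    "ap-southeast-1", "us-west-1", "ap-northeast-1", "ap-south-1",
]
ACCOUNT_ID = "123456789012"                                  # placeholder
BUCKET_PREFIX = "prod-registry-k8s-io"                       # placeholder naming scheme
OIDC_PROVIDER = "token.actions.githubusercontent.com"        # placeholder IdP (assumption)
OIDC_SUBJECT = "repo:kubernetes/k8s.io:ref:refs/heads/main"  # placeholder subject claim


def bucket_arn(region):
    return f"arn:aws:s3:::{BUCKET_PREFIX}-{region}"


def writer_policy(regions):
    """Permissions for the single writer role (k8s-infra-writer in the thread):
    list the replica buckets and upload objects; no delete, no bucket config."""
    buckets = [bucket_arn(r) for r in regions]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListReplicaBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": buckets},
        {"Sid": "WriteLayers", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
         "Resource": [b + "/*" for b in buckets]},
    ]}


def writer_trust_policy(provider=OIDC_PROVIDER, subject=OIDC_SUBJECT):
    """Trust policy: web-identity federation only, pinned to one IdP, one
    audience and one subject, so the role needs no IAM user or access keys."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{provider}:aud": "sts.amazonaws.com",
            f"{provider}:sub": subject,
        }},
    }]}


# What federation replaces: trusting the whole account, so any principal in it
# (for example an IAM user holding long-lived access keys) can take the role.
LOOSE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_permissions(doc, allowed_bucket_arns):
    """Findings for a permissions policy: wildcard, delete or bucket-config
    actions, or resources outside the allowed replica buckets."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st["Action"]):
            if a == "*" or a.endswith(":*") or a.startswith(("s3:Delete", "s3:PutBucket")):
                findings.append(f"{st.get('Sid')}: overly broad action {a}")
        for r in _as_list(st["Resource"]):
            base = r[:-2] if r.endswith("/*") else r
            if base not in allowed_bucket_arns:
                findings.append(f"{st.get('Sid')}: resource outside replica buckets: {r}")
    return findings


def lint_trust(doc):
    """Findings for a trust policy: any non-federated principal, or a
    web-identity grant that does not pin both the audience and the subject."""
    findings = []
    for st in doc["Statement"]:
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append("non-federated principal trusted")
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        for claim in ("aud", "sub"):
            if not any(k.endswith(":" + claim) for k in cond):
                findings.append(f"{claim} claim not pinned")
    return findings


if __name__ == "__main__":
    allowed = [bucket_arn(r) for r in REGIONS]
    print(json.dumps(writer_policy(REGIONS), indent=2))
    print("writer policy:", lint_permissions(writer_policy(REGIONS), allowed) or "clean")
    print("federated trust:", lint_trust(writer_trust_policy()) or "clean")
    print("loose trust:", lint_trust(LOOSE_TRUST_POLICY))
```

The lint functions are the part worth keeping around: run them in CI against the rendered policy documents so that a later change which adds s3:DeleteObject, widens a resource to a bucket outside the replica set, or drops the sub condition from the trust policy fails before it is applied.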

Thanks @BobyMCbobs @ameukam, looks like this is done. Should we close the issue or are there more TODOs to add to the issue?

riaankleinhans avatar Nov 20 '22 21:11 riaankleinhans

/close

ameukam avatar Nov 25 '22 16:11 ameukam

@ameukam: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Nov 25 '22 16:11 k8s-ci-robot