opensearch-build icon indicating copy to clipboard operation
opensearch-build copied to clipboard

Published 20 hours ago • verified publisher icon opensearch-project

Add Cloudfront cache invalidation after each promotion

Open peterzhuamazon opened this issue 1 year ago • 6 comments

Add Cloudfront cache invalidation after each promotion.

We are currently manually invalidate the caches, need a mechanism to do so after running promote-repos.

Thanks.

Acceptance Criteria:

  • Save cloudfront id in the secret manager
  • Use the id to make a call with awscli to invalidate based on major version:
/releases/bundle/opensearch-dashboards/1.x/*
/releases/bundle/opensearch/1.x/*

or

/releases/bundle/opensearch-dashboards/2.x/*
/releases/bundle/opensearch/2.x/*

......
  • Execute this after the https://build.ci.opensearch.org/job/distribution-promote-repos/ workflow is done.

peterzhuamazon avatar Dec 01 '23 19:12 peterzhuamazon

All the S3 upload happens via jenkins. Found an inbuilt cloudfront invalidation for AWS jenkins plugin https://plugins.jenkins.io/pipeline-aws/#plugin-content-cfinvalidate We need to incorporate this with all the upload steps to Prod bucket: https://github.com/search?q=repo%3Aopensearch-project%2Fopensearch-build-libraries%20ARTIFACT_PRODUCTION_BUCKET_NAME&type=code

gaiksaya avatar Jan 05 '24 20:01 gaiksaya

What caches are we invalidating? It feels like most things should have a permanent URI that doesn't have files changing underneath. The only one would be for the index file in distributions that handles the redirect to latest?

dblock avatar Jan 09 '24 16:01 dblock

The redirect to latest is a different set up (all things CI). This is about artifacts.opensearch.org. Whenever a new artifact is uploaded to the bucket looks we are not invalidating the cache today which results in delay in availability of the artifacts.

gaiksaya avatar Jan 09 '24 17:01 gaiksaya

The invalidation here is mainly on the metadata files for YUM and APT repo, as part of the end call of https://build.ci.opensearch.org/job/distribution-promote-repos/.

Maybe this too: https://build.ci.opensearch.org/job/publish-opensearch-min-snapshots/

peterzhuamazon avatar Feb 05 '24 19:02 peterzhuamazon

Maybe we can add cfInvalidate(distribution:'someDistributionId', paths:['/*'], waitForCompletion: true) after this line https://github.com/opensearch-project/opensearch-build-libraries/blob/2.0.2/vars/promoteRepos.groovy#L213

We will need to do AWS CLI to retrieve the CloudFront Distribution Id first, maybe something like this ? aws cloudfront list-distributions | jq -r '.DistributionList.Items[].Id' or aws cloudfront list-distributions | jq -r '.DistributionList.Items[]|select(.Aliases.Items[] == "ci.opensearch.org")|.Id'

Do we expect to have more than one CloudFront distribution created on this CI account?

jordarlu avatar Feb 06 '24 21:02 jordarlu

Maybe we can add cfInvalidate(distribution:'someDistributionId', paths:['/*'], waitForCompletion: true) after this line https://github.com/opensearch-project/opensearch-build-libraries/blob/2.0.2/vars/promoteRepos.groovy#L213

We will need to do AWS CLI to retrieve the CloudFront Distribution Id first, maybe something like this ? aws cloudfront list-distributions | jq -r '.DistributionList.Items[].Id' or aws cloudfront list-distributions | jq -r '.DistributionList.Items[]|select(.Aliases.Items[] == "ci.opensearch.org")|.Id'

Do we expect to have more than one CloudFront distribution created on this CI account?

In our case we can just save the id in secret manager as it is fixed. And retrieve the id just like any other secrets.

peterzhuamazon avatar Mar 18 '24 18:03 peterzhuamazon

@gaiksaya and @peterzhuamazon can we close this? @getsaurabh02

prudhvigodithi avatar Sep 05 '24 15:09 prudhvigodithi

We should, it has already been resolve in this PR:

  • https://github.com/opensearch-project/opensearch-build/pull/4753

Thanks.

peterzhuamazon avatar Sep 05 '24 18:09 peterzhuamazon