Migrate away from google.com gcp project kubebuilder

[camilamacedo86]

What do you want to happen?

Description

Today we use GCP and have a project, kubebuilder. We need to move this infrastructure as described in this task: kubernetes/k8s.io#2647. Currently, the GCP infra is used to build some artefacts.

kube-rbac-proxy images

These images are used to build a sidecar for the manager, see:

kubebuilder/testdata/project-v2/config/default/manager_auth_proxy_patch.yaml

Lines 11 to 13 in 3044376

	containers:
	- name: kube-rbac-proxy
	image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1

To know how they are built, you can check it here.

kubebuilder-tools

The kubebuilder tools ship the required binaries to test the projects using EnvTest. We scaffold a target to download them in the projects as well:

kubebuilder/testdata/project-v4/Makefile

Lines 57 to 59 in 3044376

	.PHONY: test
	test: manifests generate fmt vet envtest ## Run tests.
	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out

To know how they are built, you can check it here

Goal

This task aims to migrate the infrastructure used to build and provide them from the new location.

Motivation

To know more about see: https://kubernetes.io/blog/2020/05/27/an-introduction-to-the-k8s-infrastructure-working-group/

Impact

The projects built so far will still need to work on the images scaffold
It is a breaking change and can indeed break the workloads running on the cluster (in the case of the proxy image).

So, we will need to work on providing those from the new places, see if we can also make a copy from all artefacts built and provide so for to the new place, and communicate asap.

IMPORTANT: We should not stop building in the old/current infrastructure until we stop using it. Therefore, that means we need to build in both for a time. I would also suggest that you build these artefacts in the new infrastructure.

What do we need to do

• - Create the new infrastructure - Create infrastructure for kubebuilder artifacts kubernetes/k8s.io#4586
• - Add the jobs to start to build and produce the artefacts in the new infra : https://github.com/kubernetes/test-infra/pull/29351/files
• - Ensure that we will have a target to build the image using GCP and another using the new infra, see; ✨ add new build for new k8s registry infra-prow #3362
• - Make a copy from all that is provided today in the current locations to the new one
• - Update go/v3 and go/v4 scaffolds to gather the image from the new locations
• - Update go/v3 and go/v4 makefile target to download the kubebuilder-tools from the new location
• - Update kubebuilder docs to point out the new location
• - Could you please check if the controller runtime will not be impacted and address the required changes? If they are using those artefacts for the tests, then those tests need to update to gather them from the new location.
• - Communicate broadly to the community and ask for they to update their project to gather them from the new location
• - disable the jobs that runs in the current infrastructure

References

kubernetes/k8s.io#2647
kubernetes/k8s.io#4586

Extra Labels

No response

[yashsingh74]

I can start looking into this.

[camilamacedo86]

HI @yashsingh74,

Thank you for looking into that. But this one is not a good first issue to work on. We will need @rpkatz help to know how to use the new infra and how to promote the assets. You might able to help us out when we have those built, and then we can start to change the docs and scaffolds to use them.

[camilamacedo86]

/assign @rikatz

[rikatz]

Hi there. I wrote something about it on a huge thread, and copy/pasted to https://docs.google.com/document/d/18EKmym3YJ0Ey3LOrQOeWh6RbnSO-odfKuMNVlHPHDmE/edit?usp=sharing (SORRY!!)

@yashsingh74 we have some subtasks here, as:

• Create on https://github.com/kubernetes-sigs/kubebuilder/tree/kube-rbac-proxy-releases a new folder that will be used by the new cloudbuild. This way, we won't break the old one ;)
• Create on https://github.com/kubernetes/test-infra/tree/master/config/jobs/image-pushing a new prowjob to monitor PRs merged on this branch/directory and trigger the cloudbuild. You can use https://github.com/kubernetes/test-infra/blob/master/config/jobs/image-pushing/k8s-staging-ingress-nginx.yaml#L1-L25 as an example

We are going to need to tweak some minor stuff on build script, like pushing to the right repository, etc, using proper substitutions on cloudbuild, etc.

@camilamacedo86 If you and @varshaprasad96 I would like to do the "image replication" work here, mostly getting the images from old repo and pushing to new staging one, so we won't start the manifest file promotion from scratch :)

[camilamacedo86]

I wanted to document the most recent status:

• We've begun updating the kube-rbac-proxy image. However, the only reason this image is being generated by us is because the project isn't under a sig (https://github.com/kubernetes/test-infra/pull/29351/files and ✨ add new build for new k8s registry infra-prow #3362). Ideally, we shouldn't have to re-tag their image but rather consume the one they provide. We're awaiting the completion of its donation so that we can use their official image. More details can be found here: Sig-Auth Pre-Acceptance 2nd Review brancz/kube-rbac-proxy#238. Therefore, I would like to advogated in favor of kubebuilder no longer be responsable for re-tag the images and we deprecated/remove those logic asap the kube-rbac-proxy project be able to provide the images to us. c/c @bihim

• After this step, we'll still require GCP to produce the binaries used by the env test (kubebuilder-tools). Further information can be found here: https://book.kubebuilder.io/reference/artifacts.html

From the current outlook, it seems unlikely that we will be able to avoid using GCP, unless there's a proposal to change the aforementioned binaries.

[rikatz]

On kube-rbac-proxy feature, @sbueringer implemented kubernetes-sigs/controller-runtime#2407 on latest controller-runtime.

I didnt had a chance to look at it yet but have seen some talks about krp not being required anymore with this feature :)

Maybe once kubebuilder supports the new runtime, there's no need to build krp anymore and simply migrate the old images.

[rikatz]

Ah sorry just saw your latest Pr To bump controller-runtime :))) great! So disregard my comment, but maybe we can not promote krp anymore in favor of the new feature :)

[sbueringer]

@rikatz There's a lot of related information in this lengthy Slack thread: https://kubernetes.slack.com/archives/CAR30FCJZ/p1693377335373059

[camilamacedo86]

The latest update of this one is:

• Controller-Runtime maintainers are looking to try to build the envtest binaries in there (in controller-runtime or controller-tools)
• We could not make the kube-rbac-proxy image rebuild work within the new infra because it is not under the k8s umbreally yet.

Further info: https://kubernetes.slack.com/archives/CCK68P2Q2/p1711913605487359

[BenTheElder]

If there are any images other than kube-rbac-proxy that are not just being phased out, they need to be moved to registry.k8s.io sooner than later, there are docs at https://registry.k8s.io, specifically https://github.com/kubernetes/k8s.io/tree/main/registry.k8s.io#managing-kubernetes-container-registries

(We should just move them, rather than migrating to AR in a google.com internal project, we have plans in motion to migrate ~everything in Kubernetes to be solely on community controlled infra by EOY and GCR requires action by early next year anyhow. While technically we could move GCR to AR ~in-place, it makes more sense to switch to community controlled resources while we're at it)