[Umbrella issue] Building AWS infrastructure for registry.k8s.io

[ameukam]

Part of:

• [Umbrella issue] Migrate from k8s.gcr.io to registry.k8s.io #3411

Follow up of:

• determine if redirector needs to be AWS-region aware registry.k8s.io#22

Following AWS folx: kubernetes/registry.k8s.io#22 (comment).

The AWS infrastructure will mainly serve as a hosting environment for image layers of the container images produced by the Kubernetes Project. We should:

• Get the list of AWS buckets where we want to replicate the image layers : determine which AWS regions should serve the image layers registry.k8s.io#38 (comment)
• Create S3 buckets in AWS regions #3595
• Create a IAM role with permissions to write to the buckets
• Create a user with access keys using the IAM role
  • From https://kubernetes.slack.com/archives/CCK68P2Q2/p1650407982934869. Created in https://github.com/cncf-infra/aws-infra
  • Allow trusted cluster serviceaccount to assume s3writer role cncf-infra/aws-infra#15

[ameukam]

cc @dims @jaypipes

cc @kubernetes/release-engineering

/kind feature
/area artifacts
/area infra
/area release-eng
/sig release

/milestone v1.24

[hh]

Closing #3541 in favour of this new ticket.

but bringing some of the conversation forward:

Is there an agreed upon naming scheme?

I know that @eddiezane had reserved some buckets at some point @jaypipes. Might look into that, and how we might extend it to have -REGION or similar.

[hh]

From the #k8s-infra-meeting yesterday:

AI : Create iam-role / CNCF specific for publication, the only thing with write permissions to these buckets. k8s-infra-writer

[ameukam]

IMHO we should try to follow some aspects of the infrastructure created for @kubernetes/release-engineering: https://github.com/kubernetes/sig-release/blob/master/release-engineering/gcp.md #release-engineering .

• Reuse the created account where we will do active development taking into consideration Copy images to AWS regions kubernetes-sigs/promo-tools#533 and can optionally be leveraged for e2e testing. It is not necessary to create one bucket per region; a single bucket per continent (asia, eu, us) would be enough for now.
• Create a new production-only AWS account with only the buckets, roles, and groups required to host the container images. Only AWS organization administrators should access this account.

[riaankleinhans]

This PR address the teraform of S3 buckets:
#3605

[hh]

I thought Jay had decided on a list of about 10 regions?

Also, let's ensure we put forward a similar document to https://github.com/kubernetes/sig-release/blob/master/release-engineering/gcp.md #release-engineering in the coming weeks.

[riaankleinhans]

Correct determine which AWS regions should serve the image layers #38
The following regions should serve the image layers:

• us-west-2
• eu-west-1
• us-east-1
• eu-central-1
• us-east-2
• ap-southeast-1
• us-west-1
• ap-northeast-1
• ap-south-1

[ameukam]

/milestone v1.25

[ameukam]

/milestone v.126

[k8s-ci-robot]

@ameukam: The provided milestone is not valid for this repository. Milestones in this repository: [v1.24, v1.25, v1.26]

Use /milestone clear to clear the milestone.

In response to this:

/milestone v.126

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ameukam]

/milestone v1.26

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ameukam]

/remove-lifecycle rotten
/milestone v1.27

[ameukam]

/remove-lifecycle stale

[BobyMCbobs]

[ ] Create a IAM role with permissions to write to the buckets

@ameukam, this was completed some time ago
cncf-infra/aws-infra#10

[ ] Create a user with access keys using the IAM role

we are using federated identity for authenticating
cncf-infra/aws-infra#15

[riaankleinhans]

Thanks @BobyMCbobs
@ameukam look like this is done. Should we close the issue or are there more TOD's to add to the issue?

[ameukam]

/close

[k8s-ci-robot]

@ameukam: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.