imageLookupFormat should support Kubernetes versions with build metadata, e.g. +fips

[dkoshkin]

/kind feature

Describe the solution you'd like

I'm trying to use imageLookupFormat: my-ami-{{.BaseOS}}-fips-release-?{{.K8sVersion}}-* with a custom AMIs and a Kubernetes version that has some build metadata v1.21.8+fips.0.
AWS AMIs do not support + in the name, and when we build our AMIs using Packer we use clean_resource_name to format the name, which replaces unsupported characters with a -.

So the AMI name ends up being something like my-ami-rhel-8.2-1.21.8-fips.0-1641416145 but the AMI that is being searched for is my-ami-rhel-8.2-?1.21.8+fips.0-* (note the + vs -)

The code that is handling this is here, but its only handling an optional v prefix and no other changes.

Anything else you would like to add:

Originally asked in Slack https://kubernetes.slack.com/archives/CD6U2V71N/p1641571157011400 and discussed 01/10/2022 CAPA meeting.

Environment:

• Cluster-api-provider-aws version: https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/tag/v0.7.2
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

[k8s-ci-robot]

@dkoshkin: This issue is currently awaiting triage.

If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sedefsavas]

There is a change in the AMI name, search logic specifically needs to handle + to - conversion.
With a generic logic, not sure if this specific case can be solved.

Runtime-extensions proposal in cluster-api might be useful to solve this issue: an extension can generate a replaced regex and then that regex is used in CAPA AMI search.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sedefsavas]

/reopen
/lifecycle active
/assign @dkoshkin

[k8s-ci-robot]

@sedefsavas: Reopened this issue.

In response to this:

/reopen
/lifecycle active
/assign @dkoshkin

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[dlipovetsky]

For reference:

Constraints: 3-128 alphanumeric characters, parentheses (()), square brackets ([]), spaces ( ), periods (.), slashes (/), dashes (-), single quotes ('), at-signs (@), or underscores(_)
-- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html

[dlipovetsky]

In my view, this issue is due to only using the AMI name to look up the AMI. Characters in AMI names are limited, as linked above.

What if we use a set of tags to look up the AMI? AMI tags accept any UTF-8 characters.

Two examples:

1. We could expand the AWSMachine spec:

imageLookupTags:
   - KubernetesVersion: "{{ .K8sVersion }}"

When the controller reconciles the AWSMachine, it gets the version from the corresponding Machine object, and evaluates the above to:

imageLookupTags:
   - KubernetesVersion: "1.21.8+fips.0"

This would match an AMI with the following tag:

aws.infrastructure.cluster.x-k8s.io/kubernetes-version: 1.21.8+fips.0

2. We could let the user configure CAPA to use the current name-based, or a new tag-based implementation.

The AWSMachine spec would not change. When using the tag-based implementation

imageLookupFormat: "my-ami-{{.BaseOS}}-fips-release-?{{.K8sVersion}}-*"
imageLookupBaseOS: rhel-8.2

This would match an AMI with the following tag:

aws.infrastructure.cluster.x-k8s.io/image: my-ami-rhel-8.2-1.21.8+fips.0-1641416145

A downside is that a set of tags is not immutable or unique, whereas an AMI name is.

Therefore, CAPA would need to fail if it finds more than one image matching the set of tags.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.