Add support for ECR as the kubernetes repo #68
Conversation
/hold I think this use case is really specific. I think we need a mechanism to enable this, but it shouldn't be part of the core image-builder.
@moshloop I don't think the use case is that specific. I'm making a few assumptions. Please let me know where you think my assumptions are incorrect.
Assumption 1 -- Amazon Elastic Container Registry has widespread usage with AWS customers.
Assumption 2 -- Many (not an insignificant number of) users of
There may be a number of reasons why users would want to use their own or custom container images:
Any CAPA user that wants to use custom container images AND wants to use ECR would need the capability introduced in this PR. I also think there is a valid use case to say this capability belongs in core.
Would be interested in your thoughts.
I agree that the use case is valid, my concern is in the path to achieving the end goal. If we add an option to disable pre-pulling the images then it opens up other approaches:
If this is urgent and 1 is not suitable, then I am not opposed to merging this with a TODO deprecated comment to remove once the extension mechanism is available.
@moshloop this will eventually be fixed once containerd/containerd#6637 is closed. ECR is a pretty popular container registry with users on AWS so I believe this PR should be treated as urgent if we want to foster utilization of
Adding comments.
/lgtm
Travis PTAL /assign @codenrhoden
/lgtm I'd like to see the suggested comments incorporated so we don't lose the future TODO. I think this would also satisfy @moshloop's request, and according to #68 (comment), I'd like to see this one go in before the first tag. I know of end-users that will want this capability.
/assign @aaroniscode PTAL
Thanks everyone for your feedback and review. I've incorporated the suggestions. I also rebased on master and tested using k8s 1.16.2 and private images on ECR.
/lgtm Moshe, does this look good to you?
ping @moshloop |
/unhold |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aaroniscode, moshloop The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Support already exists for a user to choose a private repository to use for the Kubernetes container images. For Cluster API AWS (CAPA), users may choose to leverage Amazon's hosted Docker container registry: Elastic Container Registry (ECR).
One use case for this is to use the VMware signed binaries. A user may wish to push the VMware container images to ECR and create the CAPA AMI with the images pre-pulled. kubeadm doesn't currently support authenticating with ECR: kubernetes/kubeadm#1820.
This PR makes the following changes:
- Adds a new variable, iam_instance_profile, that can be assigned to the Packer builder. ECR is a private repository and requires IAM permissions assigned for access.
- Moves the providers role up earlier in the process. This is because the awscli is used to log into ECR and pull the images. Initially it was installed AFTER the kubernetes role. I read through the providers role and didn't see any issues with the change in ordering, but it would be good to have a second set of eyes confirm the ordering change is not an issue.
- Checks whether kubernetes_container_registry is an Elastic Container Registry. If so, a new set of ansible tasks, ecrpull.yml, logs into ECR and obtains temporary credentials. Then each image is pulled using the temporary credentials.
/assign @detiber
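The flow the description sketches (detect that kubernetes_container_registry is an ECR endpoint, fetch a temporary token with the aws CLI, pull each image with it) as a stand-alone shell script. This is an added example written for this page, not code from image-builder, from ecrpull.yml or from this PR; the function names, the ECR hostname pattern, and the use of docker and aws ecr get-login-password are assumptions for illustration. It adds one step the description does not mention: logging out after the pulls, because docker login writes the token to ~/.docker/config.json and an ECR token stays valid for 12 hours, so leaving it behind would bake a usable credential into the AMI.

```shell
#!/usr/bin/env bash
# Added example, not code from image-builder or this PR. It illustrates the
# ECR branch described above: detect an ECR registry, obtain a temporary
# token through the instance profile, pull the images, drop the token.
# Function names, the hostname pattern and the aws/docker calls are
# assumptions for illustration.

# A private ECR registry hostname (assumed pattern) looks like
#   <12-digit account id>.dkr.ecr.<region>.amazonaws.com
# with "ecr-fips" for FIPS endpoints and ".amazonaws.com.cn" in the China
# partition. Anything else (k8s.gcr.io, a Harbor host, ...) is not ECR.
ECR_HOST_RE='^[0-9]{12}\.dkr\.ecr(-fips)?\.[a-z]{2}(-gov)?-[a-z]+-[0-9]+\.amazonaws\.com(\.cn)?$'

is_ecr_registry() {
  printf '%s\n' "$1" | grep -Eq "$ECR_HOST_RE"
}

# The region is embedded in the hostname; the token must be requested there.
ecr_region() {
  is_ecr_registry "$1" || return 1
  printf '%s\n' "$1" \
    | sed -E 's/^[0-9]{12}\.dkr\.ecr(-fips)?\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$/\2/'
}

# The account id is the first label of the hostname.
ecr_account_id() {
  is_ecr_registry "$1" || return 1
  printf '%s\n' "${1%%.*}"
}

# Pull every image (name:tag, relative to the registry) given on the command
# line. For an ECR registry, log in first with a temporary token; the aws CLI
# picks up credentials from the instance profile (iam_instance_profile), so no
# static keys are needed. For any other registry, just pull.
# The logout afterwards matters inside a Packer build: "docker login" stores
# the token in ~/.docker/config.json and an ECR token is valid for 12 hours,
# so leaving it in place bakes a usable credential into the AMI.
pull_images() {
  registry=$1; shift
  logged_in=0
  if is_ecr_registry "$registry"; then
    region=$(ecr_region "$registry")
    aws ecr get-login-password --region "$region" \
      | docker login --username AWS --password-stdin "$registry" || return 1
    logged_in=1
  fi
  status=0
  for image in "$@"; do
    docker pull "$registry/$image" || { status=1; break; }
  done
  if [ "$logged_in" -eq 1 ]; then
    docker logout "$registry"
  fi
  return "$status"
}

# Usage: ecr-pull.sh <registry> <name:tag>...
# e.g.   ecr-pull.sh 123456789012.dkr.ecr.us-east-1.amazonaws.com \
#            kube-apiserver:v1.16.2 kube-controller-manager:v1.16.2
if [ "$#" -ge 2 ]; then
  pull_images "$@"
fi
```

The image list for a given Kubernetes version can be produced with kubeadm config images list --kubernetes-version v1.16.2 and reduced to the name:tag part; the script expects the names relative to the registry so the same list works for ECR and for a public registry. The detection regex is the security-relevant check: it only accepts a full ECR hostname, so a lookalike such as 123456789012.dkr.ecr.us-east-1.amazonaws.com.evil.example never gets a login attempt that would hand the token to a third party.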