Use ECR as an external registry during 'Zarf Init' #1594
Comments
…ushes (#1590)

## Description

This PR creates a tunnel per image push (making it easier to implement concurrency - may do that in this PR if we can confirm that issues are mitigated), moves the CRC from the image name to the tag and changes the UI to use a progress bar instead of a spinner for better user feedback.

## Related Issue

Relates to #1568, #1433, #1218, #1364

This also will make #1594 slightly easier. (See aws/containers-roadmap#853)

Fixes: #1541

## Type of change

- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [X] Test, docs, adr added or updated as needed
- [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
This might be something to look into (CredentialProviderConfig): https://cloud-provider-aws.sigs.k8s.io/credential_provider/
Ideas:

- This could be solved with something like a preDeploy hook and the ability to inspect a package for a list of images and repos (would keep things out of the zarf code).
- We could also have a long running pod that we call out to in a standardized way.
- We could include AWS specific code inside of Zarf.
We may want to document setting up an IAM role (that can be assumed) as a prerequisite and have zarf be opinionated to use assume-role so it doesn't need to worry about static creds and rotations.
Relates to #1594

This PR adapts the way that Zarf saves the package-secrets so that the secrets are now updated more frequently and can be used as an indicator of what a package is about to (and is in the process of) deploying. These more frequently updated secrets can be viewed and acted upon by a webhook such as `Pepr`. As Zarf updates the secrets, it will check to see if a webhook has mutated the component webhook `status` of the secret to `Running` and respectfully wait for the webhook to change the `status` of the secret back to indicate whatever non-async work has been completed.

The `--skip-webhooks` flag can be used to tell Zarf to skip checking/waiting for webhooks to complete during package deployments:

`zarf package deploy [package tarball] --skip-webhooks`

---------

Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
Co-authored-by: Lucas Rodriguez <lucas.rodriguez@defenseunicorns.com>
Co-authored-by: Lucas Rodriguez <lucas.rodriguez9616@gmail.com>
Noting that the solution for this will be implemented in this repo:
Is your feature request related to a problem? Please describe.
As Ashton I want an easy way to deploy Zarf configured with ECR as an external registry so that I can take advantage of the HA benefits of running a registry out of the cluster in AWS.
Describe the solution you'd like
`zarf init` with an ECR registry domain configured, keeping the `private-registry` credentials up to date.

Additional context
ECR has a few 'unique' quirks that make it difficult to use as an external registry at the moment.
ECR credentials are only valid for 12 hours, so something within clusters would have to refresh the zarf image pull secrets so that the kubelet is able to authenticate and pull images from ECR during package deployments.
ECR registries do not have the ability to 'push to create' repositories that do not exist yet. Since Zarf packages will be pushing all sorts of images into the registry when the package is being deployed, this is a pretty big blocker.
Using ECR as an external registry would be really useful for a lot of people so we should implement some solution to the two issues above.
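The two quirks above, worked through in stand-alone Go as an added example (this is not Zarf's code and not part of the thread): an ECR authorization token is turned into the `.dockerconfigjson` payload the kubelet reads from the `private-registry` secret, a refresh check flags the secret before the 12-hour expiry, and the set of ECR repositories that must exist before a package's image pushes is computed from the image references, since ECR will not create repositories on push. The token and image list are constructed sample data, the AWS and Kubernetes API calls (GetAuthorizationToken, DescribeRepositories, CreateRepository, the secret update) are left out, and `ecrToken`, `sampleToken`, `dockerConfigJSON`, `needsRefresh`, `repoName` and `missingRepos` are names chosen here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// ecrToken holds the fields of an ECR GetAuthorizationToken response that
// matter for a pull secret. Here it is filled from constructed values; a real
// refresher would populate it from the ECR API (not shown).
type ecrToken struct {
	AuthorizationToken string    // base64("AWS:<password>"), as ECR returns it
	ExpiresAt          time.Time // ECR tokens are valid for 12 hours
	ProxyEndpoint      string    // e.g. "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"
}

// sampleToken is a constructed token for the example, not a real credential.
func sampleToken(now time.Time) ecrToken {
	return ecrToken{
		AuthorizationToken: base64.StdEncoding.EncodeToString([]byte("AWS:secret")),
		ExpiresAt:          now.Add(12 * time.Hour),
		ProxyEndpoint:      "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
	}
}

// dockerConfigJSON builds the value stored under the ".dockerconfigjson" key of a
// kubernetes.io/dockerconfigjson secret, which is what the kubelet uses to pull.
func dockerConfigJSON(tok ecrToken) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(tok.AuthorizationToken)
	if err != nil {
		return nil, fmt.Errorf("decode ECR token: %w", err)
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return nil, fmt.Errorf("ECR token is not in user:password form")
	}
	host := strings.TrimPrefix(tok.ProxyEndpoint, "https://")
	cfg := map[string]map[string]map[string]string{
		"auths": {host: {
			"username": user,
			"password": pass,
			"auth":     tok.AuthorizationToken, // docker's base64(user:pass), same as the ECR token
		}},
	}
	return json.Marshal(cfg)
}

// needsRefresh is true once less than `margin` remains before expiry, so the
// secret is rewritten well before a deploy could race the 12-hour cutoff.
func needsRefresh(expiresAt, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(expiresAt)
}

// repoName strips the registry host, tag and digest from an image reference,
// leaving the repository path that ECR requires to exist before a push.
func repoName(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 { // drop digest
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") { // drop tag
		ref = ref[:i]
	}
	// The first path segment is a registry host only if it looks like one.
	if host, rest, ok := strings.Cut(ref, "/"); ok &&
		(strings.ContainsAny(host, ".:") || host == "localhost") {
		return rest
	}
	return ref
}

// missingRepos returns, sorted and de-duplicated, the repositories the given
// pushes need that are not in `existing` (which a real implementation would
// fill from DescribeRepositories, then feed to CreateRepository).
func missingRepos(images []string, existing map[string]bool) []string {
	seen := map[string]bool{}
	var out []string
	for _, img := range images {
		repo := repoName(img)
		if existing[repo] || seen[repo] {
			continue
		}
		seen[repo] = true
		out = append(out, repo)
	}
	sort.Strings(out)
	return out
}

func main() {
	now := time.Now()
	tok := sampleToken(now)
	secret, err := dockerConfigJSON(tok)
	if err != nil {
		panic(err)
	}
	fmt.Printf(".dockerconfigjson: %s\n", secret)
	fmt.Println("refresh needed with 1h margin:", needsRefresh(tok.ExpiresAt, now, time.Hour))

	// Constructed list of images a package would push into the ECR registry.
	images := []string{
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/library/nginx:1.25",
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/library/nginx:1.26",
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/defenseunicorns/zarf/agent@sha256:0123456789abcdef",
	}
	fmt.Println("repos to create:", missingRepos(images, map[string]bool{"library/nginx": true}))
}
```

Run as a CronJob (or a loop in a long-running pod) with an assumed IAM role, the `needsRefresh` check decides when to fetch a new token and rewrite the secret; running `missingRepos` over the package's image list before the push step is what stands in for ECR's missing push-to-create.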