Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Image swap registry when using ECR cross region? #660

Open
jetersen opened this issue Feb 9, 2024 · 6 comments
Open

Image swap registry when using ECR cross region? #660

jetersen opened this issue Feb 9, 2024 · 6 comments

Comments

@jetersen
Copy link

jetersen commented Feb 9, 2024
edited
Loading

We currently rely on GitOps for our deployments so changing the image registry for our US located deployment in Git is less interesting for checking for updates.

However running image swapper for our US Cluster we would like to swap our EU registry out with our registry in the US region that uses cross region replica. How can I achieve this in the configuration options?

The docs are not very clear on cross region and does not currently seem to support multiple filters and targets per filter.

I would potentially also like to have multiple sources based on different filters and targets with different lifecycle policy.
Instead of running two image swappers.

Cause I would like to copy all non ECR images to ECR and only keep a few images around.
While for images using our ECR registry we want different rules.

This is our current config:

logLevel: info
logFormat: json
imageSwapPolicy: always
imageCopyPolicy: delayed
imageCopyDeadline: 60s

source:

  filters:
  - jmespath: "contains(container.image, '.dkr.ecr.') && contains(container.image, '.amazonaws.com')"

target:
  type: aws
  aws:
    accountId: "snip"
    region: "eu-west-1"
    ecrOptions:
      accessPolicy: |
        {
          "Statement": [
            {
              "Sid": "AllowCrossAccountPull",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
              ],
              "Condition": {
                "StringEquals": {
                  "aws:PrincipalOrgID": "SNIP"
                }
              }
            }
          ],
          "Version": "2008-10-17"
        }
      lifecyclePolicy: |
        {
          "rules": [
            {
              "rulePriority": 1,
              "description": "Rule 1",
              "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 1
              },
              "action": {
                "type": "expire"
              }
            },
            {
              "rulePriority": 2,
              "description": "Rule 2",
              "selection": {
                "tagStatus": "any",
                "countType": "imageCountMoreThan",
                "countNumber": 5
              },
              "action": {
                "type": "expire"
              }
            }
          ]
        }
@estahn
Copy link
Owner

estahn commented Feb 12, 2024
edited
Loading

@jetersen Just to summarise for my understanding. You would like to change the source address based on certain criteria?

Example:

  • Source: 123456789012.dkr.ecr.eu-west-1.amazonaws.com/mservice:42
  • k8s-image-swapper Result: 123456789012.dkr.ecr.us-east-1.amazonaws.com/mservice:42

In case the image is missing in US East (us-east-1), would that be written to ECR eu-west-1 from the US cluster?

@jetersen
Copy link
Author

jetersen commented Feb 12, 2024
edited
Loading

Yes that is exactly what I want to achieve in addition to delayed copying open source images in the hope that eu to us replication already has copied image

The image is not missing as it would be replicated by AWS cross region replication.

So eu-west-1 registry is the source of truth and us-east-1 is our replica registry.

Potentially if image swapper could check for us-east-1 availability if not simply do not mutate and once next pod rolls around it would then start mutating because the image got replicated

@estahn
Copy link
Owner

estahn commented Feb 13, 2024
edited
Loading

Got it. I think this would partially work as follows:

Cluster US:

  • ImageSwapPolicy: exists
  • ImageCopyPolicy: none

What is missing is some way to alter the source address, e.g.

source:
  filters:
  - jmespath: "contains(container.image, '.dkr.ecr.') && contains(container.image, '.amazonaws.com')"

  preprocessor:
  - replace:
       from: dkr.ecr.eu-west-1.amazonaws.com
       to: dkr.ecr.us-east-1.amazonaws.com

Do you think that would work for your use-case?

@estahn estahn mentioned this issue Feb 13, 2024
Open
@jetersen
Copy link
Author

jetersen commented Feb 13, 2024
edited
Loading

Oh ya a preprocessor step you could as long as it follows the normal path to check if the modified source image exists and if it does do nothing. I think that should work for my use case 👏
That should help with most of the rate limiting issues we seen.

@wosiu
Copy link

wosiu commented Jun 20, 2024

@jetersen I think this: https://github.com/jainishshah17/tugger?tab=readme-ov-file#configure
does exactly what you need.
I look at k8s-image-swapper as a tool for mimicking pull-through cache, because it pulls and pushes image into regional pull-through cache. What you need is just mutating a registry, which I think the linked admission webhook is better with its flexibility.

@jetersen
Copy link
Author

But image swapper is an admission webhook already 😅 Why do I need another?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@estahn @jetersen @wosiu