[Tracking/Request] Access AWS through CNCF credits #8

Closed
nikimanoledaki opened this issue Nov 22, 2023 · 28 comments

Comments

@nikimanoledaki
Contributor

nikimanoledaki commented Nov 22, 2023

Unblocks #1

What is needed?

We need to open a Servicedesk ticket to get access to AWS so that we can use the credits offered by AWS for the CNCF: https://github.com/cncf/servicedesk#how-can-i-use-the-computing-infrastructure-provided-by-the-cncf

Why is it needed?

This will enable the Green Reviews WG to create an S3 bucket to store the OpenTofu state for the Equinix Metal infrastructure & k3s-created cluster.

See also:

Who can access this?

AWS access can be limited to the TAG ENV leads for now, which is what we are doing with the Equinix infrastructure as well.

@jeefy

jeefy commented Nov 22, 2023

Ping @vielmetti -- does Equinix have an s3-compatible object storage offering that we can leverage here? It feels kinda weird and inefficient needing Provider A around to store state for Provider B.

@Callisto13

Callisto13 commented Nov 27, 2023

Equinix does technically have s3 object storage, but it is not part of or tied into Metal (you can't just click around in your customer console and "get" object storage in the same way you can through AWS and the like). The s3 storage from Equinix is part of managed services, meaning it is not built or provided by the company. In this case the provider is Netapp, and the managed service offered through Equinix is basically StorageGrid. It is only available in the Netherlands, although I think another EU metro is going to be added "soon". The only way I can see to get it right now is via a sales call, and I believe Equinix will connect it all up with the customer's other services (like Equinix Fabric etc). I am not sure what the user experience is like, how the docs are, what the cost would be, or whether there is a fixed contract term (I am finding out these things), but my gut would say AWS would be an easier choice.

If you would like to stay within Metal, and don't mind the maintenance overhead, another option would be to deploy an extra Metal server which is optimised for storage (basically choose one with large disks) and run MinIO on it. Or you could run object storage in the kubernetes cluster itself, again with MinIO or similar.

@nikimanoledaki lmk if you need anything else 👍

@rossf7
Contributor

rossf7 commented Nov 27, 2023

Thanks @Callisto13! Since the s3 storage is not part of Metal I also think AWS is going to be the easier choice.

Object storage is a better fit rather than a dedicated server because we just need to store the tofu state, but we can't run it inside the cluster due to the usual chicken-and-egg problem fun :)

@nikimanoledaki
Contributor Author

nikimanoledaki commented Dec 4, 2023

Thank you all for your valuable input! Access to AWS for S3 would be the simplest solution with the least amount of overhead, which would be best in our case given that this is a community-led project so time and effort are limited.

Unfortunately, object storage access currently blocks the cluster provisioning PR and the rest of the WG's pipeline implementation. 🙁

@jeefy @vielmetti, we would appreciate your feedback and help with unblocking this! Thank you 😊

@vielmetti

There are a couple of tools that provide S3 compatible object storage. One or more of them might be appropriate for your needs. @Callisto13 referenced Minio - but I guess what I'd like to know first is how much storage you need (megabytes, gigabytes, terabytes)?

I am OOO until 12/11 and I know @jeefy is away but we hopefully can make some progress.

@rossf7
Contributor

rossf7 commented Dec 5, 2023

but I guess what I'd like to know first is how much storage you need (megabytes, gigabytes, terabytes)?

@jeefy @vielmetti We only need a small amount of storage. Currently the tofu state file is 10 KB in the S3 bucket I tested with. It might grow a bit but not above the megabytes range.

cc @nikimanoledaki

@vielmetti

@rossf7 Is OpenTofu limited to only using the S3 protocol, or are there other file storage / file retrieval options available? Trying to understand what's possibly variable in the configuration, e.g. can this be done with a web server of some kind instead.

Very obviously "let's spin up a dedicated server to store a 10kb file" is not a reasonable option.

I am looking at https://opentofu.org/docs/language/settings/backends/configuration which appears to be the relevant docs for the relevant configs, and it looks like there's more than one useful option.

@vielmetti

I reached out to the "OpenTofu Community" Slack to ask for someone there to weigh in on the backend configuration options question.

@rossf7
Contributor

rossf7 commented Dec 6, 2023

Hi @vielmetti, thanks for reaching out to the OpenTofu Slack. I also joined there and good idea to see if there is another backend we can use.

@rossf7
Contributor

rossf7 commented Dec 8, 2023

@vielmetti thanks again for reaching out in the OpenTofu Slack. The feedback was very helpful and we could use a cloud backend instead of S3. https://opentofu.org/docs/cli/cloud/settings

One of the Spacelift cofounders kindly offered we could use their service for free since we are a CNCF project. I'm going to try this out to see how it compares with using S3.

I've added an item to discuss this at the next WG meeting (Wed 13 December @ 17:00 CET).

@rossf7
Contributor

rossf7 commented Dec 14, 2023

Hi @jeefy I investigated using Spacelift as an alternative and we discussed it during the WG meeting yesterday and with @vielmetti. We feel using an S3 bucket from AWS is a better solution.

We could use the Spacelift CLI to manage the state. However, under the hood Spacelift uses an AWS S3 bucket, and we would be adding a third-party service as a dependency for the WG.

With an AWS S3 bucket we can use the OpenTofu CLI directly. This aligns with the goal we have of using CNCF projects when possible for our stack.

cc @nikimanoledaki @leonardpahlke @AntonioDiTuri

@nikimanoledaki
Contributor Author

Thank you @rossf7 & @vielmetti for syncing and looking into this.

@jeefy we would really appreciate your help with unblocking this, please! Thank you.

@nikimanoledaki nikimanoledaki moved this from Backlog to Under Review in TAG-Environmental-Sustainability Jan 9, 2024
@nikimanoledaki
Contributor Author

nikimanoledaki commented Jan 10, 2024

@leonardpahlke, hi! Could you report back with updates about the service desk ticket, please? Thank you for your help with unblocking this :)

@jeefy

jeefy commented Jan 10, 2024

I'm getting out of the way lol. @idvoretskyi Would you mind tackling setting this up? :)

@idvoretskyi

@jeefy sure!

@idvoretskyi

@nikimanoledaki can you please assign this to me?

@nikimanoledaki
Contributor Author

Thank you for looking into this @jeefy & @idvoretskyi! 🙌

@nikimanoledaki
Contributor Author

nikimanoledaki commented Jan 17, 2024

@idvoretskyi which next steps would you recommend? Would it help if we opened a Service Desk issue to track this? :)

@jeefy

jeefy commented Jan 29, 2024

Quick update, redirected this from @idvoretskyi to someone from LF IT to unblock the request, bucket should be created shortly. :) Thanks!

@ynwa99

ynwa99 commented Jan 29, 2024

Hello @nikimanoledaki -- My name is Shah and I'm with LF IT. I created a bucket named tag-environmental-sustainability within the CNCF AWS account. By default the bucket blocks all public access. How would you like to best access the bucket? Are there any particular users or a group alias you want me to assign IAM permissions to for this bucket?

@leonardpahlke
Member

Thank you so much @jeefy and @ynwa99! Could we name the bucket tag-env-green-reviews-open-tofu to better capture the use case / purpose of the bucket?

@leonardpahlke
Member

@ynwa99 — regarding access, @cncf-tags/tag-env-leads + @cncf-tags/tag-env-wg-green-reviews-leads is the group that could have access. Not sure how you usually maintain this list. For this use case it may be a bit of overhead, and it may be easier to create one technical user with just CLI access to this one bucket, which we can use in our GitOps workflow.

@nikimanoledaki nikimanoledaki moved this from Under Review to In Progress in TAG-Environmental-Sustainability Jan 30, 2024
@ynwa99

ynwa99 commented Jan 31, 2024

For access, when you say "one technical user", is there a specific person you had in mind?

@leonardpahlke
Member

Not really. We just need one user. This can be sort of a technical user. tag-environmental-sustainability-tech-user or similar & CLI creds.
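The "one technical user with CLI access to this one bucket" that Leo asks for above is, in IAM terms, a user with an inline least-privilege policy. The following is an added example written for this page, not code from the thread or the Green Reviews WG: it expresses that policy in OpenTofu HCL. It assumes the bucket name requested earlier in the thread (tag-env-green-reviews-open-tofu), the user name suggested in the comment above (tag-environmental-sustainability-tech-user), and that the policy is attached inline to that user; the statement IDs and policy name are placeholders.

```hcl
# Added example (not the thread's own code): least-privilege policy for a single
# technical user whose only job is to read and write OpenTofu state in one bucket.
# Assumed names: the bucket requested in this thread and the user name suggested
# in the comment above.
locals {
  state_bucket = "tag-env-green-reviews-open-tofu"             # bucket name requested in this thread
  state_user   = "tag-environmental-sustainability-tech-user"  # assumed user name
}

data "aws_iam_policy_document" "tofu_state" {
  # The s3 backend lists the bucket to discover whether the state object exists,
  # so ListBucket is needed on the bucket ARN itself (not on the objects).
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.state_bucket}"]
  }

  # Read, write and delete are granted on the objects only. DeleteObject is
  # included so lock objects can be removed; drop it if locking is not used.
  statement {
    sid       = "ReadWriteStateObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${local.state_bucket}/*"]
  }

  # Explicit deny for any request that does not arrive over TLS, so the state
  # (which can contain provider tokens and cluster credentials) never travels
  # in clear text even if a client is misconfigured.
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::${local.state_bucket}",
      "arn:aws:s3:::${local.state_bucket}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# Inline policy on the technical user: no managed policies, no access to any
# other bucket or service in the account.
resource "aws_iam_user_policy" "tofu_state" {
  name   = "tofu-state-bucket-access" # placeholder policy name
  user   = local.state_user
  policy = data.aws_iam_policy_document.tofu_state.json
}
```

Two checks worth running once the user exists: `aws sts get-caller-identity` with the new access key should return the technical user's ARN, and `aws s3 ls s3://tag-env-green-reviews-open-tofu/` should succeed while `aws s3 ls` (listing all buckets) should fail with AccessDenied. If the second command succeeds, the user has more than the single-bucket access the comment above asked for.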

@leonardpahlke
Member

I opened a service desk issue to get a 1Password account to store the credentials

@ynwa99

ynwa99 commented Feb 5, 2024

Hi Leo, thanks for chatting with me on Slack a bit more about this request. I'm happy to say there is now an S3 bucket in the CNCF AWS account available for the TAG env sustainability team to use. The bucket name is tag-env-green-reviews-open-tofu and the username is tag-env-technical-user.

How would you like me to share the access key credentials?

@leonardpahlke
Member

Thanks! If that's OK, you can send me the creds via Slack DM. We will get a 1Password account for the TAG, but that will likely take a bit. See cncf/tag-env-sustainability#336

@rossf7
Contributor

rossf7 commented Feb 7, 2024

We've switched to use the new S3 bucket for the cluster. Thanks all for the help with this!
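The thread ends with the cluster's OpenTofu state moved into the new bucket. As an added example (not code from the thread or the Green Reviews WG repository), this is the shape of an s3 backend block that stores state in that bucket with the technical user's credentials kept out of the committed configuration. The bucket name is the one created in this thread; the state key, the region and the environment-variable names for the credentials are assumptions.

```hcl
# Added example (not the thread's own code): OpenTofu s3 backend for the
# Equinix Metal / k3s cluster state. Bucket name from this thread; key and
# region are assumed.
terraform {
  backend "s3" {
    bucket  = "tag-env-green-reviews-open-tofu"          # bucket created in this thread
    key     = "equinix-metal/k3s/terraform.tfstate"     # assumed object key
    region  = "us-east-1"                                # assumed bucket region
    encrypt = true                                       # server-side encryption of the state object

    # No access_key / secret_key here. The technical user's key pair is read by
    # the backend from AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the
    # environment (for example GitHub Actions secrets), so this file can be
    # committed without leaking credentials.

    # State locking with the s3 backend needs a DynamoDB table
    # (dynamodb_table = "...") plus matching IAM permissions; it is omitted
    # here because the thread only provisions the bucket.
  }
}
```

After `tofu init` (which is when the backend is first contacted), `tofu state pull` fetching the object is the quickest confirmation that the bucket, key and credentials line up. The backend block is also where the "chicken-and-egg" point made earlier in the thread shows up in practice: this file is read before any cluster exists, so the state store has to live outside the cluster it describes.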
