-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AMI tags not shared between accounts #353
Comments
StackOverflow to the rescue yet again https://stackoverflow.com/questions/46396906/aws-cross-account-shared-ami-tags-not-showing-up ...points to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions ...specifically
Which basically means tags on public resources are useless. sigh |
So revert #314 (and the other tags?) and back to the drawing board? We can also leave them in AWS for just the rh-dev or other blessed accounts if we want, but the installer shouldn't be looking at them. |
We are also publishing a JSON file with AMI IDs to S3 after our own tests pass (same criteria for the I think the tagging of the |
Yes, although I'm not sure how to square that with different internal/public release cadence. More discussion on this starting here. |
If we wish to maintain the idea that the official API is the AMI JSON files, we could publish multiple variants of the JSON per release channel ( |
So would the buildmaster AMIs be mostly internal, while the alpha and stable AMIs would always be public? Otherwise things seem sticky. For example, if the alpha AMI was private, there would be no way for an external caller to ask "what's the most recent public alpha AMI?". |
Hmm...I didn't know we were targeting having multiple public release channels. Or for that matter, an internal + public version of each release channel. I guess it would help to know how many release channels/variants we are on the hook for. And if we need an internal and public version of each. |
For now we're just targeting to have one public stream. We know we will add more later but specifics over them haven't been worked out yet. |
So basically, "we're fine with the installer as it stands and don't need openshift/installer#409 or other ways to select RHCOS channels"? And you folks can just grant access to whatever internal account (or make the image public) to release it to those users. |
For customer production usage, yes. There will be one stream now and possibly more later. For people doing testing, kicking the tires, or CI systems, then tagging is as important as noted IMHO. |
Right. We can figure that out when we get multiple public streams.
Can't we cover this use-case with a combination of granting accounts access to private AMIs (like we used to do before #304) and an explicit AMI override before calling the installer (so no installer lookup)? Then whoever is doing testing can either ride the bleeding edge in their testing account (so still a single stream, just different from the public stream) or pin to a specific AMI they want to test before it gets promoted to being a public AMI. |
👍
That sounds reasonable to me. Let me tag in @miabbott and/or @dm0- for a second opinion. |
Makes sense to me. I think in this scenario, making the AMIs truly public would then be owned by OpenShift (who had completed some level of additional testing against the AMI). Going back to the tagging proposal from #150 (and #201):
...an |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Spun off from discussion in #314, which landed the tags. Here are two acounts, rh-dev and the one we use for CI:
rh-dev sees alpha tags on AMIs, while CI does not:
Get the actual AMI ID:
The AMI is public:
But I can't describe it from the CI account:
The AMI is there for listing:
Comparing the
descibe-images
output between accounts:So why are those tags not visible to me in the CI account?
CC @miabbott
The text was updated successfully, but these errors were encountered: