Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Publish nightly and release Docker images to public ECR #2465

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

arthurbdiniz
Copy link
Contributor

Signed-off-by: Arthur Diniz [email protected]

What this PR does / why we need it:

This PR adds the feature to push nightly and release Docker images to AWS public ECR.

Which issue this PR fixes: #2370

Special notes for your reviewer:

From the kong organization side, it's necessary to:

  • Create an IAM programmatic user inside AWS. Saving ACCESS_KEY_ID and SECRET_ACCESS_KEY to GitHub secrets as AWS_ECR_ACCESS_KEY_ID and AWS_ECR_SECRET_ACCESS_KEY variables.
  • Create a public ECR repository and add an alias to it.

The IAM user needs to have a policy attached with permissions to the registry and to the specific repository. For this you can follow the official AWS documentation.

Example of policy I have used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPush",
            "Effect": "Allow",
            "Action": [
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:PutImage",
                "ecr-public:InitiateLayerUpload",
                "ecr-public:UploadLayerPart",
                "ecr-public:CompleteLayerUpload",
                "ecr-public:GetAuthorizationToken"
            ],
            "Resource": [
                "arn:aws:ecr-public::000000000000:repository/kubernetes-ingress-controller"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

PR Readiness Checklist:

To validate this PR I have tested it inside my own AWS account and DockerHub:

GitHub actions job

image

ECR

image

Docker Hub

image

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

@arthurbdiniz arthurbdiniz requested a review from a team as a code owner May 5, 2022 17:04
@CLAassistant
Copy link

CLAassistant commented May 5, 2022

CLA assistant check
All committers have signed the CLA.

@rainest
Copy link
Contributor

rainest commented May 5, 2022

Our team doesn't have the ability to create repos or provision keys/IAM users ourselves, but I've asked the team that manages our AWS infrastructure about this.

For my own reference, this is tracked internally as partner-engineering-team#93

@rainest rainest added the blocked label May 5, 2022
@pvalkone
Copy link

pvalkone commented Jun 6, 2022

Our team doesn't have the ability to create repos or provision keys/IAM users ourselves, but I've asked the team that manages our AWS infrastructure about this.

@rainest Any updates to share on this? I'm looking forward to having KIC images hosted on Public ECR.

@shaneutt
Copy link
Contributor

Checkin in on this one?

@mheap mheap self-assigned this May 5, 2023
@mheap mheap removed their assignment Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants