From b71b500d570424f1400ec91a039d0ffdbd811af6 Mon Sep 17 00:00:00 2001 From: Yuanshun Dong <123429070+ysdongAmazon@users.noreply.github.com> Date: Tue, 21 Nov 2023 16:58:21 -0800 Subject: [PATCH 1/5] Update README.md for private cluster instruction (#743) --- config/helm/appmesh-controller/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/helm/appmesh-controller/README.md b/config/helm/appmesh-controller/README.md index 6123871f..4067e8e1 100644 --- a/config/helm/appmesh-controller/README.md +++ b/config/helm/appmesh-controller/README.md @@ -90,6 +90,10 @@ helm upgrade -i appmesh-controller eks/appmesh-controller \ The [configuration](#configuration) section lists the parameters that can be configured during installation. +**Note** +If you want to start the controller in the EKS private cluster, enable the app mesh and service discovery VPC endpoints to the linked private subnet first. Also accountId is a required field now as `--set accountId=$AWS_ACCOUNT_ID`. +More troubleshooting please see: https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html (ECR VPC endpoint doc says ECR VPC endpoint [does not support public repo](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html). It's outdated information.) + **Note** Make sure that the Envoy proxies have the following IAM policies attached for the Envoy to authenticate with AWS App Mesh and fetch it's configuration - https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json From ed3fb7c47e627b3f6de3efd889ee5e6cf012da86 Mon Sep 17 00:00:00 2001 From: BennettJames Date: Tue, 21 Nov 2023 17:59:58 -0800 Subject: [PATCH 2/5] Fix prod release action. Some regions were accidentally deleted (#744) Co-authored-by: Bennett Sala --- .github/workflows/prod-release.yaml | 91 +++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) 
diff --git a/.github/workflows/prod-release.yaml b/.github/workflows/prod-release.yaml index 54a62e67..b599a5a8 100644 --- a/.github/workflows/prod-release.yaml +++ b/.github/workflows/prod-release.yaml 
@@ -37,6 +37,97 @@ jobs:
 docker pull "${SRC}-linux_amd64"
 docker pull "${SRC}-linux_arm64"
+ - name: Deploy Images To ECR Public
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "public.ecr.aws"
+ image_tag: "${{ github.event.inputs.tag }}"
+ dst_image_name: "appmesh/appmesh-controller"
+ region: "us-west-2"
+ role: "${{ secrets.PROD_AWS_ROLE }}"
+
+ - name: Deploy Images to PDX
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "us-west-2"
+ role: "${{ secrets.PROD_AWS_ROLE }}"
+
+ - name: Deploy Images to BAH
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_BAH_AWS_ACCOUNT }}.dkr.ecr.me-south-1.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "me-south-1"
+ role: "${{ secrets.PROD_BAH_AWS_ROLE }}"
+
+ - name: Deploy Images to CPT
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_CPT_AWS_ACCOUNT }}.dkr.ecr.af-south-1.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "af-south-1"
+ role: "${{ secrets.PROD_CPT_AWS_ROLE }}"
+
+ - name: Deploy Images to HKG
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_HKG_AWS_ACCOUNT }}.dkr.ecr.ap-east-1.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "ap-east-1"
+ role: "${{ secrets.PROD_HKG_AWS_ROLE }}"
+
+ - name: Deploy Images to MXP
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_MXP_AWS_ACCOUNT }}.dkr.ecr.eu-south-1.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "eu-south-1"
+ role: "${{ secrets.PROD_MXP_AWS_ROLE }}"
+
+ - name: Deploy Images to CGK
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_CGK_AWS_ACCOUNT }}.dkr.ecr.ap-southeast-3.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "ap-southeast-3"
+ role: "${{ secrets.PROD_CGK_AWS_ROLE }}"
+
+ - name: Deploy Images to BJS
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_BJS_AWS_ACCOUNT }}.dkr.ecr.cn-north-1.amazonaws.com.cn"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "cn-north-1"
+ role: "${{ secrets.PROD_BJS_AWS_ROLE }}"
+
+ - name: Deploy Images to ZHY
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_ZHY_AWS_ACCOUNT }}.dkr.ecr.cn-northwest-1.amazonaws.com.cn"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "cn-northwest-1"
+ role: "${{ secrets.PROD_ZHY_AWS_ROLE }}"
+
+ - name: Deploy Images to TLV
+ uses: ./.github/actions/push-image
+ with:
+ src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+ dst_host: "${{ secrets.PROD_TLV_AWS_ACCOUNT }}.dkr.ecr.il-central-1.amazonaws.com"
+ image_tag: "${{ github.event.inputs.tag }}"
+ region: "il-central-1"
+ role: "${{ secrets.PROD_TLV_AWS_ROLE }}"
+
 - name: Deploy Images to PDT
 uses: ./.github/actions/push-image
 with:
From b7715a5ef4701396e63241a6a9a81060da32bba2 Mon Sep 17 00:00:00 2001
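Review bot: Every new push-image step passes `github.event.inputs.tag` straight into `image_tag` with no validation, and each of those steps assumes a PROD_*_AWS_ROLE in a separate production account; the composite action is not visible here, but if it interpolates `${{ inputs.image_tag }}` into a `run:` script, a crafted dispatch input becomes a shell injection executed with those credentials. One guard step before "Deploy Images To ECR Public" that rejects anything not shaped like a release tag bounds the input regardless of how the action consumes it, and reading the value through `env:` rather than expression interpolation keeps the guard itself injection-safe (adjust the pattern to the project's actual tag scheme). Separately, the promotion copies by tag from the beta registry, so the tag can be re-pointed between the `docker pull` lines at the top of the hunk and the later pushes; resolving the digest once and passing it through would make the release reproducible. The enclosing job and its earlier steps start above this hunk.
```yaml
      - name: Validate release tag
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          [[ "$TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([-.][A-Za-z0-9]+)*$ ]] || { echo "refusing non-release tag: $TAG" >&2; exit 1; }
      # … unchanged: Deploy Images To ECR Public and the per-region push-image steps …
```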
From: Ben Du <5668844+bendu@users.noreply.github.com> Date: Wed, 22 Nov 2023 11:46:51 -0800 Subject: [PATCH 3/5] Update test docker image URIs (#745) --- test/integration/sidecar-v1.22/sidecar_stack.go | 3 ++- test/integration/sidecar/sidecar_stack.go | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/test/integration/sidecar-v1.22/sidecar_stack.go b/test/integration/sidecar-v1.22/sidecar_stack.go
index ae77cb45..3d2761b9 100644
--- a/test/integration/sidecar-v1.22/sidecar_stack.go
+++ b/test/integration/sidecar-v1.22/sidecar_stack.go
@@ -3,6 +3,7 @@ package sidecar_v1_22
 import (
 "context"
 "fmt"
+ "github.com/aws/aws-app-mesh-controller-for-k8s/pkg/inject"
 appmesh "github.com/aws/aws-app-mesh-controller-for-k8s/apis/appmesh/v1beta2"
@@ -17,7 +18,7 @@ import (
 )
 const (
- defaultImage = "public.ecr.aws/b7m0w2t6/color-be-app:2.0.2"
+ defaultImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app"
 )
 type SidecarStack struct {
diff --git a/test/integration/sidecar/sidecar_stack.go b/test/integration/sidecar/sidecar_stack.go
index 915d2864..c945e0d4 100644
--- a/test/integration/sidecar/sidecar_stack.go
+++ b/test/integration/sidecar/sidecar_stack.go
@@ -3,9 +3,10 @@ package sidecar
 import (
 "context"
 "fmt"
- "github.com/aws/aws-app-mesh-controller-for-k8s/pkg/inject"
 "time"
+ "github.com/aws/aws-app-mesh-controller-for-k8s/pkg/inject"
+
 appmesh "github.com/aws/aws-app-mesh-controller-for-k8s/apis/appmesh/v1beta2"
 "github.com/aws/aws-app-mesh-controller-for-k8s/test/framework"
 "github.com/aws/aws-sdk-go/aws"
@@ -22,8 +23,8 @@ import (
 )
 const (
- defaultFrontendImage = "public.ecr.aws/b7m0w2t6/color-fe-app:2.0.3"
- defaultBackendImage = "public.ecr.aws/b7m0w2t6/color-be-app:2.0.2"
+ defaultFrontendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-fe-app"
+ defaultBackendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app"
 )
 type SidecarStack struct {
From 5a8bba57f282be7e283fa577dd20fba4962e743f Mon Sep 17 00:00:00 2001
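Review bot: The new `defaultImage`, `defaultFrontendImage` and `defaultBackendImage` values replace versioned tags (`2.0.2`, `2.0.3`) with per-app tags (`:color-be-app`, `:color-fe-app`) on one shared `appmesh-k8s-test` repository, so the sidecar suites now run whatever was most recently pushed under those tags instead of a fixed artefact. Pinning by digest, e.g. `defaultImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app@sha256:<digest>"`, or keeping a version component in the tag, keeps the integration tests reproducible and stops a re-pointed tag from silently changing what they exercise. If the tags are meant to float, a short comment above the const block saying so and naming who maintains the repository would spare the next reader the guess.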
From: Yuanshun Dong <123429070+ysdongAmazon@users.noreply.github.com> Date: Wed, 22 Nov 2023 13:40:32 -0800 Subject: [PATCH 4/5] Update README.md for Xray private cluster instruction (#746) * Update README.md for private cluster instruction * Update README.md for xray setting in private cluster --- config/helm/appmesh-controller/README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/config/helm/appmesh-controller/README.md b/config/helm/appmesh-controller/README.md index 4067e8e1..c3044e94 100644 --- a/config/helm/appmesh-controller/README.md +++ b/config/helm/appmesh-controller/README.md 
@@ -92,7 +92,22 @@ The [configuration](#configuration) section lists the parameters that can be con **Note** If you want to start the controller in the EKS private cluster, enable the app mesh and service discovery VPC endpoints to the linked private subnet first. Also accountId is a required field now as `--set accountId=$AWS_ACCOUNT_ID`. -More troubleshooting please see: https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html (ECR VPC endpoint doc says ECR VPC endpoint [does not support public repo](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html). It's outdated information.) +If you want to enable X-ray tracing in private cluster, enable the X-ray VPC endpoint. Also, ECR VPC endpoint [does not support public repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html). Controller uses `public.ecr.aws/xray/aws-xray-daemon:latest` by default, so you need to pull this image to local and [push it into your personal ECR repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html). Set it when deploying the controller like: +``` +helm upgrade -i appmesh-controller eks/appmesh-controller \ + --namespace appmesh-system \ + --set region=$AWS_REGION \ + --set serviceAccount.create=false \ + --set serviceAccount.name=appmesh-controller \ + --set accountId=$AWS_ACCOUNT_ID \ + --set log.level=debug \ + --set tracing.enabled=true \ + --set tracing.provider=x-ray \ + --set xray.image.repository={your-account-id}.dkr.ecr.{your-region}.amazonaws.com/{your-repository} \ + --set xray.image.tag={your-xray-daemon-image-tag} +``` +Verify if the X-ray daemon being injected successfully when binding application deployment with virtual node/gateway. 
+More troubleshooting please see: https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html **Note** Make sure that the Envoy proxies have the following IAM policies attached for the Envoy to authenticate with AWS App Mesh and fetch it's configuration From e8ce998f0355a17a000e36ce852c9299ea98531e Mon Sep 17 00:00:00 2001 From: Ben Du <5668844+bendu@users.noreply.github.com> Date: Wed, 22 Nov 2023 14:09:50 -0800 Subject: [PATCH 5/5] Rehome remaining ecr public images (#747) --- test/e2e/fishapp/dynamic_stack.go | 31 ++++++++++--------- .../fishapp/load/dynamic_stack_load_test.go | 3 +- .../sidecar-v1.22/sidecar_stack.go | 1 + test/integration/sidecar/sidecar_stack.go | 5 ++- test/integration/timeout/timeout_stack.go | 8 +++-- test/integration/tls/tls_stack.go | 8 +++-- .../virtualnode/virtualnode_test.go | 8 +++-- 7 files changed, 40 insertions(+), 24 deletions(-) diff --git a/test/e2e/fishapp/dynamic_stack.go b/test/e2e/fishapp/dynamic_stack.go index 937cf0ae..1238b52f 100644 --- a/test/e2e/fishapp/dynamic_stack.go +++ b/test/e2e/fishapp/dynamic_stack.go 
@@ -42,21 +42,22 @@ const (
 connectivityCheckUniformDistributionSL = 0.001 // Significance level that traffic to targets are uniform distributed.
 AppContainerPort = 9080
 HttpProxyContainerPort = 8899
- defaultAppImage = "public.ecr.aws/e6v3k1j4/colorteller:v1"
- defaultHTTPProxyImage = "abhinavsingh/proxy.py:latest"
- caCertScript = "certs/ca_certs.sh"
- nodeCertScript = "certs/node_certs.sh"
- genericNodeCertCfgFile = "certs/node_cert.cfg"
- certsBasePath = "certs/"
- certsCfgFileSuffix = "_cert.cfg"
- certChainSuffix = "_cert_chain.pem"
- certKeySuffix = "_key.pem"
- caCertFile = "ca_cert.pem"
- envoyCACertPath = "/certs/ca_cert.pem"
- certCleanupScript = "certs/cleanup.sh"
- sdsDeployScript = "certs/sds_provider.sh"
- registerAgentIdentity = "certs/register_agent_entry.sh"
- registerWorkloadIdentity = "certs/register_workload_entry.sh"
+ // From https://github.com/aws/aws-app-mesh-examples/tree/main/examples/apps/colorapp/src/colorteller
+ defaultAppImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:colorteller"
+ defaultHTTPProxyImage = "abhinavsingh/proxy.py:latest"
+ caCertScript = "certs/ca_certs.sh"
+ nodeCertScript = "certs/node_certs.sh"
+ genericNodeCertCfgFile = "certs/node_cert.cfg"
+ certsBasePath = "certs/"
+ certsCfgFileSuffix = "_cert.cfg"
+ certChainSuffix = "_cert_chain.pem"
+ certKeySuffix = "_key.pem"
+ caCertFile = "ca_cert.pem"
+ envoyCACertPath = "/certs/ca_cert.pem"
+ certCleanupScript = "certs/cleanup.sh"
+ sdsDeployScript = "certs/sds_provider.sh"
+ registerAgentIdentity = "certs/register_agent_entry.sh"
+ registerWorkloadIdentity = "certs/register_workload_entry.sh"
 )
 var (
diff --git a/test/e2e/fishapp/load/dynamic_stack_load_test.go b/test/e2e/fishapp/load/dynamic_stack_load_test.go
index b38ba813..40912684 100644
--- a/test/e2e/fishapp/load/dynamic_stack_load_test.go
+++ b/test/e2e/fishapp/load/dynamic_stack_load_test.go
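Review bot: `defaultHTTPProxyImage = "abhinavsingh/proxy.py:latest"` is carried over unchanged on the new side of this const block even though the commit's stated purpose is to rehome the remaining public test images; it is still an unpinned third-party Docker Hub tag, so the e2e stack's egress proxy can change underneath the suite and anonymous pulls are subject to Docker Hub rate limits. Mirroring it into the same `appmesh-k8s-test` repository, or at minimum pinning it as `abhinavsingh/proxy.py@sha256:<digest>`, closes that gap; the new `:colorteller` tag is itself mutable, so a digest there would help reproducibility too. The `const (` block opens above this hunk.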
@@ -45,7 +45,8 @@ const ( connectivityCheckUniformDistributionSL = 0.001 // Significance level that traffic to targets are uniform distributed. AppContainerPort = 9080 HttpProxyContainerPort = 8899 - //defaultAppImage = "public.ecr.aws/e6v3k1j4/colorteller:v1" + // From https://github.com/aws/aws-app-mesh-examples/tree/main/examples/apps/colorapp/src/colorteller + //defaultAppImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:colorteller" defaultAppImage = "python:3.9" defaultHTTPProxyImage = "abhinavsingh/proxy.py:latest" caCertScript = "certs/ca_certs.sh" diff --git a/test/integration/sidecar-v1.22/sidecar_stack.go b/test/integration/sidecar-v1.22/sidecar_stack.go index 3d2761b9..31214be3 100644 --- a/test/integration/sidecar-v1.22/sidecar_stack.go +++ b/test/integration/sidecar-v1.22/sidecar_stack.go @@ -18,6 +18,7 @@ import ( ) const ( + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/sidecar-backend defaultImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app" ) diff --git a/test/integration/sidecar/sidecar_stack.go b/test/integration/sidecar/sidecar_stack.go index c945e0d4..fa69168a 100644 --- a/test/integration/sidecar/sidecar_stack.go +++ b/test/integration/sidecar/sidecar_stack.go @@ -23,8 +23,11 @@ import ( ) const ( + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/sidecar-frontend defaultFrontendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-fe-app" - defaultBackendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app" + + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/sidecar-backend + defaultBackendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app" ) type SidecarStack struct { diff --git a/test/integration/timeout/timeout_stack.go b/test/integration/timeout/timeout_stack.go index ed8a36e8..42bba0ae 100644 --- a/test/integration/timeout/timeout_stack.go 
+++ b/test/integration/timeout/timeout_stack.go @@ -28,8 +28,12 @@ import ( const ( //If you're not able to access below images, try to build them based on the app code under "timeout_app" //directory and push it to any accessible ECR repo and update the below values - defaultFrontEndImage = "public.ecr.aws/e6v3k1j4/appmesh-test-feapp:v1" - defaultBackEndImage = "public.ecr.aws/e6v3k1j4/appmesh-test-beapp:v1" + + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/frontend + defaultFrontEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-frontend" + + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/backend + defaultBackEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-backend" timeoutTest = "timeout-e2e" AppContainerPort = 8080 diff --git a/test/integration/tls/tls_stack.go b/test/integration/tls/tls_stack.go index 34226e98..4ef57601 100644 --- a/test/integration/tls/tls_stack.go +++ b/test/integration/tls/tls_stack.go @@ -31,8 +31,12 @@ import ( const ( //If you're not able to access below images, try to build them based on the app code under "timeout_app" //directory and push it to any accessible ECR repo and update the below values - defaultFrontEndImage = "public.ecr.aws/e6v3k1j4/appmesh-test-feapp:v1" - defaultBackEndImage = "public.ecr.aws/e6v3k1j4/appmesh-test-beapp:v1" + + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/frontend + defaultFrontEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-frontend" + + // From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/backend + defaultBackEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-backend" tlsTest = "tls-e2e" AppContainerPort = 8080 
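Review bot: In tls_stack.go the context comment directly above the new constants still tells the reader to rebuild the images from the app code under "timeout_app", which now contradicts the added `// From .../test/integration/test_app/frontend` and `.../backend` comments and was already misplaced in the TLS stack; the identical stale wording sits above the new lines in timeout_stack.go. Rewriting that two-line comment in both files to `//If you're not able to access below images, build them from test/integration/test_app/{frontend,backend}` `//and push them to any accessible ECR repo, then update the values below` (or dropping it in favour of the per-constant comments) keeps the instructions consistent. As with the other rehomed images, `:testapp-frontend` and `:testapp-backend` are mutable tags, so a digest pin would keep the timeout and TLS suites reproducible.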
diff --git a/test/integration/virtualnode/virtualnode_test.go b/test/integration/virtualnode/virtualnode_test.go
index 801a7bef..9f469216 100644
--- a/test/integration/virtualnode/virtualnode_test.go
+++ b/test/integration/virtualnode/virtualnode_test.go
@@ -3,6 +3,9 @@ package virtualnode_test
 import (
 "context"
 "fmt"
+ "sync"
+ "time"
+
 appmeshk8s "github.com/aws/aws-app-mesh-controller-for-k8s/pkg/k8s"
 "github.com/aws/aws-app-mesh-controller-for-k8s/test/framework/k8s"
 "github.com/aws/aws-sdk-go/aws"
@@ -15,8 +18,6 @@ import (
 apierrs "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/kubernetes"
- "sync"
- "time"
 appmesh "github.com/aws/aws-app-mesh-controller-for-k8s/apis/appmesh/v1beta2"
 "github.com/aws/aws-app-mesh-controller-for-k8s/pkg/algorithm"
@@ -31,7 +32,8 @@ import (
 )
 const (
- defaultAppImage = "public.ecr.aws/e6v3k1j4/colorteller:v1"
+ // From https://github.com/aws/aws-app-mesh-examples/tree/main/examples/apps/colorapp/src/colorteller
+ defaultAppImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:colorteller"
 AppContainerPort = 8080
 )