production deployment should be gitops

[BenTheElder]

We auto deploy the registry-sandbox instance, and everything for that is configured either in k8s.io terraform, or in the make rule backing make deploy / the cloudbuild.yml for this repo.

The production configuration currently seems to only be partially source controlled, the production (registry.k8s.io) cloud run deployment appears to still be manually submitted by @ameukam

Now that kubernetes has migrated, we really ought to fix this kubernetes/kubernetes#109938 (comment)

[ameukam]

/assign
/sig k8s-infra
/priority important-soon
/milestone v1.25
/area artifacts

[k8s-ci-robot]

@ameukam: The label(s) area/artifacts cannot be applied, because the repository doesn't have them.

In response to this:

/assign
/sig k8s-infra
/priority important-soon
/milestone v1.25
/area artifacts

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[BenTheElder]

in addition: staging should match production as closely as possible, except for the image revision, and toggling environment variable overrides for gating new functionality

we have a limited / false sense of performance when the regions don't match because then we're talking to much more distant AWS regions https://kubernetes.slack.com/archives/CCK68P2Q2/p1659742065287909

[BenTheElder]

rough outline:

• add a service account with permission to deploy this
• setup a GCB postsubmit on k8s.io repo to do terraform apply of oci-proxy-prod

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[ameukam]

/remove-lifecycle rotten
/milestone clear
/lifecycle frozen

[BenTheElder]

we are deploying from terraform in git for production, but manually.

also, we have skew in that the sandbox instance does not use the production config or terraform.

I'd like us to start by getting the sandbox instance to be the production deployment configs w/ some variable overrides passed in, and then look at automating deploying to prod once that's working.

[BenTheElder]

Small change towards this in kubernetes/k8s.io#4922

[BenTheElder]

Will not implement this until after #181

[BenTheElder]

The prod deployment is totally checked in, however we're still requiring humans to roll it out and be ready to quickly revert.

That's fine, the same people we'd have approve changes have access to rollout.

Importantly: staging is completely automated and leads any production rollouts, which will reflect staging when we're comfortable.

Everything is in git now, other than staging automatically updating to the latest image just pushed when deploying.