CORS-4336: Add CI jobs for AWS European Sovereign Cloud (EUSC) #75568
liweinan wants to merge 1 commit into openshift:main
@liweinan: This pull request references CORS-4336 which is a valid jira issue.
...t/openshift-tests-private/openshift-openshift-tests-private-release-4.22__amd64-nightly.yaml
cluster_profile: aws-eusc-qe
env:
  BASE_DOMAIN: qe.devcluster.openshift.com
  AWS_EUSC_REGION: eusc-de-east-1
The region was retrieved via the cluster profile (lease resource); it's configured by your PR adding the aws-eusc-qe cluster profile, https://github.com/openshift/release/pull/75441/changes#diff-aa86f662b34188da9ad50af7c05ef19dfa48af3c726cd882949002cf9112eed9R119
@liweinan AWS_EUSC_REGION is not required, the region is determined by cluster profile
ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml
...ipi/private/provision/cucushift-installer-rehearse-aws-eusc-ipi-private-provision-chain.yaml
ci-operator/step-registry/ipi/conf/aws/eusc-ami/ipi-conf-aws-eusc-ami-commands.sh
@liweinan as we discussed offline, for the new partition we need three types of cluster:
steps:
  cluster_profile: aws-eusc-qe
  env:
    BASE_DOMAIN: qe.devcluster.openshift.com
This public domain is being used by another AWS account; you can apply for a new one from the PGE team.
request submitted: https://issues.redhat.com/browse/DPP-19749
@yunjiang29 Thanks for the review! I'll refactor this PR today.
24fed80 to de00d69
@yunjiang29 Thanks for the detailed review! I'll update the PR accordingly.
Address yunfei's review comments on PR openshift#75568:
1. Job naming convention:
- Rename jobs from -f60 to -f7 suffix (non-destructive tests)
- Update cron schedule to standard f7 pattern: 7,14,23,30
2. Private cluster configuration:
- Add complete private cluster setup with bastion host
- Add VPC, security groups, and proxy configuration
- Set PUBLISH=Internal for private cluster access
- Add minimal IAM permission provisioning
- Follow pattern from cucushift-installer-rehearse-aws-ipi-private-provision
3. AMI configuration fix:
- Replace deprecated compute.platform.aws.amiID field
- Use platform.aws.defaultMachinePlatform.amiID instead
4b73bfe to 7f83d83
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: liweinan.
1. Job naming convention:
- Rename jobs from -f60 to -f7 suffix (non-destructive tests)
- Update cron schedule to standard f7 pattern: 7,14,23,30
2. Private cluster configuration:
- Add complete private cluster setup with bastion host
- Add VPC, security groups, and proxy configuration
- Set PUBLISH=Internal for private cluster access
- Add minimal IAM permission provisioning
- Follow pattern from cucushift-installer-rehearse-aws-ipi-private-provision
3. AMI configuration fix:
- Replace deprecated compute.platform.aws.amiID field
- Use platform.aws.defaultMachinePlatform.amiID instead
4. Generalize step registry components for reusability:
- Enhance ipi-conf-aws-custom-endpoints to support multiple AWS partitions
* Add AWS_DOMAIN_SUFFIX env var (defaults to amazonaws.com)
* Support amazonaws.eu for EUSC, amazonaws.com.cn for China
* Allow full URLs for maximum flexibility
- Make ipi-conf-aws-eusc-ami more generic
* Support AWS_CUSTOM_AMI_ID for general use
* Maintain AWS_EUSC_AMI_ID for backward compatibility
* Can be used for EUSC, China, GovCloud, or custom AMI scenarios
- Use generic steps in EUSC provision chain with partition-specific config
- Remove obsolete ipi-conf-aws-eusc-endpoints (replaced by generic version)
7f83d83 to 55daf83
@yunjiang29 I have to modify this script to support different domains.
We can get domain suffix easily by command:
aws --region "$REGION" ec2 describe-regions --region-names "$REGION" --query 'Regions[0].Endpoint' --output text | cut -d'.' -f3-
so these configs can be removed https://github.com/openshift/release/pull/75568/changes#diff-fde735f85451233f34780c5cb0f24459d18ba0307c6b0ae3718292de6792f106R23-R40
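The suffix derivation suggested in the comment above, with the checks a CI step would want before writing endpoints into an install config. This is an added example, not code from this PR or the openshift/release repository. The function names `domain_suffix` and `service_endpoint_url` are hypothetical, the hostnames used to exercise it are constructed, and the `<service>.<region>.<suffix>` URL shape is an assumption that holds only for regional services following that pattern.

```shell
#!/usr/bin/env bash
# Added example: derive a partition's DNS suffix from the EC2 endpoint hostname
# that `describe-regions` returns, refusing output that does not look right.
# No AWS call is made here; callers pass the hostname in.

# domain_suffix REGION ENDPOINT -> prints the suffix, returns 1 on bad input
domain_suffix() {
  local region="$1" endpoint="$2" suffix
  # `--output text` prints the literal string "None" when the query is empty
  if [ -z "$endpoint" ] || [ "$endpoint" = "None" ]; then
    echo "no endpoint returned for region $region" >&2
    return 1
  fi
  # Expect ec2.<region>.<suffix>; anything else means `cut -f3-` would
  # silently return the wrong labels, so fail instead of guessing
  case "$endpoint" in
    "ec2.${region}."?*) ;;
    *) echo "unexpected endpoint shape: $endpoint" >&2; return 1 ;;
  esac
  suffix="$(printf '%s' "$endpoint" | cut -d'.' -f3-)"
  # The suffix is interpolated into URLs, so accept plain DNS names only
  case "$suffix" in
    *[!a-z0-9.-]*|.*|*.|*..*) echo "invalid suffix: $suffix" >&2; return 1 ;;
  esac
  printf '%s\n' "$suffix"
}

# service_endpoint_url SERVICE REGION SUFFIX (assumed regional URL shape)
service_endpoint_url() {
  printf 'https://%s.%s.%s\n' "$1" "$2" "$3"
}

# Live use, with the command from the comment above:
#   ep="$(aws --region "$REGION" ec2 describe-regions --region-names "$REGION" \
#         --query 'Regions[0].Endpoint' --output text)"
#   suffix="$(domain_suffix "$REGION" "$ep")" || exit 1
```

Failing closed on a mismatched region or an empty result keeps a job in one partition from being configured with another partition's endpoints.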
1. Job naming convention:
- Rename jobs from -f60 to -f7 suffix (non-destructive tests)
- Update cron schedule to standard f7 pattern: 7,14,23,30
2. Private cluster configuration:
- Add complete private cluster setup with bastion host
- Add VPC, security groups, and proxy configuration
- Set PUBLISH=Internal for private cluster access
- Add minimal IAM permission provisioning
- Follow pattern from cucushift-installer-rehearse-aws-ipi-private-provision
3. Generalize step registry components for maximum reusability:
a) Enhance ipi-conf-aws-custom-endpoints for all AWS partitions:
- Add AWS_DOMAIN_SUFFIX env var (defaults to amazonaws.com)
- Support amazonaws.eu (EUSC), amazonaws.com.cn (China)
- Allow full URLs for maximum flexibility
- Remove obsolete ipi-conf-aws-eusc-endpoints step
b) Extend ipi-conf-aws to support custom AMI configuration:
- Add AWS_AMI_ID env var for custom RHCOS AMI
- Useful for EUSC, China, GovCloud, or any partition without public AMIs
- Fix deprecated amiID field -> defaultMachinePlatform.amiID
- Auto-detection still works for C2S/SC2S
- Remove obsolete ipi-conf-aws-eusc-ami step
c) EUSC provision chain now uses only generic steps with env config
This refactoring reduces code duplication (net -59 lines) and makes step
components reusable across all AWS partitions.
55daf83 to c6c4827
Related PRs merged: #75441 / openshift/ci-tools#4973
    test:
    - chain: openshift-e2e-test-qe-destructive
    workflow: cucushift-installer-rehearse-aws-usgov-ipi-private-workers-marketplace
- as: aws-eusc-ipi-private-f7
As mentioned in this comment, can we add some other feature to this job?
And we also need a destructive job.
please see what steps are required for a private cluster: cucushift-installer-rehearse-aws-ipi-private-deprovision
Let's split them into two variables: CONTROL_PLANE_AMI and COMPUTE_AMI, it's more flexible.
@liweinan please add more jobs according to this comment, thanks
@yunjiang29 Thanks for the detailed review! I'll update this PR accordingly.
c6c4827 to 852afa1
852afa1 to 368daf6
368daf6 to f68d948
Implement comprehensive CI infrastructure for AWS EUSC partition in eusc-de-east-1 region.
Job coverage (9 jobs):
- Common IPI: aws-eusc-ipi-f7, aws-eusc-ipi-f28-destructive, aws-eusc-ipi-fips-f7
- Private: aws-eusc-ipi-private-f7, aws-eusc-ipi-private-f28-destructive, aws-eusc-ipi-private-fips-f7
- Disconnected: aws-eusc-ipi-disconnected-private-f7
- STS: aws-eusc-ipi-sts-f7
- KMS: aws-eusc-ipi-byo-kms-f7
Key features:
- Dynamic service endpoint auto-detection from AWS API
- Split AMI variables (CONTROL_PLANE_AMI, COMPUTE_AMI) for flexible configuration
- Complete private cluster deprovision cleanup (bastion, security groups, stacks, S3)
- Support for FIPS-enabled clusters
- Disconnected (air-gapped) private cluster support
- STS (Security Token Service) authentication with OIDC
- Custom KMS key encryption for etcd
- Both non-destructive (f7) and destructive (f28) test variants
Technical implementation:
- Cluster profile: aws-eusc with automatic region detection
- Custom RHCOS AMI support for control plane and compute nodes separately
- Endpoint auto-detection from AWS API (no hardcoded values)
- Manual credentials mode for CCO
- Minimal IAM permissions
- Mirror registry for disconnected environments
- Backward compatible with existing AWS partitions
Workflows created:
- cucushift-installer-rehearse-aws-eusc-ipi (common IPI)
- cucushift-installer-rehearse-aws-eusc-ipi-private (private cluster)
- cucushift-installer-rehearse-aws-eusc-ipi-disconnected-private (disconnected)
- cucushift-installer-rehearse-aws-eusc-ipi-sts (STS authentication)
- cucushift-installer-rehearse-aws-eusc-ipi-byo-kms (custom KMS key)
Signed-off-by: Wei Li <weli@redhat.com>
f68d948 to 91e80dc
[REHEARSALNOTIFIER] A total of 16195 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.
@liweinan: The following tests failed, say
(e.g., China). When "" (default), uses installer's built-in AMI for the region,
Implement continuous integration support for AWS EUSC partition (aws-eusc) in eusc-de-east-1 region. Includes cluster profile definition, service endpoints configuration, custom AMI handling, and periodic test jobs.
This enables OpenShift testing on AWS's new European Sovereign Cloud infrastructure, which requires explicit endpoint configuration and custom RHCOS AMIs not available in public regions.