Skip to content

Added ECR design document#647

Open
psav wants to merge 3 commits into
mainfrom
psav/add_ecr_design
Open

Added ECR design document#647
psav wants to merge 3 commits into
mainfrom
psav/add_ecr_design

Conversation

@psav

@psav psav commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • Documentation
    • Added a design document outlining the move of platform and control plane images from Quay.io to AWS ECR.
    • Described the target image sets, expected image resolution flow, and a shared ECR authentication approach.
    • Captured operational impacts, security and reliability considerations, and open questions for follow-up.

Co-authored-by: claude-sonnet-4-6 <claude-sonnet-4-6@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@psav, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 33 minutes and 17 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 82bd74b7-1481-4773-8187-ef77f0fc1918

📥 Commits

Reviewing files that changed from the base of the PR and between 6b754d7 and 5ff1e95.

📒 Files selected for processing (1)
  • docs/design/ecr-image-migration.md

Walkthrough

Adds a design document for migrating ROSA Regional Platform image consumption from Quay.io to AWS ECR. The document describes the image sets, HyperShift image resolution changes, mirroring pipeline extension, ECR authentication, consequences, and open questions.

Changes

ECR image migration design

Layer / File(s) Summary
Framing and alternatives
docs/design/ecr-image-migration.md
Introduces the migration goal, constraints, assumptions, and rejected registry alternatives.
Image sets and resolution
docs/design/ecr-image-migration.md
Separates the two image sets and describes HyperShift image resolution changes for HCP dataplane images.
Mirroring pipeline
docs/design/ecr-image-migration.md
Describes extending the OCP mirroring pipeline to carry platform image lists into regional ECR.
ECR authentication
docs/design/ecr-image-migration.md
Defines ECR authentication requirements for MC/RC node pools and HCP dataplane pods.
Consequences and follow-up
docs/design/ecr-image-migration.md
Lists the stated consequences, cross-cutting concerns, and open questions for the migration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: adding an ECR design document.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch psav/add_ecr_design

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/ecr-image-migration.md`:
- Around line 9-12: The repository-placement decision is inconsistent between
the summary and the open question, so update the affected design sections to
agree on a single choice. Use the language in the migration summary and the
later “shared vs separate repositories” discussion to either confirm that
platform images use the same regional ECR repositories as OCP images or
explicitly mark that as undecided, and make the wording consistent across the
document.
- Around line 145-162: The image pull flow block is still ASCII art with an
unlabeled fence, which should be replaced with a Mermaid diagram in this
markdown doc. Convert the diagram in the design section to Mermaid syntax,
preserving the same nodes and flows shown by the image pull flow and clearly
representing the kubelet, node IAM role, ECR credential provider, ECR regional
images, and the HCP control plane pods with existing HyperShift auth. Use the
diagram’s existing labels and structure so it remains readable in markdown.
- Around line 131-135: The ECR IAM policy description in the MC/RC node pools
and system components section incorrectly suggests both actions can be scoped to
repository-level resources. Update the wording to distinguish
`ecr:GetAuthorizationToken` as requiring Resource `*` and `ecr:BatchGetImage` as
limited to specific repository ARNs, using the same paragraph in the design doc
so the policy scope is described correctly.
- Around line 136-143: The HCP dataplane pod auth description is too vague and
reads like a static pull secret approach, so update the Hosted Clusters section
to explicitly define the dynamic ECR authentication mechanism. In the ECR image
migration design, clarify how HyperShift Operator-managed auth will refresh
tokens for HCP pods (for example via AWS Pod Identity/IRSA or an operator-driven
rotation flow), and make sure the wording around “existing pull secret handling”
does not imply a non-rotating imagePullSecrets setup.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6c799f7d-585f-486f-939b-ad165a9a1ba4

📥 Commits

Reviewing files that changed from the base of the PR and between 337be0f and 6b754d7.

📒 Files selected for processing (1)
  • docs/design/ecr-image-migration.md

Comment thread docs/design/ecr-image-migration.md
Comment thread docs/design/ecr-image-migration.md
Comment thread docs/design/ecr-image-migration.md Outdated
Comment thread docs/design/ecr-image-migration.md Outdated
- Reconcile repository-placement: clarify that platform images use the
  same regional ECR repo structure as OCP images (already decided);
  narrow open question 4 to naming/namespace conventions within that
  shared structure

- Fix IAM policy scope: ecr:GetAuthorizationToken requires Resource '*'
  (account-level action, cannot be scoped to repository ARNs);
  ecr:BatchGetImage/GetDownloadUrlForLayer should use repo-scoped ARNs

- Define dynamic auth for HCP pods: replace vague 'pull secret handling'
  with explicit requirement for Pod Identity / IRSA-based dynamic token
  rotation; explain why static imagePullSecrets are unsuitable (12h expiry)

- Convert ASCII art diagram to Mermaid as required by repo conventions
fix: address CodeRabbit review comments on ECR image migration design doc

## Summary

Migrate all images consumed by the ROSA Regional Platform — both the Hosted Control Plane (HCP)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Migrate all images consumed by the ROSA Regional Platform — both the Hosted Control Plane (HCP)
Migrate all images consumed by ROSA Hyperfleet — both the Hosted Control Plane (HCP)

Migrate all images consumed by the ROSA Regional Platform — both the Hosted Control Plane (HCP)
dataplane images and the platform operational images (kubeapplier, hyperfleet-operator, etc.) —
from Quay.io to Amazon ECR. OCP images already mirrored to ECR by the OpenShift release process
are reused directly. Platform images built via Konflux are mirrored into the same regional ECR

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@psav it just occurred to me that there might be an additional latency (waiting for the image landing in ECR) if we use this process instead of pushing our images directly from Konflux.

Let's say you merge to main, then our AWS CodePipelines for the intetration environment are triggered immediately and ArgoCD tries to pull the new image, but it's not there yet. Have you considered this flow, what would happen here?

I see a separation between the OCP payload, which is fine to be async and latency in having it in ECR doesn't matter, vs our development images, that would need to land in ECR asap.

Hosted Clusters. ECR image sourcing must therefore be achieved without setting this flag.
- Platform images (kubeapplier, hyperfleet-operator, and others) must be available in the same
regional ECR repositories as OCP images so that MC/RC workloads can pull them without public
internet egress.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it worth to explain WHY this is needed/desired?

management, storage provisioning, replication, and a new failure domain. Rejected.

2. **Use ECR for dataplane images only, retain Quay for infra images**: Introduces two
paths for obtaining images. Rejected.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Push to ECR from konflux directly?


### Mirroring: Extending the OCP Pipeline for Platform Images

OCP already operates a mirroring pipeline that replicates release images from Quay to regional ECR

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OCP? or ROSA?

The preferred approach is a dynamic credential mechanism such as AWS Pod Identity (EKS Pod
Identity Associations) or IRSA (IAM Roles for Service Accounts), which allows the HyperShift
Operator to obtain short-lived ECR tokens on demand without operator intervention. An
investigation should determine which mechanism integrates most cleanly with HyperShift's

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed, this is the sticky point. How do you give access to the data plane to access our private registry? How does it work today with ROSA?. This is the main thing that I think should be hashed out in this design doc.

requirements; extending it to cover platform images increases its blast radius.
- ECR repository provisioning (IAM policies, lifecycle rules, replication configuration) must be
managed per region and per image set, adding Terraform/IaC surface area.
- Forcing HyperShift to pull from ECR without `--zero-egress` requires either upstream changes or

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But is this not supported today by ROSA?

### Operability

- The mirroring pipeline extension must be automated. Manual mirroring of platform images is not
acceptable at the cadence of Konflux builds.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this sentence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants