Update patching branch to same height as master (#749)

* Update README.md for private cluster instruction (#743)

* Fix prod release action. Some regions were accidentally deleted (#744)

Co-authored-by: Bennett Sala <[email protected]>

* Update test docker image URIs (#745)

* Update README.md for Xray private cluster instruction (#746)

* Update README.md for private cluster instruction

* Update README.md for xray setting in private cluster

* Rehome remaining ecr public images (#747)

---------

Co-authored-by: BennettJames <[email protected]>
Co-authored-by: Bennett Sala <[email protected]>
Co-authored-by: Ben Du <[email protected]>

.github/workflows/prod-release.yaml

@@ -37,6 +37,97 @@ jobs:
           docker pull "${SRC}-linux_amd64" 
           docker pull "${SRC}-linux_arm64"
 
+      - name: Deploy Images To ECR Public
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "public.ecr.aws"
+          image_tag: "${{ github.event.inputs.tag }}"
+          dst_image_name: "appmesh/appmesh-controller"
+          region: "us-west-2"
+          role: "${{ secrets.PROD_AWS_ROLE }}"
+
+      - name: Deploy Images to PDX
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "us-west-2"
+          role: "${{ secrets.PROD_AWS_ROLE }}"
+
+      - name: Deploy Images to BAH
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_BAH_AWS_ACCOUNT }}.dkr.ecr.me-south-1.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "me-south-1"
+          role: "${{ secrets.PROD_BAH_AWS_ROLE }}"
+
+      - name: Deploy Images to CPT
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_CPT_AWS_ACCOUNT }}.dkr.ecr.af-south-1.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "af-south-1"
+          role: "${{ secrets.PROD_CPT_AWS_ROLE }}"
+
+      - name: Deploy Images to HKG
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_HKG_AWS_ACCOUNT }}.dkr.ecr.ap-east-1.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "ap-east-1"
+          role: "${{ secrets.PROD_HKG_AWS_ROLE }}"
+
+      - name: Deploy Images to MXP
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_MXP_AWS_ACCOUNT }}.dkr.ecr.eu-south-1.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "eu-south-1"
+          role: "${{ secrets.PROD_MXP_AWS_ROLE }}"
+
+      - name: Deploy Images to CGK
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_CGK_AWS_ACCOUNT }}.dkr.ecr.ap-southeast-3.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "ap-southeast-3"
+          role: "${{ secrets.PROD_CGK_AWS_ROLE }}"
+
+      - name: Deploy Images to BJS
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_BJS_AWS_ACCOUNT }}.dkr.ecr.cn-north-1.amazonaws.com.cn"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "cn-north-1"
+          role: "${{ secrets.PROD_BJS_AWS_ROLE }}"
+
+      - name: Deploy Images to ZHY
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_ZHY_AWS_ACCOUNT }}.dkr.ecr.cn-northwest-1.amazonaws.com.cn"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "cn-northwest-1"
+          role: "${{ secrets.PROD_ZHY_AWS_ROLE }}"
+
+      - name: Deploy Images to TLV
+        uses: ./.github/actions/push-image
+        with:
+          src_host: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+          dst_host: "${{ secrets.PROD_TLV_AWS_ACCOUNT }}.dkr.ecr.il-central-1.amazonaws.com"
+          image_tag: "${{ github.event.inputs.tag }}"
+          region: "il-central-1"
+          role: "${{ secrets.PROD_TLV_AWS_ROLE }}"
+
       - name: Deploy Images to PDT
         uses: ./.github/actions/push-image
         with:

config/helm/appmesh-controller/README.md

@@ -90,6 +90,25 @@ helm upgrade -i appmesh-controller eks/appmesh-controller \
 
 The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
+**Note**
+If you want to start the controller in the EKS private cluster, enable the app mesh and service discovery VPC endpoints to the linked private subnet first. Also accountId is a required field now as `--set accountId=$AWS_ACCOUNT_ID`.   
+If you want to enable X-ray tracing in private cluster, enable the X-ray VPC endpoint. Also, ECR VPC endpoint [does not support public repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html). Controller uses `public.ecr.aws/xray/aws-xray-daemon:latest` by default, so you need to pull this image to local and [push it into your personal ECR repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html). Set it when deploying the controller like:
+```
+helm upgrade -i appmesh-controller eks/appmesh-controller \
+    --namespace appmesh-system \
+    --set region=$AWS_REGION \
+    --set serviceAccount.create=false \
+    --set serviceAccount.name=appmesh-controller \
+    --set accountId=$AWS_ACCOUNT_ID \
+    --set log.level=debug \
+    --set tracing.enabled=true \
+    --set tracing.provider=x-ray \
+    --set xray.image.repository={your-account-id}.dkr.ecr.{your-region}.amazonaws.com/{your-repository} \
+    --set xray.image.tag={your-xray-daemon-image-tag} 
+```
+Verify if the X-ray daemon being injected successfully when binding application deployment with virtual node/gateway.   
+More troubleshooting please see: https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html 
+
 **Note**
 Make sure that the Envoy proxies have the following IAM policies attached for the Envoy to authenticate with AWS App Mesh and fetch it's configuration
 - https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json

test/e2e/fishapp/dynamic_stack.go

@@ -42,21 +42,22 @@ const (
 	connectivityCheckUniformDistributionSL = 0.001 // Significance level that traffic to targets are uniform distributed.
 	AppContainerPort                       = 9080
 	HttpProxyContainerPort                 = 8899
-	defaultAppImage                        = "public.ecr.aws/e6v3k1j4/colorteller:v1"
-	defaultHTTPProxyImage                  = "abhinavsingh/proxy.py:latest"
-	caCertScript                           = "certs/ca_certs.sh"
-	nodeCertScript                         = "certs/node_certs.sh"
-	genericNodeCertCfgFile                 = "certs/node_cert.cfg"
-	certsBasePath                          = "certs/"
-	certsCfgFileSuffix                     = "_cert.cfg"
-	certChainSuffix                        = "_cert_chain.pem"
-	certKeySuffix                          = "_key.pem"
-	caCertFile                             = "ca_cert.pem"
-	envoyCACertPath                        = "/certs/ca_cert.pem"
-	certCleanupScript                      = "certs/cleanup.sh"
-	sdsDeployScript                        = "certs/sds_provider.sh"
-	registerAgentIdentity                  = "certs/register_agent_entry.sh"
-	registerWorkloadIdentity               = "certs/register_workload_entry.sh"
+	// From https://github.com/aws/aws-app-mesh-examples/tree/main/examples/apps/colorapp/src/colorteller
+	defaultAppImage          = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:colorteller"
+	defaultHTTPProxyImage    = "abhinavsingh/proxy.py:latest"
+	caCertScript             = "certs/ca_certs.sh"
+	nodeCertScript           = "certs/node_certs.sh"
+	genericNodeCertCfgFile   = "certs/node_cert.cfg"
+	certsBasePath            = "certs/"
+	certsCfgFileSuffix       = "_cert.cfg"
+	certChainSuffix          = "_cert_chain.pem"
+	certKeySuffix            = "_key.pem"
+	caCertFile               = "ca_cert.pem"
+	envoyCACertPath          = "/certs/ca_cert.pem"
+	certCleanupScript        = "certs/cleanup.sh"
+	sdsDeployScript          = "certs/sds_provider.sh"
+	registerAgentIdentity    = "certs/register_agent_entry.sh"
+	registerWorkloadIdentity = "certs/register_workload_entry.sh"
 )
 
 var (

test/e2e/fishapp/load/dynamic_stack_load_test.go

@@ -45,7 +45,8 @@ const (
 	connectivityCheckUniformDistributionSL = 0.001 // Significance level that traffic to targets are uniform distributed.
 	AppContainerPort                       = 9080
 	HttpProxyContainerPort                 = 8899
-	//defaultAppImage                        = "public.ecr.aws/e6v3k1j4/colorteller:v1"
+	// From https://github.com/aws/aws-app-mesh-examples/tree/main/examples/apps/colorapp/src/colorteller
+	//defaultAppImage                        = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:colorteller"
 	defaultAppImage          = "python:3.9"
 	defaultHTTPProxyImage    = "abhinavsingh/proxy.py:latest"
 	caCertScript             = "certs/ca_certs.sh"

test/integration/sidecar-v1.22/sidecar_stack.go

@@ -3,6 +3,7 @@ package sidecar_v1_22
 import (
 	"context"
 	"fmt"
+
 	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/inject"
 
 	appmesh "github.com/aws/aws-app-mesh-controller-for-k8s/apis/appmesh/v1beta2"
@@ -17,7 +18,8 @@ import (
 )
 
 const (
-	defaultImage = "public.ecr.aws/b7m0w2t6/color-be-app:2.0.2"
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/sidecar-backend
+	defaultImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app"
 )
 
 type SidecarStack struct {

test/integration/sidecar/sidecar_stack.go

@@ -3,9 +3,10 @@ package sidecar
 import (
 	"context"
 	"fmt"
-	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/inject"
 	"time"
 
+	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/inject"
+
 	appmesh "github.com/aws/aws-app-mesh-controller-for-k8s/apis/appmesh/v1beta2"
 	"github.com/aws/aws-app-mesh-controller-for-k8s/test/framework"
 	"github.com/aws/aws-sdk-go/aws"
@@ -22,8 +23,11 @@ import (
 )
 
 const (
-	defaultFrontendImage = "public.ecr.aws/b7m0w2t6/color-fe-app:2.0.3"
-	defaultBackendImage  = "public.ecr.aws/b7m0w2t6/color-be-app:2.0.2"
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/sidecar-frontend
+	defaultFrontendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-fe-app"
+
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/sidecar-backend
+	defaultBackendImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:color-be-app"
 )
 
 type SidecarStack struct {

test/integration/timeout/timeout_stack.go

@@ -28,8 +28,12 @@ import (
 const (
 	//If you're not able to access below images, try to build them based on the app code under "timeout_app"
 	//directory and push it to any accessible ECR repo and update the below values
-	defaultFrontEndImage = "public.ecr.aws/e6v3k1j4/appmesh-test-feapp:v1"
-	defaultBackEndImage  = "public.ecr.aws/e6v3k1j4/appmesh-test-beapp:v1"
+
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/frontend
+	defaultFrontEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-frontend"
+
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/backend
+	defaultBackEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-backend"
 
 	timeoutTest      = "timeout-e2e"
 	AppContainerPort = 8080

test/integration/tls/tls_stack.go

@@ -31,8 +31,12 @@ import (
 const (
 	//If you're not able to access below images, try to build them based on the app code under "timeout_app"
 	//directory and push it to any accessible ECR repo and update the below values
-	defaultFrontEndImage = "public.ecr.aws/e6v3k1j4/appmesh-test-feapp:v1"
-	defaultBackEndImage  = "public.ecr.aws/e6v3k1j4/appmesh-test-beapp:v1"
+
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/frontend
+	defaultFrontEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-frontend"
+
+	// From https://github.com/aws/aws-app-mesh-controller-for-k8s/tree/master/test/integration/test_app/backend
+	defaultBackEndImage = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:testapp-backend"
 
 	tlsTest          = "tls-e2e"
 	AppContainerPort = 8080

test/integration/virtualnode/virtualnode_test.go

@@ -3,6 +3,9 @@ package virtualnode_test
 import (
 	"context"
 	"fmt"
+	"sync"
+	"time"
+
 	appmeshk8s "github.com/aws/aws-app-mesh-controller-for-k8s/pkg/k8s"
 	"github.com/aws/aws-app-mesh-controller-for-k8s/test/framework/k8s"
 	"github.com/aws/aws-sdk-go/aws"
@@ -15,8 +18,6 @@ import (
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
-	"sync"
-	"time"
 
 	appmesh "github.com/aws/aws-app-mesh-controller-for-k8s/apis/appmesh/v1beta2"
 	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/algorithm"
@@ -31,7 +32,8 @@ import (
 )
 
 const (
-	defaultAppImage  = "public.ecr.aws/e6v3k1j4/colorteller:v1"
+	// From https://github.com/aws/aws-app-mesh-examples/tree/main/examples/apps/colorapp/src/colorteller
+	defaultAppImage  = "public.ecr.aws/e4i4k4a4/appmesh-k8s-test:colorteller"
 	AppContainerPort = 8080
 )