Integrating ROSA and AWS ECR
Ryan Niksch (AWS) and Charlotte Fung (Red Hat) discuss how customers can combine their existing Amazon Web Services Elastic Container Registry implementations with Red Hat OpenShift Service on AWS (ROSA).
Ryan Niksch (00:00):
Greetings. My name is Ryan Niksch. I'm a principal solutions architect with Amazon Web Services (AWS). Joining me today is Charlotte from Red Hat. Charlotte, say hi.
Charlotte Fung (00:09):
Hi, everybody. My name is Charlotte Fung and I'm a Managed OpenShift Black Belt at Red Hat. Thank you for having me here, Ryan.
Ryan Niksch (00:16):
Absolute pleasure. Right. OpenShift, and more specifically the Red Hat OpenShift Service on AWS, or ROSA. Many customers are moving their OpenShift investments to AWS. OpenShift historically had a container registry built into the OpenShift platform, so you can take your container images and actually store them in that internal OpenShift registry. That said, many of the customers I work with have already invested in their own container storage. Many of them are using AWS services, one of them being the Elastic Container Registry, ECR. So what about customers that want to take advantage of AWS ECR or are already using ECR? Can they store their containers in ECR and still consume them from OpenShift? And what building blocks, what components are needed to facilitate this? I think it's worth noting that whether they're using the internal container registry or whether they're using something like ECR, they behave in very similar manners. There's still a push and pull of those images. It's really about: how do they authenticate to the ECR platform?
Charlotte Fung (01:56):
That's absolutely correct. So the great thing with ROSA is, even though it's very opinionated, it gives you that option. It's very extensible. You can integrate it with different...
Ryan Niksch (02:06):
The choice customers had...
Integrating Elastic Container Registry with Red Hat OpenShift Service on AWS
Charlotte Fung (02:09):
There's a lot of choices. Exactly. And being a native AWS service, it does integrate really seamlessly with AWS ECR, which is Amazon's Elastic Container Registry, fully managed for you. Highly secured, highly available. So it's a great choice. So, as you said, to use ECR with ROSA, you have the same process: there's a push, and there's a pull. And it's important to note that ECR has the public and private registry, but of course we recommend that you use private for your production grade, because you want it to be secure. And in order for you to pull or push, there needs to be an authentication that has to happen. And you can make use of AWS IAM.
Ryan Niksch (03:09):
Okay. So there is going to be a role and a related policy that dictates how my workloads or how OpenShift can interact, or basically meet the permissions requirements of that registry. Being able to push, being able to pull, being able to list the objects in that registry.
Charlotte Fung (03:34):
Ryan Niksch (03:37):
ECR is a little different from many traditional container repositories in that it's not just a simple username and password. You're interacting with roles and policies, but there is also a short-lived credential. It cycles those credentials every 12 hours. So even if you've authenticated once, 12 hours later that authentication cycles and then you kind of need to “re-go” through that process. What is there inside OpenShift to firstly deal with this authentication and deal with that credential cycling?
Charlotte Fung (04:15):
All right. So as you mentioned, because of that short-lived token, which lasts only for 12 hours, it’s really a challenge for many users who decide to go ECR, because you either have to write scripts to automatically refresh the token.
Ryan Niksch (04:36):
And then that's a script that you're sort of scheduling with something like a cron job historically.
Charlotte Fung (04:41):
Ryan Niksch (04:42):
Charlotte Fung (04:43):
Oh, you have to do that manually, which becomes a hassle. Nobody wants to be updating tokens manually, right? So we have an operator, it is a community operator, known as ECR Secret Operator.
Ryan Niksch (05:07):
And this operator updates that process. So it's essentially an operator that takes the scripted process of re-authenticating to ECR and then pulls that token down and stores it as a secret internally in OpenShift.
Charlotte Fung (05:29):
Ryan Niksch (05:29):
So every time that I am needing to interact with that registry, and this could be anything, this could be something like OpenShift S2I (source-to-image) building a container, pushing it to their interaction.
Charlotte Fung (05:44):
What cannot pull in images from...
Ryan Niksch (05:46):
As you're scaling or as you're deploying workloads, is it just as simple as going into the operator hub and deploying the operator, and what sort of configuration is needed over here?
Using automated operators
Charlotte Fung (05:57):
So what you need to do, as you said, you have to go into OperatorHub and deploy this operator. You also need to give this operator permissions. So you can go either route. With IAM, you can create a user for that operator and give it role policies and permissions, or you can do STS, which is the temporary token, which would be the preferred way of authenticating the operator with your ECR. And what the operator does is it just continuously talks to the “get authorization” API to regenerate the token and then update the secret that is needed for that authentication to happen between your ROSA cluster and your repository.
Ryan Niksch (06:46):
So there's a couple of things I see as a benefit here. Firstly, you have a container repository and you mentioned it's managed. What we mean by that is it will scale dynamically. You're not managing storage to store all of those container images. It's a managed service from a reliability standpoint as well: you know, AWS worries about whether that service is always available. You can set up replicas, you can set up inter-region interactions. The real magic for me is this ECR Secret Operator that Red Hat has created, and it's really solving the problem of how do I automate updating that 12-hour-cycle secret. In the past, customers had to do this on their own.
Charlotte Fung (07:41):
Ryan Niksch (07:41):
Now they've got a very simple operator coming into effect here. Not all customers are using ECR. There are other things on the market. I think if you're looking for something from Red Hat, we're probably talking about Quay. Yeah. And Quay is also a very, very simple process to integrate with ROSA. Do we see customers investing in a common pattern here, or is it a very, very diverse mix of container repos?
Charlotte Fung (08:17):
With most of our ROSA customers, we see most of them investing in AWS (Amazon) ECR. That's like the most, because they're already using AWS products and they're kind of already familiar with those services on AWS, and it's about them using their spend commit on AWS. So it's the most frequent.
Ryan Niksch (08:44):
So when I'm seeing customers migrate from on-premises OpenShift to OpenShift on the cloud, the two things I'm seeing are a shift from self-managed to managed, so ROSA being an adopted service, and then again, I'm seeing a very broad adoption of AWS native services to complement their OpenShift investment.
Charlotte Fung (09:07):
Ryan Niksch (09:08):
Is there anything that we have skipped over? Almost?
Charlotte Fung (09:12):
So the only thing I want to highlight is, with this operator, when you create the secret, it needs to be linked to your builder, which is, like, your service account.
Ryan Niksch (09:24):
Charlotte Fung (09:24):
Yeah. Which is what does the automatic build for you.
Ryan Niksch (09:29):
So that could be a step in an OpenShift Pipelines process...
Charlotte Fung (09:35):
Ryan Niksch (09:35):
Or in a more traditional sense, Jenkins, whatever. Again, lots of customer choice over here. Charlotte, again, thank you very much. Always a pleasure having you here and...
Charlotte Fung (09:48):
Thank you so much for having me, Ryan. Thank you everybody.
Ryan Niksch (09:51):
And thank you for joining us.