CORS-4335: Add support for AWS European Sovereign Cloud#1360
CORS-4335: Add support for AWS European Sovereign Cloud#1360openshift-merge-bot[bot] merged 3 commits intoopenshift:masterfrom
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@tthvo: This pull request explicitly references no jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold I am unsure if this is the right approach. As of now, we can only support EUSC via custom service endpoint (see openshift/installer#10303) because AWS SDK v1 is EOL and doesn't support it out of the box. I don't think migrating to AWS SDK v2 is trivial at all... Please let me know if this works 🙏 |
openshift-ci
Bot
added
the
do-not-merge/hold
openshift-ci
Bot
requested review from
alebedev87,
patrickdillon and
rna-afk
tthvo
changed the title
|
@tthvo: This pull request references CORS-4335 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@tthvo: This pull request references CORS-4335 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
tthvo
force-pushed
the
eusc-support
branch
2 times, most recently
from
be85531 to
6cb9548
Compare
|
@tthvo: This pull request references CORS-4335 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
1 similar comment
|
/retest |
|
/hold cancel Tested locally with openshift/installer#10303 and the install completed successfully in EUS Cloud. |
openshift-ci
Bot
removed
the
do-not-merge/hold
|
/test e2e-aws-operator |
|
/assign |
|
would these changes be necessary at all if the operator were on v2 of the aws sdk? |
Oh no, in that case, the only commit needed is 7806b67, where we must use |
This commit adds CI infrastructure support for AWS European Sovereign Cloud (EUSC) testing using the eusc-de-east-1 region. Changes: - Add cluster-secrets-aws-eusc-qe to secret bootstrap config - Add aws-eusc-qe-quota-slice boskos resource pool with 5 quota slices in eusc-de-east-1 region - Generate updated _boskos.yaml configuration The profile uses vault secret: cluster-secrets-aws-eusc-qe Region Details: - Region: eusc-de-east-1 (Brandenburg, Germany) - Availability zones: eusc-de-east-1a, eusc-de-east-1b (2 zones only) - Note: No edge zones (Local/Wavelength) available in this region Dependencies: - Installer support: openshift/installer#10303 - Ingress operator support: openshift/cluster-ingress-operator#1360 - API support (optional): openshift/api#2708 Tested installation scenarios (from installer PR openshift#10303): - ✅ Default minimal config - ✅ Ingress NLB type - ✅ BYO Private Hosted zone - ✅ BYO KMS key - ✅ BYO VPC and subnets Installation time: ~45m26s Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The AWS SDK v1 uses the same service ID "elasticloadbalancing" for elb and elbv2. Thus, if defined, we need to use the custom service endpoint for both.
… Cloud Add support for AWS European Sovereign Cloud (EUSC) regions by configuring Route53 and tagging clients to use eusc-de-east-1 region. Since Route 53 is not a regionalized service in EUSC, the Tagging API will only return hosted zone resources when the region is set to eusc-de-east-1.
|
/retest |
|
/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-arm64-nightly-aws-ipi-disc-priv-sts-ep-mini-perm-f14 |
|
@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/571107c0-2873-11f1-9612-8fd63eaa95bf-0 |
|
/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-arm64-nightly-aws-ipi-disc-priv-sts-ep-mini-perm-f14 |
|
@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/971bbbc0-2883-11f1-9822-81f95ba6698b-0 |
|
With the latest push, I have dropped commits that add support for STS custom endpoint. For that reason, EUSC install will only support |
alebedev87
left a comment
alebedev87
left a comment
There was a problem hiding this comment.
/lgtm
/approve
As agreed, the STS custom endpoint is removed from this PR. So EUSC support comes without STS for the moment (image registry is another component which has a gap for STS custom endpoint).
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alebedev87 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
/assign @liweinan For verification.. |
|
/verified by liweinan |
openshift-ci-robot
added
the
verified
|
@liweinan: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test e2e-aws-ovn-hypershift-conformance Some unrelated storage issues, retesting.. |
|
/test e2e-aws-ovn-hypershift-conformance Let's try again 😅 |
|
@tthvo: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/tide refresh It's time :D |
|
Change included in accepted release 4.22.0-0.nightly-2026-03-29-055437 |
@lihongan Thanks for the work! I retried the test jobs here: openshift/release#75568 |
This commit adds CI infrastructure support for AWS European Sovereign Cloud (EUSC) testing using the eusc-de-east-1 region. Changes: - Add cluster-secrets-aws-eusc-qe to secret bootstrap config - Add aws-eusc-qe-quota-slice boskos resource pool with 5 quota slices in eusc-de-east-1 region - Generate updated _boskos.yaml configuration Region Details: - Region: eusc-de-east-1 (Brandenburg, Germany) - Availability zones: eusc-de-east-1a, eusc-de-east-1b (2 zones only) - Note: No edge zones (Local/Wavelength) available in this region Dependencies: - Installer support: openshift/installer#10303 - Ingress operator support: openshift/cluster-ingress-operator#1360 - API support (optional): openshift/api#2708
6 participants
AWS European Sovereign Cloud support
This PR allows support for AWS European Sovereign Cloud (EUSC). The Route53 and tagging client should point to the
eusc-de-east-1region in EUSC.Note: we can only check the region prefix
eusc-because the AWS SDK v1 does not recognize the new EUSC partition and regions. Support for EUSC can, as of now, be achieved via custom service endpoint.ELB v2 custom endpoint
As mentioned, the AWS SDK v1 does not recognize the new EUSC parition and regions. It will, by default, resolve the service endpoint incorrectly. Thus, we will need to provide the service endpoint explicitly for necessary services, including ELB v2 for Network Load Balancers.
This adds custom endpoint support for ELB v2 (to create NLBs). The implementation is based on the following points.
elasticloadbalancingfor both ELB and ELB v2. See similar discussion.STS custom endpoint
This change originates from the similar reason as ELB v2 custom endpoint. We need to be able to customize the STS endpoint in order to assume role for managing shared hosted zone in EUSC.