Shield dl.k8s.io with Fastly #4528

ameukam · 2022-12-07T23:00:38Z

Part of:

Redirect dl.k8s.io traffic to a community-owned GCS bucket instead of kubernetes-release #1569

Ensure we serve binaries through Fastly

Task List

SOW needs to be signed (cc @jeefy @joannalee333)
Account has to be upgraded
Create a TLS Certificate / Enable Domain

Rollout plan:

Ensure binaries can be pulled from cdn.dl.k8s.io using kubernetes-release bucket
Send an notice informing kubernetes binaries will now be served from cdn.dl.k8s.io
Setup a community-owned bucket for the binaries: k8s-release
Change the Fastly configuration k8s-release.

/area infra
/milestone v1.27
/priority important-longterm

The text was updated successfully, but these errors were encountered:

Part of: - kubernetes#4528 In order to be able to use Fastly, we will need use a subdomain to serve the binaries built and store kubernetes-release bucket. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam · 2023-02-04T12:04:36Z

TODO:

Add staging bucket to use with Fastly
add a periodic e2e test with KUBERNETES_CI_RELEASE_URL=cdn.dl.k8s.io
add regional periodic e2e tests to validate Fastly shielding.

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

k8s-triage-robot · 2023-05-16T15:22:10Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

ameukam · 2023-05-16T15:29:37Z

/remove-lifecycle stale

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Ref: kubernetes#4528 Ensure TF states for the fastly services are stored in a GCS bucket. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Ref: kubernetes#4528 Verifiying domain ownership using ACME DNS challenge and ensure traffic is served over IPv4 and IPv6 addresses. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Ref: kubernetes#4528 Verifiying domain ownership using ACME DNS challenge Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Ref: kubernetes#4528 This endpoint ensure we serve traffic for IPv4 and IPv6 addresses and also support encrypted traffic with Fastly TLS certificates. The DNS entry to ensure domain delegation to Fastly needs to be deleted since OctoDNS don't support CNAME type DNS records to coexist with other records per [RFC 1034](https://www.ietf.org/rfc/rfc1034.txt). See octodns/octodns#414 Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Related to: - kubernetes#4528 Following guidance from https://developer.fastly.com/learning/concepts/cache-freshness/#best-practices and remove the value set in the terraform, the first byte timeout is reduce to 15000 milliseconds. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

Related to: - kubernetes#4528 Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam · 2023-09-04T13:48:23Z

We can consider this done. THere are a few optimisations to do and they already tracked

/close

k8s-ci-robot · 2023-09-04T13:48:29Z

@ameukam: Closing this issue.

In response to this:

We can consider this done. THere are a few optimisations to do and they already tracked

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ameukam added the sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. label Dec 7, 2022

k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Dec 7, 2022

k8s-ci-robot added this to the v1.27 milestone Dec 7, 2022

ameukam mentioned this issue Dec 12, 2022

dns: domain validation of cdn.dl.k8s.io #4541

Merged

ameukam added a commit to ameukam/k8s.io that referenced this issue Dec 16, 2022

fastly: Add configuration for cdn.dl.k8s.io

70bb4f5

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam mentioned this issue Dec 16, 2022

fastly: Add configuration for cdn.dl.k8s.io #4555

Merged

ameukam added a commit to ameukam/k8s.io that referenced this issue Dec 23, 2022

fastly: Add configuration for cdn.dl.k8s.io

5018fb5

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam self-assigned this Feb 4, 2023

ameukam added a commit to ameukam/k8s.io that referenced this issue Feb 10, 2023

fastly: Add configuration for cdn.dl.k8s.io

cdf8742

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam mentioned this issue Feb 22, 2023

Deprecate and migrate away from gs://kubernetes-release #2396

Open

ameukam added a commit to ameukam/k8s.io that referenced this issue Feb 27, 2023

fastly: Add configuration for cdn.dl.k8s.io

71f09b1

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam added a commit to ameukam/k8s.io that referenced this issue Apr 4, 2023

fastly: Add configuration for cdn.dl.k8s.io

c836156

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam added a commit to ameukam/k8s.io that referenced this issue Apr 4, 2023

fastly: Add configuration for cdn.dl.k8s.io

1a58d20

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 16, 2023

k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 16, 2023

ameukam modified the milestones: v1.27, v1.28 May 16, 2023

ameukam added a commit to ameukam/k8s.io that referenced this issue May 26, 2023

fastly: Add configuration for cdn.dl.k8s.io

d98845b

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam added a commit to ameukam/k8s.io that referenced this issue May 26, 2023

fastly: Add configuration for cdn.dl.k8s.io

0219433

Related: - kubernetes#4528 Add Fastly configuration for cdn.dl.k8s.io Add a TLS subscription for cdn.dl.k8s.io Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam added a commit to ameukam/k8s.io that referenced this issue May 26, 2023

Fastly: Add a GCS bucket for Terraform remote state

6adeb0a

Ref: kubernetes#4528 Ensure TF states for the fastly services are stored in a GCS bucket. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam mentioned this issue May 26, 2023

Fastly: Add a GCS bucket for Terraform remote state #5326

Merged

ameukam added a commit to ameukam/k8s.io that referenced this issue May 26, 2023

Fastly: Add a GCS bucket for Terraform remote state

04a7f26

Ref: kubernetes#4528 Ensure TF states for the fastly services are stored in a GCS bucket. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam mentioned this issue May 27, 2023

cdn.dl.k8s.io: Add ACME challenge for Fastly TLS certificate #5332

Merged

ameukam added a commit to ameukam/k8s.io that referenced this issue May 27, 2023

cdn.dl.k8s.io: Add ACME challenge for Fastly TLS certificate

e3a2cf5

Ref: kubernetes#4528 Verifiying domain ownership using ACME DNS challenge Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

ameukam mentioned this issue Jun 1, 2023

cdn.dl.k8s.io: Add Fastly endpoint for dualstack #5350

Merged

ameukam mentioned this issue Jul 17, 2023

cdn.dl.k8s.io: Force TLS redirect #5561

Merged

ameukam mentioned this issue Jul 21, 2023

cdn.dl.k8s.io: Reduce the first byte timeout #5597

Merged

ameukam added a commit to ameukam/k8s.io that referenced this issue Jul 24, 2023

dl.k8s.io: Switch to Fastly

091be3c

Related to: - kubernetes#4528 Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

This was referenced Jul 24, 2023

dl.k8s.io: Switch to Fastly #5603

Merged

dl.k8s.io: Set long TTLs in Fastly cache #5629

Closed

dl.k8s.io: Inject the host in the response from the origin #5631

Closed

k8s-ci-robot closed this as completed Sep 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Shield dl.k8s.io with Fastly #4528

Shield dl.k8s.io with Fastly #4528

ameukam commented Dec 7, 2022 •

edited

Loading

ameukam commented Feb 4, 2023

k8s-triage-robot commented May 16, 2023

ameukam commented May 16, 2023

ameukam commented Sep 4, 2023

k8s-ci-robot commented Sep 4, 2023

Shield dl.k8s.io with Fastly #4528

Shield dl.k8s.io with Fastly #4528

Comments

ameukam commented Dec 7, 2022 • edited Loading

ameukam commented Feb 4, 2023

k8s-triage-robot commented May 16, 2023

ameukam commented May 16, 2023

ameukam commented Sep 4, 2023

k8s-ci-robot commented Sep 4, 2023

ameukam commented Dec 7, 2022 •

edited

Loading