Skip to content

fix(recipes): document aws-efa regional ECR override pattern#774

Merged
mchmarny merged 2 commits into
mainfrom
fix/aws-efa-regional-ecr-doc
May 6, 2026
Merged

fix(recipes): document aws-efa regional ECR override pattern#774
mchmarny merged 2 commits into
mainfrom
fix/aws-efa-regional-ecr-doc

Conversation

@mchmarny

@mchmarny mchmarny commented May 6, 2026

Copy link
Copy Markdown
Member

Summary

Closes #764. Non-breaking: us-west-2 stays as the in-tree default; this PR adds the documentation and override paths needed for non-us-west-2 deployments via AICR's existing --set / --dynamic mechanisms.

Motivation / Context

recipes/components/aws-efa/values.yaml pins the EFA device plugin image to 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin. AWS publishes EKS add-ons regionally — every EKS cluster pulls from its own region's private ECR over the AWS internal backbone. Customers in any region other than us-west-2 today either pay cross-region NAT egress to pull from us-west-2 or fail entirely if cross-region access is blocked.

Fixes #764. Refs #739.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Documentation update

Component(s) Affected

  • Recipe data (recipes/components/aws-efa/values.yaml — comment only)
  • Docs (docs/integrator/recipe-development.md, docs/user/container-images.md)

Implementation Notes

Why documentation rather than templating. AICR's bundler doesn't process Go templates on base values files today — the override mechanisms are --set (bake-in at bundle time) and --dynamic (placeholder for install-time fill). The original issue's draft fix proposed {{ .region }} syntax in values.yaml; verifying the bundler showed that wouldn't actually work. Adding template processing on base values is a feature change with broader scope. The pragmatic fix uses the existing mechanisms.

Comment block in values.yaml explains the regional pattern and shows both override paths plus partition-aware account IDs (standard / GovCloud / China).

Recipe-development doc gets a new Regional registry overrides section under Advanced Topics with worked examples for both --set (single-region bundle) and --dynamic (one bundle, many regions) plus the partition table.

BOM doc prose flags the regional caveat in the Registries spanned section so a reader can immediately tell the us-west-2 host shown in the auto-generated table is overridable.

Auto-generated BOM table is byte-identical because in-tree defaults didn't change. Verified via md5 round-trip on make bom-docs.

Testing

unset GITLAB_TOKEN && make qualify
# Codebase qualification completed

md5sum docs/user/container-images.md
# d600e5b7a16444b0b9866eb5a1a0f9c0  docs/user/container-images.md

make bom-docs
# Updated docs/user/container-images.md (prose preserved, auto-generated section refreshed)

md5sum docs/user/container-images.md
# d600e5b7a16444b0b9866eb5a1a0f9c0  docs/user/container-images.md

Risk Assessment

  • Low — Pure docs / comment change. No code paths touched. Default image URI unchanged. Easy to revert.

Rollout notes: Existing bundles produced without an override behave identically. New deployments outside us-west-2 should follow the new doc section.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality (n/a — docs/comment-only)
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

Closes #764. Non-breaking: us-west-2 stays as the in-tree default; this
PR adds the documentation and override paths needed for non-us-west-2
deployments via the existing --set / --dynamic mechanisms.

What's added:

- recipes/components/aws-efa/values.yaml: comment block above the
  image.repository field explaining the regional ECR pattern, the
  override paths (--set at bundle time, --dynamic at install time),
  and the partition-aware account IDs (standard / GovCloud / China).

- docs/integrator/recipe-development.md: new "Regional registry
  overrides" section under Advanced Topics with worked --set and
  --dynamic examples and the partition table.

- docs/user/container-images.md (prose): the "Regional ECR" entry in
  the Registries spanned section now flags that the us-west-2 default
  shown in the auto-generated table is overridable, with a link to the
  recipe-development doc.

What's NOT changed:

- The default image URI in values.yaml stays at us-west-2. Existing
  bundles produced without an override behave identically — no
  behavior change for current users.

- AICR's bundler does not (today) process Go templates on base values
  files, so the fix uses the existing --set / --dynamic mechanisms
  rather than introducing a new templating layer in pkg/bundler.
  Adding template processing would be a feature change with broader
  scope than this issue calls for.

The published BOM auto-generated section is therefore byte-identical to
before; only the prose changes. Verified via md5 round-trip on
make bom-docs.
@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

@mchmarny mchmarny enabled auto-merge (squash) May 6, 2026 10:51
@coderabbitai

This comment was marked as resolved.

@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 75.1%
Threshold 70%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-75.1%25-green)

No Go source files changed in this PR.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/integrator/recipe-development.md (1)

70-72: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the Table of Contents to include the new section.

The new ### Regional registry overrides section (Line 491) is missing from the Advanced Topics ToC block, which makes navigation inconsistent in this long guide.

Suggested edit
   - [Advanced Topics](`#advanced-topics`)
     - [External Data Sources](`#external-data-sources`)
+    - [Regional registry overrides](`#regional-registry-overrides`)
As per coding guidelines: “When writing documentation… clearly structure content… and document operational clarity.”

Also applies to: 491-491

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/integrator/recipe-development.md` around lines 70 - 72, The Advanced
Topics table-of-contents block is missing the new "Regional registry overrides"
section; update the ToC by adding an entry that matches the heading text and
slug (e.g., add a bullet like "Regional registry overrides" linking to
"#regional-registry-overrides") under the "Advanced Topics" list so the new
section at heading "Regional registry overrides" is discoverable in the
document; ensure the link text exactly matches the H3 heading and the anchor
follows the repo's slug rules used elsewhere in the ToC.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@recipes/components/aws-efa/values.yaml`:
- Line 23: The comment points out a wording mismatch in the values.yaml comment
referencing "across all standard AWS partitions"; update the comment that
mentions "Account ID 602401143452" to say the account ID is stable across
standard AWS regions (or simply "AWS regions") instead of "partitions" so it
correctly reflects regional stability and avoids confusion with the partition
table below.

---

Outside diff comments:
In `@docs/integrator/recipe-development.md`:
- Around line 70-72: The Advanced Topics table-of-contents block is missing the
new "Regional registry overrides" section; update the ToC by adding an entry
that matches the heading text and slug (e.g., add a bullet like "Regional
registry overrides" linking to "#regional-registry-overrides") under the
"Advanced Topics" list so the new section at heading "Regional registry
overrides" is discoverable in the document; ensure the link text exactly matches
the H3 heading and the anchor follows the repo's slug rules used elsewhere in
the ToC.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 5d197a84-73d2-4d31-b0f2-2e6db075c055

📥 Commits

Reviewing files that changed from the base of the PR and between 76adade and 543b464.

📒 Files selected for processing (3)
  • docs/integrator/recipe-development.md
  • docs/user/container-images.md
  • recipes/components/aws-efa/values.yaml

# to pull from. The default below points at us-west-2; deploying in any other
# region requires overriding the registry's region segment.
#
# Account ID 602401143452 is stable across all standard AWS partitions.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify partition wording to avoid a factual mismatch.

Line 23 says “across all standard AWS partitions,” but there is only one standard partition (aws); the stability is across standard AWS regions. Recommend rewording to avoid confusion with the partition table below.

Suggested edit
-# Account ID 602401143452 is stable across all standard AWS partitions.
+# Account ID 602401143452 is stable across standard AWS regions (partition `aws`).
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Account ID 602401143452 is stable across all standard AWS partitions.
# Account ID 602401143452 is stable across standard AWS regions (partition `aws`).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@recipes/components/aws-efa/values.yaml` at line 23, The comment points out a
wording mismatch in the values.yaml comment referencing "across all standard AWS
partitions"; update the comment that mentions "Account ID 602401143452" to say
the account ID is stable across standard AWS regions (or simply "AWS regions")
instead of "partitions" so it correctly reflects regional stability and avoids
confusion with the partition table below.

@mchmarny mchmarny merged commit 4489e91 into main May 6, 2026
69 checks passed
@mchmarny mchmarny deleted the fix/aws-efa-regional-ecr-doc branch May 6, 2026 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(recipes): aws-efa hardcodes us-west-2 ECR; should template region (and partition)

2 participants