ecr-token-refresh

Refreshes the ECR authorization token and stores it as a Kubernetes Secret for use in `imagePullSecrets`. The Secret it creates is of type `kubernetes.io/dockerconfigjson`.

Environment variables

| Name | Required | Description | Default |
|---|---|---|---|
| AWS_REGION | yes | AWS region of the ECR registry | - |
| AWS_ACCESS_KEY_ID | yes | AWS access key ID of the IAM user or role used to call ECR | - |
| AWS_SECRET_ACCESS_KEY | yes | Secret access key paired with the access key ID | - |
| KUBE_SECRET_NAME | no | Name of the Secret that holds the image pull credential | ecr-pull-secret-$AWS_REGION |
| KUBE_NAMESPACE | no | Namespace the Secret is written to | default |
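What the refreshed Secret actually contains is easy to get wrong, so here is an added example (not the ecr-token-refresh project's own code) that turns an ECR `GetAuthorizationToken` response into the `kubernetes.io/dockerconfigjson` Secret described above, using the default name `ecr-pull-secret-$AWS_REGION`. It assumes the response shape AWS documents for that API (`authorizationToken` is base64 of `AWS:<password>`, `proxyEndpoint` is the registry URL, `expiresAt` is 12 hours after issue); the token and account number below are constructed sample data, not a real credential, and `refresh_interval_ok` is a helper written for this example.

```python
"""Build the kubernetes.io/dockerconfigjson Secret that an ECR token refresh writes.

Added example, not code from the ecr-token-refresh project. It assumes the
GetAuthorizationToken response shape documented by AWS: authorizationToken is
base64("AWS:<password>") and proxyEndpoint is the registry URL. The constants
below are constructed sample data, not a real token.
"""
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Constructed sample of what a real job would get from
# boto3.client("ecr", region_name=AWS_REGION).get_authorization_token()["authorizationData"][0]
SAMPLE_ISSUED_AT = datetime(2021, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_PASSWORD = "eyJwYXlsb2FkIjoiZXhhbXBsZSJ9"  # placeholder, not a real ECR password
SAMPLE_TOKEN = base64.b64encode(("AWS:" + SAMPLE_PASSWORD).encode()).decode()
SAMPLE_REGISTRY = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"  # fictitious account
SAMPLE_AUTH_DATA = {
    "authorizationToken": SAMPLE_TOKEN,
    "expiresAt": SAMPLE_ISSUED_AT + timedelta(hours=12),  # ECR tokens are valid for 12 hours
    "proxyEndpoint": SAMPLE_REGISTRY,
}


def split_token(authorization_token: str) -> Tuple[str, str]:
    """Decode an ECR authorization token into (username, password).

    ECR always issues the user name "AWS"; anything else is not an ECR token
    and must not be written into a pull secret.
    """
    raw = base64.b64decode(authorization_token).decode()
    user, sep, password = raw.partition(":")
    if sep != ":" or user != "AWS" or not password:
        raise ValueError("not an ECR authorization token")
    return user, password


def build_dockerconfigjson(auth_data: dict) -> str:
    """Render the docker config JSON that kubelet reads from the Secret."""
    user, password = split_token(auth_data["authorizationToken"])
    # "auth" is base64("user:password"), which is exactly the original token.
    entry = {"username": user, "password": password, "auth": auth_data["authorizationToken"]}
    return json.dumps({"auths": {auth_data["proxyEndpoint"]: entry}}, separators=(",", ":"))


def build_secret_manifest(name: str, namespace: str, auth_data: dict) -> dict:
    """Manifest for the Secret that Pods reference in imagePullSecrets."""
    config = build_dockerconfigjson(auth_data)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # Annotation is this example's own convention, so the expiry is visible to operators.
            "annotations": {"ecr-token-refresh/expires-at": auth_data["expiresAt"].isoformat()},
        },
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def read_auths(manifest: dict) -> Dict[str, dict]:
    """Decode the registry entries back out of a manifest (what kubelet sees)."""
    config = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return json.loads(config)["auths"]


def refresh_interval_ok(auth_data: dict, issued_at: datetime, schedule_hours: int) -> bool:
    """True when the CronJob period is shorter than the token lifetime.

    A schedule that runs less often than the token lives leaves a window in
    which image pulls fail against ECR with an authentication error.
    """
    return issued_at + timedelta(hours=schedule_hours) < auth_data["expiresAt"]


if __name__ == "__main__":
    manifest = build_secret_manifest("ecr-pull-secret-us-east-1", "default", SAMPLE_AUTH_DATA)
    print(json.dumps(manifest, indent=2))
```

Piping the printed manifest into `kubectl apply -f -` yields the same kind of object the CronJob below maintains. The Role granted to the CronJob has `get`, `create` and `delete` on secrets but not `update` or `patch`, so the job's refresh is a replace (delete the old Secret, create the new one) rather than an in-place update; Pods that are already running keep their pulled images and only new pulls read the new Secret.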

Required IAM permission for AWS_ACCESS_KEY_ID

Usage

The steps below create the ECR pull Secret in the `default` namespace.

First, store the IAM credential in a Secret. The key `REGION` is mapped to the `AWS_REGION` environment variable by the CronJob in the last step; `KUBE_NAMESPACE` is the namespace the pull Secret will be written to, so the RBAC objects in the next step must be created in that same namespace:

```sh
kubectl create secret generic ecr-credential \
  --from-literal=REGION=<YOUR_AWS_REGION> \
  --from-literal=AWS_ACCESS_KEY_ID=<YOUR_AWS_ACCESS_KEY_ID> \
  --from-literal=AWS_SECRET_ACCESS_KEY=<YOUR_AWS_SECRET_ACCESS_KEY> \
  --from-literal=KUBE_NAMESPACE=default \
  --namespace=default
```

Create a Service Account, a namespace-scoped Role and a RoleBinding that authorize the CronJob to manage the pull Secret. The Role grants `get`, `create` and `delete` on every Secret in the namespace (a `create` rule cannot be narrowed with `resourceNames`, since the object does not exist yet; `get` and `delete` can be restricted to the pull Secret's name if you want to keep the job from reading other Secrets in the namespace):

```sh
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: svac-ecr
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-ecr
rules:
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - create
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rb-ecr
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-ecr
subjects:
  - kind: ServiceAccount
    name: svac-ecr
EOF
```

Create the ECR token refresh CronJob. It runs every 6 hours; an ECR authorization token is valid for 12 hours, so each refresh lands well before the previous token expires:

```sh
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: cronjob-ecr-token-refresh
spec:
  schedule: "0 */6 * * *"
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          serviceAccountName: svac-ecr
          containers:
            - name: ecr-token-refresh
              image: ghcr.io/gurrpi/ecr-token-refresh:v0.1.1
              imagePullPolicy: IfNotPresent
              env:
                - name: AWS_REGION
                  valueFrom:
                    secretKeyRef:
                      key: REGION
                      name: ecr-credential
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      key: AWS_ACCESS_KEY_ID
                      name: ecr-credential
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      key: AWS_SECRET_ACCESS_KEY
                      name: ecr-credential
                - name: KUBE_NAMESPACE
                  valueFrom:
                    secretKeyRef:
                      key: KUBE_NAMESPACE
                      name: ecr-credential
      backoffLimit: 1
EOF
```

Compatibility

Developed against Kubernetes v1.18; other minor versions may not work. The CronJob manifest above uses `batch/v1beta1`, which is the API available on v1.18 but is no longer served from v1.25 on; on v1.21 or later, use `batch/v1` instead.

Alternatives