This controller has a feature to renew image-pull secrets for AWS ECR. Since docker login for AWS ECR expires at 12 hours later, the controller is needed for non EKS.
This controller checks all image pull secrets every 10 second. The controller acts as the followings.
image pull secret | expiration | action |
---|---|---|
not exists | creates a new image pull secret | |
exists | valid | does nothing |
exists | expired | deletes old image pull secret and creates new one |
$ kind create cluster
$ make apply-manifests
$ make build
$ make run
$ kind create cluster
$ make apply-manifests
$ make build-image
$ make port-forward &
$ make push-image
apiVersion: v1
kind: Secret
metadata:
name: example-login-secret
labels:
supercaracal.example.com/used-by: "aws-ecr-image-pull-secret-controller"
annotations:
supercaracal.example.com/aws-ecr-image-pull-secret.name: "example-image-pull-secret"
supercaracal.example.com/aws-ecr-image-pull-secret.email: "foobar@example.com"
supercaracal.example.com/aws-ecr-image-pull-secret.aws_account_id: "000000000000"
supercaracal.example.com/aws-ecr-image-pull-secret.aws_region: "ap-northeast-1"
type: Opaque
data:
AWS_ACCESS_KEY_ID: "**********base64 encoded text**********"
AWS_SECRET_ACCESS_KEY: "**********base64 encoded text**********"
$ cp config/example-secret.yaml config/secret.yaml
$ vi config/secret.yaml
$ kubectl --context=kind-kind apply -f config/secret.yaml
$ kubectl --context=kind-kind get secrets
NAME TYPE DATA AGE
controller-token-8bmfl kubernetes.io/service-account-token 3 37m
default-token-s4wsj kubernetes.io/service-account-token 3 39m
example-image-pull-secret kubernetes.io/dockerconfigjson 1 10m
example-login-secret Opaque 2 33m
$ kubectl --context=kind-kind get secrets example-image-pull-secret -o json | jq -r .data.'".dockerconfigjson"' | base64 -d | jq .
{
"auths": {
"https://000000000000.dkr.ecr.ap-northeast-1.amazonaws.com": {
"username": "AWS",
"password": "*****************************************",
"email": "foo@example.com",
"auth": "*****************************************"
}
}
}