Allow for Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets
.
- The tool runs as a pod in the
kube-system
namespace.
- It gets credentials from AWS ECR or Google Container Registry
- Next it creates a secret with credentials for your registry
- Then it sets up this secret to be used in the
ImagePullSecrets
for the default service account - Whenever a pod is created, this secret is attached to the pod
- The container will refresh the credentials by default every 60 minutes
- Enabled for use with Minikube as an addon
NOTE: This will setup credentials across ALL namespaces!
The following parameters are driven via Environment variables.
- Environment Variables:
- AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS.
- awsaccount: Comma separated list of AWS Account Ids.
- awsregion: (optional) Can override the default AWS region by setting this variable.
- aws-assume-role (optional) can provide a role ARN that will be assumed for getting ECR authorization tokens
Note: The region can also be specified as an arg to the binary.
- TOKEN_RETRY_TYPE: The type of Timer to use when getting a registry token fails and must be retried; "simple" or "exponential" (default: simple)
- TOKEN_RETRIES: The number of times to retry getting a registry token if an error occurred (default: 3)
- TOKEN_RETRY_DELAY: The number of seconds to delay between successive retries at getting a registry token; applies to "simple" retry timer only (default: 5)
-
Clone the repo and navigate to directory
-
Configure
-
If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:
{ "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:BatchGetImage" ], "Resource": "*" }
-
If you are not running in AWS Cloud, then you can still use this tool! Edit & create the sample secret and update values for
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,aws-account
, andaws-region
(base64 encoded).echo -n "secret-key" | base64 kubectl create -f k8s/secret.yaml
-
-
Create the replication controller.
kubectl create -f k8s/replicationController.yaml
NOTE: If running on premise, no need to provide
AWS_ACCESS_KEY_ID
orAWS_SECRET_ACCESS_KEY
since that will come from the EC2 instance. -
Use
awsecr-cred
for name ofimagePullSecrets
on yourdeployment.yaml
file.
-
Clone the repo and navigate to directory
-
Input your
application_default_credentials.json
information into thesecret.yaml
template located here: The value forapplication_default_credentials.json
can be obtained with the following command:base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json
-
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
-
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
-
Clone the repo and navigate to directory
-
Edit the sample secret and update values for
DOCKER_PRIVATE_REGISTRY_SERVER
,DOCKER_PRIVATE_REGISTRY_USER
, andDOCKER_PRIVATE_REGISTRY_PASSWORD
(base64 encoded).echo -n "secret-key" | base64
-
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
-
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
If you want to hack on this project:
- Clone the repo
- Build:
make build
- Test:
make test
- Run on your machine:
go run ./main.go --kubecfg-file=<pathToKubecfgFile>
Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/