ecr-token-refresh
Refresh ECR token as Kubernetes Secret used toimagePullSecrets.
It creates a secret of kubernetes.io/dockerconfigjson type.
Environment variables
| Name | Required | Description | Default |
|---|---|---|---|
AWS_REGION |
yes | AWS region of ECR registry | - |
AWS_ACCESS_KEY_ID |
yes | AWS access key associated with an IAM user or role | - |
AWS_SECRET_ACCESS_KEY |
yes | the secret key associated with the access key | - |
KUBE_SECRET_NAME |
no | Name of the Secret contains image pull credential | ecr-pull-secret-$AWS_REGION |
KUBE_NAMESPACE |
no | Namespace which secret applied to | default |
Required IAM permission for AWS_ACCESS_KEY_ID
Usage
Below shows creating ECR token in default namespace.
Create a secret of IAM credential:
kubectl create secret \
generic ecr-credential \
--from-literal=REGION=<YOUR_AWS_REGION> \
--from-literal=AWS_ACCESS_KEY_ID=<YOUR_AWS_ACCESS_KEY_ID> \
--from-literal=AWS_SECRET_ACCESS_KEY=<YOUR_AWS_SECRET_ACCESS_KEY> \
--from-literal=KUBE_NAMESPACE=default \
--namespace=defaultCreate a Service Account to authorize CronJob:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
name: svac-ecr
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: role-ecr
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rb-ecr
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-ecr
subjects:
- kind: ServiceAccount
name: svac-ecr
---
EOFCreate ECR token refresh CronJob which runs every 6 hours:
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: cronjob-ecr-token-refresh
spec:
schedule: "0 */6 * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 5
jobTemplate:
spec:
template:
spec:
restartPolicy: Never
serviceAccountName: svac-ecr
containers:
- name: ecr-token-refresh
image: ghcr.io/gurrpi/ecr-token-refresh:v0.1.1
imagePullPolicy: IfNotPresent
env:
- name: AWS_REGION
valueFrom:
secretKeyRef:
key: REGION
name: ecr-credential
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: AWS_ACCESS_KEY_ID
name: ecr-credential
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: AWS_SECRET_ACCESS_KEY
name: ecr-credential
- name: KUBE_NAMESPACE
valueFrom:
secretKeyRef:
key: KUBE_NAMESPACE
name: ecr-credential
backoffLimit: 1
EOFCompatibility
Developed for Kubernetes version v1.18. Other minor version may not work.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent