
Registry Credentials

Allow for Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets.

How it works

  • The tool runs as a pod in the kube-system namespace.
  • It gets credentials from AWS ECR, Google Container Registry, a Docker private registry, or Azure Container Registry.
  • Next it creates a secret with credentials for your registry.
  • Then it sets up this secret to be used in the ImagePullSecrets for the default service account.
  • Whenever a pod is created, this secret is attached to the pod.
  • The container will refresh the credentials by default every 60 minutes.
  • Enabled for use with Minikube as an addon.

NOTE: This will setup credentials across ALL namespaces!
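What one refresh cycle produces, as an added Go example written for this page (it is not the project's own code, which talks to the API server through client-go): it turns an ECR authorization token into the .dockerconfigjson payload stored in the pull secret, and attaches the secret name to a service account's imagePullSecrets only when it is not already listed, so the hourly refresh stays idempotent. The endpoint, account id and token are constructed sample values.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// dockerConfig mirrors the layout of a kubernetes.io/dockerconfigjson secret:
// {"auths": {"<registry endpoint>": {"username": ..., "password": ..., "auth": ...}}}
type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("username:password"), what the kubelet actually sends
}

// BuildDockerConfigJSON turns one ECR authorization token (ecr:GetAuthorizationToken
// returns base64("AWS:<password>") plus a proxy endpoint) into the .dockerconfigjson
// document that goes into the pull secret. The token is only valid for ~12 hours,
// which is why the tool rewrites the secret on a timer.
func BuildDockerConfigJSON(proxyEndpoint, authorizationToken string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(authorizationToken)
	if err != nil {
		return nil, fmt.Errorf("authorization token is not base64: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, errors.New("authorization token must decode to user:password")
	}
	user, pass := parts[0], parts[1]
	cfg := dockerConfig{Auths: map[string]dockerAuth{
		proxyEndpoint: {
			Username: user,
			Password: pass,
			Auth:     base64.StdEncoding.EncodeToString([]byte(user + ":" + pass)),
		},
	}}
	return json.Marshal(cfg)
}

// EnsurePullSecret returns the service account's imagePullSecrets with name added
// and reports whether the service account actually needs an update. Refreshing
// every 60 minutes must not keep appending duplicate entries.
func EnsurePullSecret(imagePullSecrets []string, name string) ([]string, bool) {
	for _, s := range imagePullSecrets {
		if s == name {
			return imagePullSecrets, false
		}
	}
	merged := append([]string(nil), imagePullSecrets...)
	return append(merged, name), true
}

func main() {
	// Constructed sample token; a real one decodes to "AWS:<opaque password>".
	token := base64.StdEncoding.EncodeToString([]byte("AWS:constructed-ecr-password"))
	cfg, err := BuildDockerConfigJSON("https://123456789012.dkr.ecr.us-east-1.amazonaws.com", token)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(cfg))

	sa, changed := EnsurePullSecret([]string{"some-other-secret"}, "awsecr-cred")
	fmt.Println(sa, changed) // [some-other-secret awsecr-cred] true
	sa, changed = EnsurePullSecret(sa, "awsecr-cred")
	fmt.Println(sa, changed) // [some-other-secret awsecr-cred] false
}
```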

Parameters

The following parameters are driven via Environment variables.

  • Environment Variables:
    • AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS.
    • awsaccount: Comma separated list of AWS Account Ids.
    • awsregion: (optional) Can override the default AWS region by setting this variable.
    • aws-assume-role: (optional) A role ARN that will be assumed when getting ECR authorization tokens.

      Note: The region can also be specified as an arg to the binary.

    • TOKEN_RETRY_TYPE: The type of Timer to use when getting a registry token fails and must be retried; "simple" or "exponential" (default: simple)
    • TOKEN_RETRIES: The number of times to retry getting a registry token if an error occurred (default: 3)
    • TOKEN_RETRY_DELAY: The number of seconds to delay between successive retries at getting a registry token; applies to "simple" retry timer only (default: 5)
    • GCRURL: URL to Google Container Registry
    • DOCKER_PRIVATE_REGISTRY_SERVER, DOCKER_PRIVATE_REGISTRY_USER, DOCKER_PRIVATE_REGISTRY_PASSWORD: the URL, user name, and password for a Docker private registry
    • ACR_URL, ACR_CLIENT_ID, ACR_PASSWORD: the registry URL, client ID, and password used to access an Azure Container Registry.

How to setup running in AWS

  1. Clone the repo and navigate to directory

  2. Configure

    1. If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:

      {
        "Effect": "Allow",
        "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:DescribeRepositories",
          "ecr:ListImages",
          "ecr:BatchGetImage"
        ],
        "Resource": "*"
      }
    2. If you are not running in AWS Cloud, then you can still use this tool! Edit & create the sample secret and update values for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, aws-account, and aws-region (base64 encoded).

      echo -n "secret-key" | base64
      
      kubectl create -f k8s/secret.yaml
  3. Create the replication controller.

    kubectl create -f k8s/replicationController.yaml

    NOTE: If running on premise, no need to provide AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY since that will come from the EC2 instance.

  4. Use awsecr-cred for name of imagePullSecrets on your deployment.yaml file.

How to setup running in GCR

  1. Clone the repo and navigate to directory

  2. Input your application_default_credentials.json information into the secret.yaml template located here: The value for application_default_credentials.json can be obtained with the following command:

    base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json
  3. Create the secret in kubernetes

    kubectl create -f k8s/secret.yml
  4. Create the replication controller:

    kubectl create -f k8s/replicationController.yaml

How to setup running in Docker Private Registry

  1. Clone the repo and navigate to directory

  2. Edit the sample secret and update values for DOCKER_PRIVATE_REGISTRY_SERVER, DOCKER_PRIVATE_REGISTRY_USER, and DOCKER_PRIVATE_REGISTRY_PASSWORD (base64 encoded).

    echo -n "secret-key" | base64
  3. Create the secret in kubernetes

    kubectl create -f k8s/secret.yml
  4. Create the replication controller:

    kubectl create -f k8s/replicationController.yaml

How to set up Azure Container Registry

  1. Create a service principal that your Kubernetes cluster will use to access the registry.

  2. Clone the repo and navigate to the repo root

  3. Edit the sample secret and update values for ACR_URL, ACR_CLIENT_ID, and ACR_PASSWORD (base64 encoded). Use service principal application ID as the client ID, and service principal password (client secret) as the password.

    echo -n "secret-key" | base64
  4. Create the secret in kubernetes

    kubectl create -f k8s/secret.yml
  5. Create the replication controller:

    kubectl create -f k8s/replicationController.yaml


Developing Locally

If you want to hack on this project:

  1. Clone the repo
  2. Build: make build
  3. Test: make test
  4. Run on your machine: go run ./main.go --kubecfg-file=<pathToKubecfgFile>

About

Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/


registry-creds's Issues

Attempting to get working

  1. What is the correct entry in the secrets.yml file for aws-assume-role if I am not using it?
    aws-assume-role: ""

  2. Why is AWS_SESSION_TOKEN in secrets.yml file twice? One is showing a value and the other isn't?

  3. What is the value for using the Docker private for imagePullSecrets?

  4. I deploy the secrets.yml file and then the replicationController but the replicator can't seem get the image upmcenterprises/registry-creds pulled into Kube. I can pull it locally to the node

Namespace:    kube-system
Selector:     name=registry-creds,version=v1.9
Labels:       version=v1.6
Annotations:  <none>
Replicas:     1 current / 1 desired
Pods Status:  0 Running / 1 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:  name=registry-creds
           version=v1.9
  Containers:
   registry-creds:
    Image:      upmcenterprises/registry-creds:1.9
    Port:       <none>
    Host Port:  <none>
    Environment:
      AWS_ACCESS_KEY_ID:                 <set to the key 'AWS_ACCESS_KEY_ID' in secret 'registry-creds-ecr'>                 Optional: false
      AWS_SECRET_ACCESS_KEY:             <set to the key 'AWS_SECRET_ACCESS_KEY' in secret 'registry-creds-ecr'>             Optional: false
      awsaccount:                        <set to the key 'aws-account' in secret 'registry-creds-ecr'>                       Optional: false
      awsregion:                         <set to the key 'aws-region' in secret 'registry-creds-ecr'>                        Optional: false
      aws_assume_role:                   <set to the key 'aws-assume-role' in secret 'registry-creds-ecr'>                   Optional: false
      DOCKER_PRIVATE_REGISTRY_PASSWORD:  <set to the key 'DOCKER_PRIVATE_REGISTRY_PASSWORD' in secret 'registry-creds-dpr'>  Optional: false
      DOCKER_PRIVATE_REGISTRY_SERVER:    <set to the key 'DOCKER_PRIVATE_REGISTRY_SERVER' in secret 'registry-creds-dpr'>    Optional: false
      DOCKER_PRIVATE_REGISTRY_USER:      <set to the key 'DOCKER_PRIVATE_REGISTRY_USER' in secret 'registry-creds-dpr'>      Optional: false
    Mounts:
      /root/.config/gcloud from gcr-creds (ro)
  Volumes:
   gcr-creds:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  registry-creds-gcr
    Optional:    false
Events:
  Type    Reason            Age   From                    Message
  ----    ------            ----  ----                    -------
  Normal  SuccessfulCreate  45s   replication-controller  Created pod: registry-creds-24kfm

I am really hoping to be able to use this tool and standardize on docker registry interactions.

Thank you for making this tool. 

Allow AWS region to be specified in secret

Would be nice to allow the user to specify the region in a secret, right now it must be done via args (See #14) in the Replication Controller which requires the user to make multiple edits to enable the feature as a minikube addon.

ECR Assume Role issues

I am trying to install the helm chart on a bare metal K8s cluster, and I am seeing the error below:

[root@node1 ~]# helm install registry-creds \
--set ecr.enabled=true \
--set-string ecr.awsAccessKeyId="xxx" \
--set-string ecr.awsSecretAccessKey="yyy" \
--set-string ecr.awsAccount="gggg" \
--set-string ecr.awsRegion="us-east-1" \
kir4h/registry-creds
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: unknown object type "nil" in Secret.data.aws-assume-role

ErrImagePull after creating pod

Hello,

I'm trying to use your app to pull images from an ECR private registry. The registry is working when I pull from docker on my local machine using the aws cli as usual. I'm getting an ErrImagePull error every time I try to create a pod that needs an image from that registry:

$ kubectl get pod my-pod
NAME      READY     STATUS         RESTARTS   AGE
my-pod     0/1       ErrImagePull   0          8s

I've followed the next steps:

  1. Edit k8s/secret.yaml file with my obscured aws credentials (base64)
  2. Create secret:
    $ kubectl create -f k8s/secret.yaml
  3. Activate minikube awsecr-creds addon
    $ minikube addons list
    - dashboard: enabled
    - kube-dns: enabled
    - heapster: disabled
    - ingress: disabled
    - awsecr-creds: enabled
    - addon-manager: enabled
  4. Create rc with region parameter attached as an argument args:
    "--aws-region=eu-west-1"
    $ kubectl create -f k8s/replicationController.yaml

  5. Create my-pod with image parameter pointing to my ecr
    $ kubectl create -f mypod.yaml

apiVersion: v1
kind: Pod
metadata:
    name: my-pod
spec:
  containers:
  - name: my-pod
    image: XXXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com/my-pod:latest

When I describe my-pod I can see that it is effectively a credentials issue:

Failed to pull image "XXXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com/my-pod:latest": unauthorized: authentication required

Can you see anything wrong on the process I'm following?

Thanks

How to deploy to minikube automatically?

So, I understand how to deploy with minikube addons configure registry-creds, etc. but I want to deploy this automatically on minikube start without having to run the commands.

Minikube docs say you can put an addon into ~/.minikube/addons and it will enable the addon on startup, but it isn't clear to me what to put in that folder? The yaml files, or the golang binary, or what?

Your docs seem to indicate that I can just deploy the two yaml files in k8s folder after modifying for appropriate secret values. So just deploy the secrets and the replication controller. Will that work without having to mess with minikube addons at all?

Thanks for the clarification.

Kubernetes 1.6 RBAC support

For anyone interested who wants to use this with Kubernetes 1.6.2 and RBAC enabled using a Deployment instead of ReplicaSet for pulling images from AWS ECR, see the following snippet:

apiVersion: v1
kind: Secret
metadata:
  name: registry-creds-ecr
  namespace: kube-system
  labels:
    app: registry-creds
    cloud: ecr
data:
  AWS_ACCESS_KEY_ID: BASE64_ENCODED(AWS_ACCESS_KEY_ID)
  AWS_SECRET_ACCESS_KEY: BASE64_ENCODED(AWS_SECRET_ACCESS_KEY)
  aws-account: BASE64_ENCODED(aws-account-id)
  aws-region: BASE64_ENCODED(aws-region)
type: Opaque
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
    name: registry-creds
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: registry-creds
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-creds
subjects:
  - kind: ServiceAccount
    name: registry-creds
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-creds
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    version: v1.7
  name: registry-creds
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: registry-creds
        version: v1.7
    spec:
      serviceAccountName: registry-creds
      containers:
      - image: upmcenterprises/registry-creds:1.7
        name: registry-creds
        imagePullPolicy: Always
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: AWS_ACCESS_KEY_ID
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: AWS_SECRET_ACCESS_KEY
          - name: awsaccount
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: aws-account
          - name: awsregion
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: aws-region

Watch Namespaces

Need to add a watch to namespaces, each time one is created, call the process cycle so that it gets updated with credentials.

can't retrieve images from eu.gcr.io

It works fine with gcr.io images but it fails for the eu subdomain:

rpc error: code = 2 desc = Error response from daemon: denied: Permission denied for "latest" from request

registry-creds stopped working

Hi,

I am using registry-creds in a fairly automated setup and it suddenly stopped working: secrets are not being created/refreshed.

The output of the registry-creds pod is as follows:

registry-creds-kbk1l registry-creds 2017/07/18 15:02:55 Starting up...
registry-creds-kbk1l registry-creds 2017/07/18 15:02:55 Using AWS Account: 709270720734
registry-creds-kbk1l registry-creds 2017/07/18 15:02:55 Using AWS Region: eu-west-1
registry-creds-kbk1l registry-creds 2017/07/18 15:02:55 Refresh Interval (minutes): 60
registry-creds-kbk1l registry-creds time="2017-07-18T15:02:55Z" level=info msg="Using InCluster k8s config"
registry-creds-kbk1l registry-creds 2017/07/18 15:02:55 Refreshing credentials...
registry-creds-kbk1l registry-creds time="2017-07-18T15:02:55Z" level=info msg="------------------ [gcr-secret] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:02:57Z" level=info msg="Error getting secret for provider gcr-secret. Skipping secret provider! [Err: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.]"
registry-creds-kbk1l registry-creds time="2017-07-18T15:02:57Z" level=info msg="------------------ [awsecr-cred] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="RequestError: send request failed
registry-creds-kbk1l registry-creds caused by: Post https://ecr.eu-west-1.amazonaws.com/: dial tcp: lookup ecr.eu-west-1.amazonaws.com on 10.0.0.10:53: read udp 172.17.0.3:44028->10.0.0.10:53: i/o timeout"
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="Error getting secret for provider awsecr-cred. Skipping secret provider! [Err: RequestError: send request failed
registry-creds-kbk1l registry-creds caused by: Post https://ecr.eu-west-1.amazonaws.com/: dial tcp: lookup ecr.eu-west-1.amazonaws.com on 10.0.0.10:53: read udp 172.17.0.3:44028->10.0.0.10:53: i/o timeout]"
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="------------------ [dpr-secret] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="Error getting secret for provider dpr-secret. Skipping secret provider! [Err: Failed to get auth token for docker private registry: empty value for DOCKER_PRIVATE_REGISTRY_SERVER]"
registry-creds-kbk1l registry-creds 2017/07/18 15:03:37 Refreshing credentials...
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="------------------ [gcr-secret] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="Error getting secret for provider gcr-secret. Skipping secret provider! [Err: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.]"
registry-creds-kbk1l registry-creds time="2017-07-18T15:03:37Z" level=info msg="------------------ [awsecr-cred] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="RequestError: send request failed
registry-creds-kbk1l registry-creds caused by: Post https://ecr.eu-west-1.amazonaws.com/: dial tcp: lookup ecr.eu-west-1.amazonaws.com on 10.0.0.10:53: read udp 172.17.0.3:54944->10.0.0.10:53: i/o timeout"
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="Error getting secret for provider awsecr-cred. Skipping secret provider! [Err: RequestError: send request failed
registry-creds-kbk1l registry-creds caused by: Post https://ecr.eu-west-1.amazonaws.com/: dial tcp: lookup ecr.eu-west-1.amazonaws.com on 10.0.0.10:53: read udp 172.17.0.3:54944->10.0.0.10:53: i/o timeout]"
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="------------------ [dpr-secret] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="Error getting secret for provider dpr-secret. Skipping secret provider! [Err: Failed to get auth token for docker private registry: empty value for DOCKER_PRIVATE_REGISTRY_SERVER]"
registry-creds-kbk1l registry-creds 2017/07/18 15:04:17 Refreshing credentials...
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="------------------ [gcr-secret] ----------------------
registry-creds-kbk1l registry-creds "
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="Error getting secret for provider gcr-secret. Skipping secret provider! [Err: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.]"
registry-creds-kbk1l registry-creds time="2017-07-18T15:04:17Z" level=info msg="------------------ [awsecr-cred] ----------------------
registry-creds-kbk1l registry-creds "

Significant time passes between the ------------------ [awsecr-cred] ---------------------- line and the RequestError: send request failed error.

I recall having seen an announcement from AWS about deprecating a way of requesting ECR credentials for Docker (something about no-include-email, but unfortunately I can't find it right now) but that might have something to do with it?

Use Deployment instead of ReplicaController

Since ReplicationControllers were first introduced in Kubernetes, several more sophisticated constructs to manage a deployment have appeared.

The official docs also suggest that Deployments are now the preferred way over ReplicationControllers to set things up: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/

Would you be open to accept a PR that changes the current ReplicaController way of deployment to use apps/v1 Deployment instead?

AWS region

Hi,

What is the way to change the default AWS region us-east-1 in the secret.yaml file?

Our ECR is located in eu-central-1. Each time a new token is generated, I see the following records in the awsecr-creds secret:

.dockerconfigjson:
{"auths":{"https://XXXXXXXX.dkr.ecr.us-east-1.amazonaws.com":{"auth":"QVdTOkFR............

As a result I get a 401 error when the RC tries to pull an image from our ECR located in eu-central-1.

Thanks,
Alexey
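The region mismatch in this issue and the eu.gcr.io failure in the earlier one have the same shape: the pull secret's auths key does not match the registry host in the image reference, so the kubelet sends no credentials and the registry answers 401 or "no basic auth credentials". The following Go program is an added example, not part of the project or of this issue thread; it takes the decoded .dockerconfigjson from a secret (a constructed sample here) and an image reference and reports whether the secret covers that registry, which is the first check worth running when a pod shows ErrImagePull.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// pullSecretAuths is the part of a kubernetes.io/dockerconfigjson document that matters here.
type pullSecretAuths struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

// RegistryHost extracts the registry from an image reference using Docker's rule:
// the first path component is a registry only if it contains '.' or ':' or is
// "localhost"; anything else ("nginx:latest", "library/nginx") resolves to Docker Hub.
func RegistryHost(image string) string {
	i := strings.IndexByte(image, '/')
	if i < 0 {
		return "docker.io"
	}
	first := image[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "docker.io"
}

// normalizeAuthKey reduces an auths key such as "https://host" or "host/v1/" to the
// bare host and folds Docker Hub's legacy names onto docker.io.
func normalizeAuthKey(key string) string {
	k := strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
	if i := strings.IndexByte(k, '/'); i >= 0 {
		k = k[:i]
	}
	switch k {
	case "index.docker.io", "registry-1.docker.io":
		return "docker.io"
	}
	return k
}

// CoveredRegistries returns the sorted registry hosts the secret has auth entries for.
func CoveredRegistries(dockerConfigJSON []byte) ([]string, error) {
	var cfg pullSecretAuths
	if err := json.Unmarshal(dockerConfigJSON, &cfg); err != nil {
		return nil, fmt.Errorf("secret is not a dockerconfigjson document: %w", err)
	}
	hosts := make([]string, 0, len(cfg.Auths))
	for key := range cfg.Auths {
		hosts = append(hosts, normalizeAuthKey(key))
	}
	sort.Strings(hosts)
	return hosts, nil
}

// CheckPullSecretCovers reports whether the secret carries credentials for the
// registry the image will be pulled from. The returned host list is what to put in
// the diagnostic when it does not: "secret covers us-east-1, image is in eu-central-1".
func CheckPullSecretCovers(dockerConfigJSON []byte, image string) (bool, []string, error) {
	hosts, err := CoveredRegistries(dockerConfigJSON)
	if err != nil {
		return false, nil, err
	}
	want := RegistryHost(image)
	for _, h := range hosts {
		if h == want {
			return true, hosts, nil
		}
	}
	return false, hosts, nil
}

// sampleSecret is a constructed .dockerconfigjson of the kind registry-creds writes
// for an ECR token in us-east-1; the auth value is base64("AWS:constructed"), not a real token.
const sampleSecret = `{"auths":{"https://123456789012.dkr.ecr.us-east-1.amazonaws.com":{"username":"AWS","password":"constructed","auth":"QVdTOmNvbnN0cnVjdGVk"}}}`

func main() {
	for _, image := range []string{
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/my-pod:latest",    // same region: covered
		"123456789012.dkr.ecr.eu-central-1.amazonaws.com/my-pod:latest", // other region: 401
		"eu.gcr.io/my-project/my-pod:latest",                            // no GCR entry at all
	} {
		ok, hosts, err := CheckPullSecretCovers([]byte(sampleSecret), image)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-62s covered=%-5v secret covers %v\n", image, ok, hosts)
	}
}
```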

Error starting awsecr-creds

I'm trying to start the service and I always get this error:

InvalidSignatureException: Signature expired: 20170111T204052Z is now earlier than 20170111T225449Z (20170111T230949Z - 15 min.)
2017-01-11T20:40:53.192988848Z 	status code: 400, request id: some id

How can I fix this?

minikube not showing registry-creds as an addon

Hi,

Just installed minikube 0.15 but I don't see registry-creds as an add-on. I see ecr-creds as a default add-on and I can also get the registry-creds RC up and running, but it doesn't seem to work while it tries to pull an image from GCR. Wondering what's wrong here.

Addons registry-creds cannot be configured for AWS Elastic Container Registry

I have also reported this at kubernetes/minikube#5753. Not sure if this is the right place to report.

The exact command to reproduce the issue:

minikube start
minikube addons configure registry-creds

The full output of the command that failed:

😄 minikube v1.5.0 on Darwin 10.15
✨ Automatically selected the 'hyperkit' driver (alternates: [virtualbox])
🔥 Creating hyperkit VM (CPUs=2, Memory=2000MB, Disk=20000MB) ...
🐳 Preparing Kubernetes v1.16.2 on Docker 18.09.9 ...
🚜 Pulling images ...
🚀 Launching Kubernetes ...
⌛ Waiting for: apiserver proxy etcd scheduler controller dns
🏄 Done! kubectl is now configured to use "minikube"

Do you want to enable AWS Elastic Container Registry? [y/n]: y
-- Enter AWS Access Key ID: my-access-key
-- Enter AWS Secret Access Key: my-secret-key
-- (Optional) Enter AWS Session Token:
-- Enter AWS Region: ap-southeast-1
-- Enter 12 digit AWS Account ID (Comma separated list): my-account-id
-- (Optional) Enter ARN of AWS role to assume:

Do you want to enable Google Container Registry? [y/n]: n

Do you want to enable Docker Registry? [y/n]: n
❌ ERROR creating registry-creds-ecr secret: Temporary Error: secrets "registry-creds-ecr" not found
❌ ERROR creating registry-creds-gcr secret: Temporary Error: secrets "registry-creds-gcr" not found
⚠️ ERROR creating registry-creds-dpr secret
✅ registry-creds was successfully configured

The output of the minikube logs command:

No logs output due to the command minikube addons configure registry-creds

The operating system version:

macOS Catalina 10.15
minikube version: v1.5.0
commit: d1151d93385a70c5a03775e166e94067791fe2d9

Cannot pull images from AWS ECR: no basic auth credentials (v0.27.0 minikube)

Environment:

  • Minikube version : 0.27.0
  • OS (e.g. from /etc/os-release): MacOS 10.12.6 High Sierra
  • VM Driver (e.g. cat ~/.minikube/machines/minikube/config.json | grep DriverName): virtualbox
  • ISO version (e.g. cat ~/.minikube/machines/minikube/config.json | grep -i ISO or minikube ssh cat /etc/VERSION): v0.26.0
  • Install tools: homebrew

What happened:
I cannot pull images from the ECR registry: "no basic auth credentials" error

What you expected to happen:
I expected to pull the image from the ECR registry after having configured registry-creds with my ID, KEY, TOKEN and AWS Region, and activating the registry-creds addon and using PullSecrets

How to reproduce it (as minimally and precisely as possible):
minikube start
minikube addons configure registry-creds => configure only with AWS ECR
minikube addons enable registry-creds
kubectl create -f deployment.yaml
=> The error occurred: cannot start the container due to a "no basic auth credentials" error.

kubectl get secrets --all-namespaces => we can see that the secret created is in kube-system and called registry-creds-ecr. I never found the awsecr-cred name for the secret as mentioned in the documentation https://github.com/upmc-enterprises/registry-creds

deployment.yaml content:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app:
    spec:
      containers:
      - name: adserver-test
        image: <MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/<IMAGE_TO_PULL>:latest
        command: ["/bin/bash"]
        env:
        - name: TMN_ENVIRONMENT
          value: "qa"
      imagePullSecrets:
      - name: registry-creds-ecr

Output of minikube logs (if applicable):

May 23 09:53:31 minikube kubelet[3443]: W0523 09:53:31.388519 3443 kubelet_pods.go:878] Unable to retrieve pull secret default/registry-creds-ecr for default/adserver-deployment-654f4668bf-l97n8 due to secrets "registry-creds-ecr" not found. The image pull may not succeed.

May 23 09:53:31 minikube kubelet[3443]: I0523 09:53:31.388628 3443 kuberuntime_manager.go:513] Container {Name:adserver-test Image:<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/adserver:latest Command:[/bin/bash] Args:[] WorkingDir: Ports:[] EnvFrom:[] Env:[{Name:TMN_ENVIRONMENT Value:qa ValueFrom:nil}] Resources:{Limits:map[] Requests:map[]} VolumeMounts:[{Name:default-token-27gpt ReadOnly:true MountPath:/var/run/secrets/kubernetes.io/serviceaccount SubPath: MountPropagation:}] VolumeDevices:[] LivenessProbe:nil ReadinessProbe:nil Lifecycle:nil TerminationMessagePath:/dev/termination-log TerminationMessagePolicy:File ImagePullPolicy:Always SecurityContext:nil Stdin:false StdinOnce:false TTY:false} is dead, but RestartPolicy says that we should restart it.

May 23 09:53:32 minikube kubelet[3443]: E0523 09:53:32.229556 3443 remote_image.go:108] PullImage "<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/adserver:latest" from image service failed: rpc error: code = Unknown desc = Error response from daemon: Get https://<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/v2/adserver/manifests/latest: no basic auth credentials

May 23 09:53:32 minikube kubelet[3443]: E0523 09:53:32.229585 3443 kuberuntime_image.go:51] Pull image "<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/adserver:latest" failed: rpc error: code = Unknown desc = Error response from daemon: Get https://<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/v2/adserver/manifests/latest: no basic auth credentials

May 23 09:53:32 minikube kubelet[3443]: E0523 09:53:32.229627 3443 kuberuntime_manager.go:733] container start failed: ErrImagePull: rpc error: code = Unknown desc = Error response from daemon: Get https://<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/v2/adserver/manifests/latest: no basic auth credentials

May 23 09:53:32 minikube kubelet[3443]: E0523 09:53:32.229648 3443 pod_workers.go:186] Error syncing pod 1d7cad94-5e6f-11e8-962c-0800278cf469 ("adserver-deployment-654f4668bf-l97n8_default(1d7cad94-5e6f-11e8-962c-0800278cf469)"), skipping: failed to "StartContainer" for "adserver-test" with ErrImagePull: "rpc error: code = Unknown desc = Error response from daemon: Get https://<MY_ACCOUNT_ID_REMOVED_HERE>.dkr.ecr.us-east-1.amazonaws.com/v2/adserver/manifests/latest: no basic auth credentials"

Add imagePullSecrets to more ServiceAccounts

After much head scratching I think I've worked out that registry-creds only adds imagePullSecrets to the default service account in each namespace.

We lock down our pods by specifying our own, more restrictive, service accounts, so we don't get the awsecr-cred automatically added and our pods fail to download their image.

Maybe it could be possible to add an annotation to a service account to get it included in registry-creds' sync?

In the meantime, I presume the best/only workaround is to explicitly add the imagePullSecrets entry to our own service account definition?

It would also be good to make this more explicit in the readme - I've just spent 2 days trying to work out why registry-creds didn't work for one of my pods when it worked for all my others.

sessions and secrets?

Hi,

Nice work! I really like your idea to use a replication controller to periodically refresh the credentials.

One concern I have with this approach is that the secret key is passed around in plaintext. Even though minikube is only intended for local VM testing I'd be worried about all copies that might occur, like into k8s or docker logs, in etcd, etc.

What do you think about extending this image to support temporary sessions via AWS STS? That way the kubernetes cluster is tied to a temporary session instead of the user. Also, the session credentials could be stored in a Kubernetes secret which the image could then use to periodically refresh the ECR token and avoid the env variable exposure.

brian

v1. Namespace is forbidden: User cannot list resource "namespaces" in API group.

Any idea why would this happen? Seems like the Go app can't list the namespaces. What can I do in this case?

It is configured for AWS ECR; the same registry works fine on minikube, but in the dev cluster it doesn't.

Here is the error:

time="2020-10-21T05:10:45Z" level=info msg="Starting up..."
time="2020-10-21T05:10:45Z" level=info msg="Using AWS Account: 81xxxxxxxx"
time="2020-10-21T05:10:45Z" level=info msg="Using AWS Region: ca-central-1"
time="2020-10-21T05:10:45Z" level=info msg="Using AWS Assume Role: arn:aws:iam::81xxxxxxx:role/xxxxxxxxxx"
time="2020-10-21T05:10:45Z" level=info msg="Refresh Interval (minutes): 60"
time="2020-10-21T05:10:45Z" level=info msg="Retry Timer: simple"
time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retries: 3"
time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retry Delay (se

ERROR: logging before flag.Parse: E1021 05:11:37.436054 1 reflector.go:199] github.com/upmc-enterprises/registry-creds/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope

It is in an infinite loop outputting the error above.

Automated Docker Build for Transparency

It would be nice to see the public docker image be an automated build. It would provide better transparency and security to know that the image came from the github source automatically, and wasn't modified then pushed. Also the dockerhub page is completely empty, which is not encouraging.

Consider taking a list of account ids

We use multiple AWS accounts in a hub and spoke model. The hub account has the official images while other accounts may have all sorts of wild animals. Minikube is where developers are working with both experimental and official images, so it would be great to be able to pull from both.

I'd happily implement a pull-request to allow for a list (space or comma?) of account ids just as aws get-login --registry_ids permits, if it would be accepted.

Discrepancy between code and doc

An underscore in the code:

argAWSAssumeRole = flags.String("aws_assume_role", "", `If specified AWS will assume this role and use it to retrieve tokens`)

while a dash in the doc:

aws-assume-role (optional) can provide a role ARN that will be assumed for getting ECR authorization tokens
Note: The region can also be specified as an arg to the binary.

ECR - InvalidParameterException: Invalid parameter at 'registryIds' failed to satisfy constraint

I'm unable to make this work on Kubernetes 1.16. My configuration is:

apiVersion: v1
kind: Secret
metadata:
  name: registry-creds-ecr
  namespace: kube-system
  labels:
    app: registry-creds
    kubernetes.io/minikube-addons: registry-creds
    cloud: ecr
data:
  AWS_ACCESS_KEY_ID: xxx
  AWS_SECRET_ACCESS_KEY: xxx
  aws-region: xxx
type: Opaque
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: registry-creds
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: registry-creds
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-creds
subjects:
  - kind: ServiceAccount
    name: registry-creds
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-creds
  namespace: kube-system

My deployment file is:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-creds
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      name: registry-creds
  template:
    metadata:
      labels:
        name: registry-creds
    spec:
      serviceAccountName: registry-creds
      containers:
        - image: upmcenterprises/registry-creds:1.10
          name: registry-creds
          imagePullPolicy: Always
          env:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: registry-creds-ecr
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: registry-creds-ecr
                  key: AWS_SECRET_ACCESS_KEY
            - name: awsregion
              valueFrom:
                secretKeyRef:
                  name: registry-creds-ecr
                  key: aws-region
            - name: awsaccount
              valueFrom:
                secretKeyRef:
                  name: registry-creds-ecr
                  key: aws-account
      volumes:
        - name: gcr-creds
          secret:
            secretName: registry-creds-gcr

When the two files are deployed, then the logs from the pod are:

time="2020-03-22T03:18:09Z" level=info msg="------------------ [awsecr-cred] ------------------
" 
time="2020-03-22T03:18:09Z" level=info msg="Getting secret; try #1 of 4" 
time="2020-03-22T03:18:09Z" level=info msg="InvalidParameterException: Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'
	status code: 400, request id: a2acc201-35df-40c0-8cce-196f02b53e02" 
time="2020-03-22T03:18:09Z" level=error msg="Error getting secret for provider awsecr-cred. Will try again after 5.000000 seconds. [Err: InvalidParameterException: Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'
	status code: 400, request id: a2acc201-35df-40c0-8cce-196f02b53e02]" 

The secret awsecr-cred is empty. Any thoughts on this?

No errors and no image secrets created

I was looking for this but I can't get it to work. Seems good from logs:

I0712 18:36:28.401132 1 aws_credentials.go:145] Starting up...
I0712 18:36:28.401786 1 aws_credentials.go:150] Using AWS Account: xxxxxxxxxxx
I0712 18:36:28.401854 1 aws_credentials.go:151] Refresh Interval (minutes): 715

I used your rc file and added proxy variables + AWS creds to work from a network with no outbound connectivity.

kube describe serviceaccounts default
Name: default
Namespace: default
Labels:
Mountable secrets: default-token-a4exj
Tokens: default-token-a4exj
Image pull secrets:

Since I get no errors at all... any idea? BTW, on CoreOS 1097 and K8s 1.2.4.

signal SIGSEGV when enabling add-on

I am using the awsecr-creds module that comes with Minikube 1.5.2, I assume this is the same module as registry-creds, is this correct?

When enabling the module, it crashes with SIGSEGV with the following output:

2017-01-23T08:40:05.159751323Z 2017/01/23 08:40:05 Starting up...
2017-01-23T08:40:05.159793997Z 2017/01/23 08:40:05 Using AWS Account: ccp-dev
2017-01-23T08:40:05.159799947Z 2017/01/23 08:40:05 Refresh Interval (minutes): 715
2017-01-23T08:40:05.460747090Z RequestError: send request failed
2017-01-23T08:40:05.460781321Z caused by: Post https://ecr.us-east-1.amazonaws.com/: net/http: invalid header field value "AWS4-HMAC-SHA256 Credential=AKIAISIZYQJFB6ETYFVQ\n/20170123/us-east-1/ecr/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=c8112ae126666aa4da7d58e78d3a307d7133e794c8726a561f556b52974cae8d" for key Authorization
2017-01-23T08:40:05.462956098Z panic: runtime error: invalid memory address or nil pointer dereference
2017-01-23T08:40:05.462972809Z [signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x4015b1]
2017-01-23T08:40:05.462979180Z 
2017-01-23T08:40:05.462984645Z goroutine 1 [running]:
2017-01-23T08:40:05.462990079Z panic(0x13bb740, 0xc42000a030)
2017-01-23T08:40:05.462995244Z 	/usr/local/go/src/runtime/panic.go:500 +0x1a1
2017-01-23T08:40:05.463000660Z main.process()
2017-01-23T08:40:05.463005843Z 	/Users/slokas/godev/src/enterprises.io/awsecr-creds/aws_credentials.go:106 +0x91
2017-01-23T08:40:05.463011274Z main.main()
2017-01-23T08:40:05.463016437Z 	/Users/slokas/godev/src/enterprises.io/awsecr-creds/aws_credentials.go:174 +0x3b1

Invalid endpoint URI error

I configured this addon in Minikube, and it used to work, but after a recent K8S cluster teardown, I can't get it working again for pulling images from AWS.

The registry-creds pods output this:

2017-04-14T21:29:47.421759895Z " 
2017-04-14T21:29:47.421807958Z time="2017-04-14T21:29:47Z" level=info msg="InvalidEndpointURL: invalid endpoint uri
2017-04-14T21:29:47.421813864Z caused by: parse https://ecr.eu-west-1
2017-04-14T21:29:47.421816479Z .amazonaws.com/: invalid character "\n" in host name" 
2017-04-14T21:29:47.421844877Z time="2017-04-14T21:29:47Z" level=info msg="Error getting secret for provider awsecr-cred. Skipping secret provider! [Err: InvalidEndpointURL: invalid endpoint uri
2017-04-14T21:29:47.421849814Z caused by: parse https://ecr.eu-west-1
2017-04-14T21:29:47.421852247Z .amazonaws.com/: invalid character "\n" in host name]" 

I double checked and the value of the awsregion env var is eu-west-1 (passed using a secret).

Any idea what is happening here?

Error for ECR credentials

When using registry-creds, the pod sometimes outputs the following error: Error getting secret for provider awsecr-cred. Skipping secret provider! [Err: InvalidSignatureException: Signature expired: 20170416T194251Z is now earlier than 20170417T123951Z (20170417T125451Z - 15 min.) (full output below).

Even after I have completely removed everything and even recreated the Minikube Kubernetes cluster.

Any idea what might cause this?

2017-04-16T19:42:51.643732971Z time="2017-04-16T19:42:51Z" level=info msg="------------------ [awsecr-cred] ----------------------
2017-04-16T19:42:51.643739771Z " 
2017-04-16T19:42:51.817820171Z time="2017-04-16T19:42:51Z" level=info msg="InvalidSignatureException: Signature expired: 20170416T194251Z is now earlier than 20170417T123951Z (20170417T125451Z - 15 min.)
2017-04-16T19:42:51.817847871Z 	status code: 400, request id: 0b8d33f4-236d-11e7-a556-d147d2308480" 
2017-04-16T19:42:51.817854771Z time="2017-04-16T19:42:51Z" level=info msg="Error getting secret for provider awsecr-cred. Skipping secret provider! [Err: InvalidSignatureException: Signature expired: 20170416T194251Z is now earlier than 20170417T123951Z (20170417T125451Z - 15 min.)
2017-04-16T19:42:51.817860571Z 	status code: 400, request id: 0b8d33f4-236d-11e7-a556-d147d2308480]" 

Newly published registry-creds image (1.10) does not contain ACR (Azure) support

Repro steps:

  1. Install the registry-creds controller following standard instructions
  2. Deploy the controller
  3. Attach a shell to the controller container
  4. Run strings -n 9 registry-creds | grep acrClient

Expected: a bunch of strings that have 'acrClient' in them
Actual: nothing

For comparison, this is the result of running the same command on the zpkarol/registry-creds:1.10 image that I have built for testing (it is available from Docker Hub):

karolz:~/ strings -n 9 registry-creds | grep acrClient
acrClient
*main.acrClient
main.acrClient.getAuthToken
main.(*acrClient).getAuthToken
main.acrClient.getAuthToken.stkobj
go.itab.main.acrClient,main.acrInterface
main.acrClient.getAuthToken
main.(*acrClient).getAuthToken

Looks like an incorrect (old) binary was included in the 1.10 image? @stevesloka could you take a look? Thanks!

registry-creds in Minikube doesn't renew credentials before they expire.

Overall the registry-creds addon in Minikube 0.28.2 is working quite well.
However we've noticed an issue where there can be periods where our AWS ECR credentials have expired and they haven't been renewed yet.
This results in errors like so (I've substituted $AWS_ACCOUNT_ID, $IMAGE, and $TAG into the messages to anonymise them a bit):

  Normal   Pulling                29m (x4 over 30m)    kubelet, minikube  pulling image "$AWS_ACCOUNT_ID.dkr.ecr.ap-southeast-2.amazonaws.com/$IMAGE:$TAG"
  Warning  Failed                 29m (x4 over 30m)    kubelet, minikube  Failed to pull image "$AWS_ACCOUNT_ID.dkr.ecr.ap-southeast-2.amazonaws.com/$IMAGE:$TAG": rpc error: code = Unknown desc = Error response from daemon: pull access denied for $AWS_ACCOUNT_ID.dkr.ecr.ap-southeast-2.amazonaws.com/$IMAGE, repository does not exist or may require 'docker login'

If left for long enough, the credentials are renegotiated and things work again.

We can also just delete the registry-cred pod in the kube-system namespace to have it start a new pod to renegotiate the credentials without having to wait.

I'm not sure if Minikube changes the default polling of 60 mins or not, but if not, then the worst case scenario could be waiting up to an hour for new credentials to be negotiated.

Is it possible to have this module re-negotiate AWS ECR credentials prior to them expiring?

MFA usage with ECR

I am having issues running Minikube with MFA and I was wondering if this is a feature that is supported and I am just missing the implementation of it?

imagePullSecrets not created in all namespaces

I am running it in an on-prem k8s cluster.
Our only registry is on ECR, so I took out the GCR and DPR configs.

My deployment.yaml looks like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-creds
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      name: registry-creds
  template:
    metadata:
      labels:
        name: registry-creds
    spec:
      serviceAccountName: ecr-token-renew-sa
      containers:
      - image: upmcenterprises/registry-creds:1.10
        name: registry-creds
        imagePullPolicy: Always
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: AWS_ACCESS_KEY_ID
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: AWS_SECRET_ACCESS_KEY
          - name: awsaccount
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: aws-account
          - name: awsregion
            valueFrom:
              secretKeyRef:
                name: registry-creds-ecr
                key: aws-region

I had to create a serviceAccount because the default account does not have sufficient permissions.

The pod logs show:

time="2020-08-28T00:25:08Z" level=info msg="------------------ [awsecr-cred] ------------------
"
time="2020-08-28T00:25:08Z" level=info msg="Getting secret; try #1 of 4"
time="2020-08-28T00:25:08Z" level=info msg="Successfully got secret for provider awsecr-cred after trying 1 time(s)"
time="2020-08-28T00:25:08Z" level=info msg="------------------ [dpr-secret] ------------------

But the imagePullSecret was only added in some of the namespaces, not all.

It created imagePullSecrets in 16 namespaces out of the 42 that we have.

Q: Enable only one registry

Is there a way to only enable a single registry? I'm using Amazon's ECR and I don't need any of the others.

I get it working but I have extra secrets in all my namespaces that I don't use and according to the logs it's constantly trying to get creds from the other registries.

Create different credentials per namespace

Hello,

We have 2 environments on Kubernetes with different namespaces, and each needs to talk to a different AWS account, but currently that's not possible. I would like to extend this code to take a Namespace as a parameter and get the right creds per namespace.

Do you see any obvious issues with this? If not, I would appreciate it if you could point me in the right direction if possible.

Watch namespaces for changes

Right now if a new namespace is added after the plugin starts, it won't get new imagePullSecrets. Need to watch for this change and update accordingly.

Allow blacklisting of namespaces

Is there any way to add a blacklist (or a whitelist) of namespaces that we want to allow the credentials to be synced to?

For example, secrets are also being synced to kube-public
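The two requests above (watching for namespaces created after start-up, and an allow/deny list so that namespaces such as kube-public are skipped) come down to one idempotent per-namespace handler. The following is an added example, not code from the registry-creds project: it models the default ServiceAccount and the cluster as in-memory types (an assumption standing in for client-go's corev1 types and a clientset), so the policy and the merge logic can be exercised offline. A deny entry always wins, an empty allow list means every namespace, and attaching the pull secret never produces duplicates, so the same handler can be driven from both the initial list and later ADDED watch events.

```go
package main

import (
	"fmt"
	"sort"
)

// ServiceAccount is a minimal stand-in for corev1.ServiceAccount: only the
// fields the sync logic touches. Assumption: a real controller would use
// client-go types and a clientset instead of this in-memory model.
type ServiceAccount struct {
	Namespace        string
	Name             string
	ImagePullSecrets []string
}

// SyncPolicy decides which namespaces receive the registry secret.
// Deny always wins; an empty Allow list means "every namespace not denied".
type SyncPolicy struct {
	Allow []string
	Deny  []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ShouldSync applies the allow/deny policy to one namespace.
func (p SyncPolicy) ShouldSync(ns string) bool {
	if contains(p.Deny, ns) {
		return false
	}
	return len(p.Allow) == 0 || contains(p.Allow, ns)
}

// AttachPullSecret adds secretName to the service account's imagePullSecrets
// if it is not already there. It returns true only when the object changed,
// so the caller can skip a no-op Update and the handler stays idempotent
// across repeated events (resyncs, restarts, duplicate ADDED events).
func AttachPullSecret(sa *ServiceAccount, secretName string) bool {
	if contains(sa.ImagePullSecrets, secretName) {
		return false
	}
	sa.ImagePullSecrets = append(sa.ImagePullSecrets, secretName)
	return true
}

// Store is the subset of API access the reconciler needs: the default
// ServiceAccount of each namespace, keyed by namespace name.
type Store map[string]*ServiceAccount

// Reconcile is the namespace handler. It is meant to be called with the full
// namespace list at start-up and again with each newly added namespace from a
// watch. It returns the namespaces whose default service account was updated.
func Reconcile(store Store, namespaces []string, policy SyncPolicy, secretName string) []string {
	var updated []string
	for _, ns := range namespaces {
		if !policy.ShouldSync(ns) {
			continue
		}
		sa, ok := store[ns]
		if !ok {
			// The namespace exists but its default SA is not visible yet (the
			// token controller creates it asynchronously); leave it for the
			// next resync instead of creating one blindly.
			continue
		}
		if AttachPullSecret(sa, secretName) {
			updated = append(updated, ns)
		}
	}
	sort.Strings(updated)
	return updated
}

func main() {
	// Constructed sample cluster state: team-a already carries the secret.
	store := Store{
		"default":     {Namespace: "default", Name: "default"},
		"kube-public": {Namespace: "kube-public", Name: "default"},
		"team-a":      {Namespace: "team-a", Name: "default", ImagePullSecrets: []string{"awsecr-cred"}},
	}
	policy := SyncPolicy{Deny: []string{"kube-public"}}
	fmt.Println("initial list:", Reconcile(store, []string{"default", "kube-public", "team-a"}, policy, "awsecr-cred"))
	// A namespace created after start-up arrives as a watch event.
	store["team-b"] = &ServiceAccount{Namespace: "team-b", Name: "default"}
	fmt.Println("new namespace:", Reconcile(store, []string{"team-b"}, policy, "awsecr-cred"))
	fmt.Println("resync (no-op):", Reconcile(store, []string{"default", "team-b"}, policy, "awsecr-cred"))
}
```

The controller itself would wire Reconcile to a namespace informer's add handler; the point of returning the changed set is that an Update call is only issued for service accounts that actually changed, which keeps a periodic resync cheap and avoids churn on audit logs.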

Support for role in AWS?

We have credentials, but primarily default to using roles for these kinds of work.

I don't see any docs for assuming a role (via minikube)

Missing File

Hi,

The replication controller file is missing in the repo. Is there any change that needs to be done on our end?

Hard coded us-east-1

Hey guys,

I tried to get the deployment running. But it seems that the initial AssumeRole request still goes to another region than my chosen one:

018/08/10 15:34:53 Starting up...
2018/08/10 15:34:53 Using AWS Account: 123
2018/08/10 15:34:53 Using AWS Region: eu-west-1
2018/08/10 15:34:53 Using AWS Assume Role: arn:aws:iam::aws:policy/AmazonECS_FullAccess
2018/08/10 15:34:53 Refresh Interval (minutes): 60
time="2018-08-10T15:34:53Z" level=info msg="Using InCluster k8s config"
2018/08/10 15:34:53 Refreshing credentials...
time="2018-08-10T15:34:53Z" level=info msg="------------------ [gcr-secret] ----------------------
"
time="2018-08-10T15:34:53Z" level=info msg="Error getting secret for provider gcr-secret. Skipping secret provider! [Err: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.]"
time="2018-08-10T15:34:53Z" level=info msg="------------------ [awsecr-cred] ----------------------
"
time="2018-08-10T15:34:53Z" level=info msg="RequestError: send request failed
caused by: Post https://sts.amazonaws.com/: net/http: invalid header field value "AWS4-HMAC-SHA256 Credential=X\n/20180810/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=6baa2440934d910ada8b435de1bc3d039e9f6ecedc144fe71fa8df0babed662b" for key Authorization"

Cheers,
Thomas

awsecr-creds pod crashes

I have set up the secret (with the AWS access key, secret access key and account id) and the replication controller in namespace kube-system, but the pod keeps crashing (CrashLoopBackOff)

2016-12-28T11:14:10.257472708Z 2016/12/28 11:14:10 Starting up...
2016-12-28T11:14:10.257526395Z 2016/12/28 11:14:10 Using AWS Account: 7########4
2016-12-28T11:14:10.257563600Z 2016/12/28 11:14:10 Refresh Interval (minutes): 715
2016-12-28T11:14:10.454424907Z InvalidParameterException: Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'
2016-12-28T11:14:10.454509660Z 	status code: 400, request id: c19e2b6a-ccee-11e6-9ad2-45244efed646
2016-12-28T11:14:10.457277072Z panic: runtime error: invalid memory address or nil pointer dereference
2016-12-28T11:14:10.457343399Z [signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x4015b1]
2016-12-28T11:14:10.457353435Z 
2016-12-28T11:14:10.457359391Z goroutine 1 [running]:
2016-12-28T11:14:10.457364816Z panic(0x13bb560, 0xc420014020)
2016-12-28T11:14:10.457370628Z 	/usr/local/go/src/runtime/panic.go:500 +0x1a1
2016-12-28T11:14:10.457426418Z main.process()
2016-12-28T11:14:10.457437499Z 	/Users/slokas/godev/src/enterprises.io/andrew/awsecr-creds/aws_credentials.go:106 +0x91
2016-12-28T11:14:10.457443905Z main.main()
2016-12-28T11:14:10.457449377Z 	/Users/slokas/godev/src/enterprises.io/andrew/awsecr-creds/aws_credentials.go:186 +0x3c0

The (censored) contents of my secret:

apiVersion: v1
data:
  AWS_ACCESS_KEY_ID: QUtJ############E=
  AWS_SECRET_ACCESS_KEY: VGN################################lzNA==
  aws-account: N############Cg==
kind: Secret
metadata:
  creationTimestamp: 2016-12-28T11:13:06Z
  labels:
    app: awsecr-creds
    kubernetes.io/minikube-addons: awsecr-creds
    version: v1.2
  name: awsecr-creds
  namespace: kube-system
  resourceVersion: "2379"
  selfLink: /api/v1/namespaces/kube-system/secrets/awsecr-creds
  uid: 9b86eb41-ccee-11e6-b2d8-feb8681bd404
type: Opaque

(I checked and the b64 encoding of the AWS params is correct, since I can view the right contents via the minikube dashboard)

My replication controller:

apiVersion: v1
kind: ReplicationController
metadata:
  name: awsecr-creds
  namespace: kube-system
  labels:
    version: v1.2
spec:
  replicas: 1
  selector:
    name: awsecr-creds
    version: v1.2
  template:
    metadata:
      labels:
        name: awsecr-creds
        version: v1.2
    spec:
      containers:
      - image: upmcenterprises/awsecr-creds:1.2
        name: awsecr-creds
        args:
        - "--aws-region=eu-west-1"
        imagePullPolicy: Always
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: awsecr-creds
                key: AWS_ACCESS_KEY_ID
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: awsecr-creds
                key: AWS_SECRET_ACCESS_KEY
          - name: awsaccount
            valueFrom:
              secretKeyRef:
                name: awsecr-creds
                key: aws-account

Any idea why it is crashing?
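Several of the issues on this page fail before the first successful ECR call for reasons visible in the secret itself: the InvalidParameterException reports quote the `[0-9]{12}` constraint on registryIds (an alias such as ccp-dev will never pass it), and the `\n` that appears inside the SigV4 Authorization header (`Credential=...\n/2017...`) and inside the endpoint host name (`ecr.eu-west-1\n.amazonaws.com`) is what a value base64-encoded with `echo value | base64` carries into the request. The following is an added example, not code from registry-creds or any of the posters: a linter for the `data:` map of the secret that decodes each value, reports leading or trailing whitespace, validates aws-account as a comma-separated list of 12-digit ids (the list form requested in the "Consider taking a list of account ids" issue) and sanity-checks aws-region. The key names follow the minikube addon manifests shown above; the sample values are constructed placeholders, not real credentials.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// accountIDRe is the constraint ECR enforces on registryIds: the "[0-9]{12}"
// pattern quoted in the InvalidParameterException messages in these issues.
var accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)

// regionRe is a loose shape check for AWS region names such as eu-west-1.
var regionRe = regexp.MustCompile(`^[a-z]{2}(-[a-z]+)+-[0-9]$`)

// Finding is one problem found with one key of the secret.
type Finding struct {
	Key     string
	Problem string
}

// ParseAccountIDs splits a comma-separated awsaccount value, trims each entry
// and rejects anything ECR would refuse, before any API call is made.
func ParseAccountIDs(s string) ([]string, error) {
	var ids []string
	for _, raw := range strings.Split(s, ",") {
		id := strings.TrimSpace(raw)
		if !accountIDRe.MatchString(id) {
			return nil, fmt.Errorf("account id %q is not a 12-digit AWS account id", id)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// LintSecretData checks the base64-encoded "data" map of a Kubernetes Secret
// as registry-creds would see it. Key names follow the minikube addon
// manifests on this page (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
// aws-account, aws-region); that mapping is an assumption of this example.
func LintSecretData(data map[string]string) []Finding {
	var findings []Finding
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic report order
	for _, key := range keys {
		raw, err := base64.StdEncoding.DecodeString(data[key])
		if err != nil {
			findings = append(findings, Finding{key, "value is not valid base64: " + err.Error()})
			continue
		}
		value := string(raw)
		if strings.TrimSpace(value) != value {
			// A trailing newline ends up inside the Authorization header or the
			// endpoint host name, which is exactly what the logs above show.
			findings = append(findings, Finding{key, "value has leading or trailing whitespace or newline"})
		}
		switch key {
		case "aws-account":
			if _, err := ParseAccountIDs(strings.TrimSpace(value)); err != nil {
				findings = append(findings, Finding{key, err.Error()})
			}
		case "aws-region":
			if !regionRe.MatchString(strings.TrimSpace(value)) {
				findings = append(findings, Finding{key, fmt.Sprintf("region %q does not look like an AWS region", value)})
			}
		}
	}
	return findings
}

// b64 encodes a constructed sample value the way a Secret's data: field expects.
func b64(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }

func main() {
	// Constructed sample secret: placeholder values, not real credentials.
	data := map[string]string{
		"AWS_ACCESS_KEY_ID":     b64("AKIAEXAMPLE0000000\n"), // trailing newline from `echo | base64`
		"AWS_SECRET_ACCESS_KEY": b64("secret-placeholder"),
		"aws-account":           b64("123456789012,ccp-dev"), // an alias instead of a 12-digit id
		"aws-region":            b64("eu-west-1\n"),
	}
	for _, f := range LintSecretData(data) {
		fmt.Printf("%s: %s\n", f.Key, f.Problem)
	}
}
```

Running this against the sample flags the access key id and region for the stray newline and the account list for the non-numeric entry; a clean secret yields no findings. Encoding with `printf '%s' "$value" | base64` (or `base64 -w0` on input without a newline) avoids the whitespace class of failures at the source.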

client-go: No cached connection was available

Hi, I'm running this on AKS and it works perfectly for a day.

After that it will silently fail and when I view the pod-log I see a continuous list of the following messages each second:

ERROR: logging before flag.Parse: E0414 12:25:24.718421       1 reflector.go:199] github.com/upmc-enterprises/registry-creds/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Namespace: Get https://<redacted>.hcp.northeurope.azmk8s.io:443/api/v1/namespaces?resourceVersion=0: http2: no cached connection was available

It appears to originate from the k8s Go-client, where a cached connection is missing. Could it be a bug in the client or is it maybe something happening on the AKS level?

Specifically here: https://github.com/upmc-enterprises/registry-creds/blob/master/vendor/k8s.io/client-go/tools/cache/reflector.go#L198

Maybe the Go-client should be updated?

Thankful for any suggestions!

v1.4 fails when GCR not configured

Hiya! I just attempted to set up version 1.4 on one of my clusters - I ended up seeing errors like:

2017/01/24 15:56:27 Starting up...
2017/01/24 15:56:27 Using AWS Account: XXXXXXXXXXX
2017/01/24 15:56:27 Using AWS Region: us-east-1
2017/01/24 15:56:27 Refresh Interval (minutes): 2
2017/01/24 15:58:27 Refreshing credentials...
2017/01/24 15:58:27 Failed to load ecr credentials: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

the google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information. part of which is puzzling, because I'm not attempting to use GCE at all.

Looking through the code, registry-creds iterates through trying both GCR and ECR on process() (https://github.com/upmc-enterprises/registry-creds/blob/master/main.go#L205-L216) but if it gets any error from either, it returns that error: https://github.com/upmc-enterprises/registry-creds/blob/master/main.go#L205-L216

I suspect that's the issue - that while I've provided an AWS account id (and thus don't hit this branch: https://github.com/upmc-enterprises/registry-creds/blob/master/main.go#L288-L290), there isn't any actual flagging off of the method not in use.

I suspect this also affects the GCR-only path, though it probably manages to set the secrets properly before exiting because it can't reach AWS

I'd be glad to put together some sort of PR for conditionally setting up secretGenerators if you like, or if you have a plan already, that'd be rad too. For the mean time, I've deployed pre-rename awsecr-creds 1.2 and things seem to be working fine.

ERROR creating `registry-creds-dpr` secret minikube addon

I'm trying to set up our private registry to work on minikube.

After minikube is started, I configure the registry-creds addon:

$ minikube addons configure registry-creds
Do you want to enable AWS Elastic Container Registry? [y/n]: n

Do you want to enable Google Container Registry? [y/n]: n

Do you want to enable Docker Registry? [y/n]: y
-- Enter docker registry server url: https://registry.local
-- Enter docker registry username: adrianovieira
-- Enter docker registry password: 
❌  ERROR creating `registry-creds-ecr` secret: Temporary Error: secrets "registry-creds-ecr" not found
❌  ERROR creating `registry-creds-gcr` secret: Temporary Error: secrets "registry-creds-gcr" not found
⚠️  ERROR creating `registry-creds-dpr` secret
✅  registry-creds was successfully configured

Neither:

$ minikube addons configure registry-creds
Do you want to enable AWS Elastic Container Registry? [y/n]: n

Do you want to enable Google Container Registry? [y/n]: n

Do you want to enable Docker Registry? [y/n]: y
-- Enter docker registry server url: registry.local
-- Enter docker registry username: adrianovieira
-- Enter docker registry password: 
❌  ERROR creating `registry-creds-ecr` secret: Temporary Error: secrets "registry-creds-ecr" not found
❌  ERROR creating `registry-creds-gcr` secret: Temporary Error: secrets "registry-creds-gcr" not found
⚠️  ERROR creating `registry-creds-dpr` secret
✅  registry-creds was successfully configured
