How to Create an AWS ECR Image-Pull Secret for Kubernetes
Bash
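# Create an imagePullSecret for ECR in the current namespace.
# Requires AWS_ACCOUNT (12-digit account id) and AWS_REGION in the environment;
# fail early with a message instead of building a bogus registry hostname.
: "${AWS_ACCOUNT:?set AWS_ACCOUNT to the 12-digit account id}"
: "${AWS_REGION:?set AWS_REGION, e.g. eu-west-1}"
# The username is always the literal string "AWS"; the password is a short-lived
# ECR authorization token (valid for 12 hours), so this secret must be refreshed.
# NOTE: the token is passed on the command line and is therefore briefly visible
# in `ps` output and may be recorded in shell history.
kubectl create secret docker-registry ecrlogin \
  --docker-server="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
  --docker-username=AWS \
  --docker-password="$(aws ecr get-login-password --profile default)"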
- Automate
Bash
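# Create (or refresh) the ECR pull secret in a namespace, then deploy.
# Requires AWS_ACCOUNT and AWS_REGION in the environment.
: "${AWS_ACCOUNT:?set AWS_ACCOUNT to the 12-digit account id}"
: "${AWS_REGION:?set AWS_REGION, e.g. eu-west-1}"
# namespace is optional; adjust to taste
NAMESPACE_NAME="secrets-maybe"
# Idempotent namespace creation: a no-op if it already exists, an error only
# on a real failure (the original `|| true` also hid those).
kubectl create namespace "${NAMESPACE_NAME}" --dry-run=client -o yaml | kubectl apply -f - && \
# Render the secret client-side and apply it so that a re-run refreshes the
# 12-hour token in place instead of failing with "already exists". The original
# swallowed that failure with `|| true` and deployed against a stale secret.
# NOTE: the token is passed as an argument and is briefly visible in `ps`.
kubectl create secret docker-registry ecrlogin \
  --namespace="${NAMESPACE_NAME}" \
  --docker-server="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
  --docker-username=AWS \
  --docker-password="$(aws ecr get-login-password)" \
  --dry-run=client -o yaml | kubectl apply -f - && \
# The Deployment must live in the same namespace as the pull secret it references.
kubectl apply --namespace="${NAMESPACE_NAME}" -f manifest-deployment.yml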
ECR authorization tokens are valid for 12 hours; image pulls that present a token older than that are rejected, so the secret must be refreshed more often than every 12 hours.
- Cronjob
Bash
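#!/usr/bin/env bash
# Refresh the `ecrlogin` image-pull secret in every namespace that already has
# one. Meant to run from cron (see the crontab entry below); ECR tokens expire
# after 12 hours, so schedule it more often than that.
#
# Required environment: AWS_ACCOUNT, AWS_REGION, plus AWS CLI credentials
# (profile, env vars or instance role) and a kubeconfig for kubectl. cron starts
# with a near-empty environment, so set these in the crontab or source them here.
set -euo pipefail

: "${AWS_ACCOUNT:?AWS_ACCOUNT must be set}"
: "${AWS_REGION:?AWS_REGION must be set}"

registry="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com"

# Fetch one token for all namespaces (the original called aws once per
# namespace). If this fails, set -e stops the script before any existing
# secret is touched, so pods keep pulling with the still-valid old token.
token="$(/usr/local/bin/aws ecr get-login-password --region "${AWS_REGION}")"

# Select by exact secret name instead of grepping the table output, which also
# matched namespaces or other secrets whose name merely contained "ecrlogin".
mapfile -t kube_namespaces < <(kubectl get secret --all-namespaces \
  --field-selector metadata.name=ecrlogin \
  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}')

if (( ${#kube_namespaces[@]} == 0 )); then
  echo "$(date): no ecrlogin secret found in any namespace, nothing to do"
  exit 0
fi

for ns in "${kube_namespaces[@]}"; do
  echo "$(date): Updating secret for namespace - ${ns}"
  # Render client-side and apply: the secret is updated in place, with no
  # delete/create window during which pods cannot pull (and no lost secret if
  # the create step fails after the delete, as in the original).
  # NOTE: the token is passed as an argument and is briefly visible in `ps`.
  kubectl create secret docker-registry ecrlogin \
    --namespace "${ns}" \
    --docker-server="${registry}" \
    --docker-username=AWS \
    --docker-password="${token}" \
    --dry-run=client -o yaml | kubectl apply -f -
done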
Bash
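# open the crontab of the user whose kubeconfig and AWS credentials the script uses
crontab -e
# cron runs with a minimal environment: the script's required variables must
# be set in the crontab itself (values below are placeholders).
AWS_ACCOUNT=123456789012
AWS_REGION=eu-west-1
# job: runs at 00:00, 10:00 and 20:00, so every gap stays under the 12-hour
# token lifetime. The log holds only timestamps and namespace names, never the token.
0 */10 * * * /usr/local/bin/aws-ecr-update-credentials.sh >> /var/log/aws-ecr-update-credentials.log 2>&1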
Kubernetes Cronjob | ECR Login
YAML
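# Refreshes an ECR image-pull secret every 6 hours (ECR tokens expire after 12)
# and attaches it to the namespace's default ServiceAccount, so pods in
# `default` pull from ECR without listing imagePullSecrets themselves.
#
# Prerequisite: a Secret holding the AWS credentials the job uses, e.g.
#   kubectl create secret generic ecr-cred-helper-aws \
#     --from-literal=AWS_ACCESS_KEY_ID=... --from-literal=AWS_SECRET_ACCESS_KEY=...
# On EKS, prefer IAM Roles for Service Accounts: annotate the ServiceAccount
# below with eks.amazonaws.com/role-arn and drop the two key env entries, so no
# long-lived access key exists anywhere in the cluster.
# Requires kubectl >= 1.18 in the image for `--dry-run=client`.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-cred-helper
  namespace: default
spec:
  schedule: "0 */6 * * *"
  # Two overlapping runs would race on the same Secret; skip the new one instead.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 3
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          # Dedicated ServiceAccount bound to the minimal Role below -- not the
          # namespace's default SA, and not cluster-admin.
          serviceAccountName: ecr-cred-helper
          restartPolicy: Never
          terminationGracePeriodSeconds: 30
          # The original set hostNetwork: true; neither the AWS API nor the
          # kube-apiserver needs host networking, so it was dropped.
          containers:
            - name: ecr-cred-helper
              # Third-party image on a mutable tag, running with write access to
              # Secrets: pin a digest (image: ...@sha256:<digest>) or build your
              # own image containing awscli v2 and kubectl.
              image: odaniait/aws-kubectl:latest
              imagePullPolicy: IfNotPresent
              resources: {}
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              env:
                - name: AWS_DEFAULT_REGION
                  value: eu-west-1
                # Static keys come from a Secret instead of being pasted into the
                # manifest, where they would end up in git and in every
                # `kubectl get cronjob -o yaml`.
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: ecr-cred-helper-aws
                      key: AWS_ACCESS_KEY_ID
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: ecr-cred-helper-aws
                      key: AWS_SECRET_ACCESS_KEY
              command:
                - /bin/sh
                - -c
                - |-
                  set -eu
                  ACCOUNT=62XXXXXX585          # placeholder: your 12-digit account id
                  REGION=eu-west-1
                  SECRET_NAME=aws-secret-XXXXX # placeholder: name of the pull secret to maintain
                  # `aws ecr get-login` was removed in AWS CLI v2; get-login-password
                  # prints only the token. One token covers every registry in the
                  # account/region, so --registry-ids is not needed.
                  TOKEN=$(aws ecr get-login-password --region "${REGION}")
                  echo "Token fetched."
                  # Render client-side and apply: the Secret is updated in place,
                  # with no delete/create gap during which pods cannot pull, and a
                  # failed token fetch above leaves the old Secret untouched.
                  kubectl create secret docker-registry "${SECRET_NAME}" \
                    --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
                    --docker-username=AWS \
                    --docker-password="${TOKEN}" \
                    --dry-run=client -o yaml | kubectl apply -f -
                  echo "Secret applied: ${SECRET_NAME}"
                  # Every pod in this namespace that uses the default ServiceAccount
                  # will now pull with this secret.
                  kubectl patch serviceaccount default \
                    -p '{"imagePullSecrets":[{"name":"'"${SECRET_NAME}"'"}]}'
                  echo "All done."
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-cred-helper
  namespace: default
---
# Least privilege: the job only needs to read/create/update one Secret and
# patch one ServiceAccount in its own namespace. The original bound the
# `default` ServiceAccount to cluster-admin, which handed full cluster control
# to every pod in the namespace that did not set its own ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-cred-helper
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "patch"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-cred-helper
  namespace: default
subjects:
  - kind: ServiceAccount
    name: ecr-cred-helper
    namespace: default
roleRef:
  kind: Role
  name: ecr-cred-helper
  apiGroup: rbac.authorization.k8s.io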
Warning
A CronJob does not run when it is created; its first Job starts at the next scheduled time (for the schedule above, the next hour divisible by 6). To run it immediately for testing, create a one-off Job from it: `kubectl create job --from=cronjob/ecr-cred-helper ecr-cred-helper-manual -n default`.