How to Create AWS ECR Secret
Bash
kubectl create secret docker-registry ecrlogin \
--docker-server=${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com \
--docker-username=AWS \
--docker-password=$(aws ecr get-login-password --profile default)
- Automate
Bash
# namespace is optional
NAMESPACE_NAME="secrets-maybe" && \
# optional
kubectl create namespace $NAMESPACE_NAME || true && \
kubectl create secret docker-registry ecrlogin \
--docker-server=${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com \
--docker-username=AWS \
--docker-password=$(aws ecr get-login-password) \
--namespace=$NAMESPACE_NAME || true && \
kubectl apply -f manifest-deployment.yml
ECR tokens expire after 12 hours: a token obtained more than 12 hours ago will be rejected.
- Cronjob
Bash
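#!/usr/bin/env bash
# Refresh the "ecrlogin" image pull secret in every namespace that has one.
# Intended to run from cron, which supplies almost no environment: AWS_ACCOUNT,
# AWS_REGION and whatever the aws CLI / kubectl need to authenticate must be
# exported in the crontab line or here.
set -euo pipefail

: "${AWS_ACCOUNT:?AWS_ACCOUNT (account id that owns the registry) is not set}"
: "${AWS_REGION:?AWS_REGION is not set}"

readonly secret_name=ecrlogin
readonly registry="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com"

# One token serves every namespace, so fetch it once -- and before touching any
# secret. The original deleted each secret first and fetched the token during
# create, so a failed aws call left namespaces without a pull secret.
ecr_token=$(/usr/local/bin/aws ecr get-login-password)

# Exact-name match via field selector; the original "grep ecrlogin" matched any
# row containing that substring in any column (e.g. a secret "ecrlogin-old").
mapfile -t kube_namespaces < <(
  kubectl get secret --all-namespaces \
    --field-selector "metadata.name=${secret_name}" \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}'
)

if (( ${#kube_namespaces[@]} == 0 )); then
  echo "$(date): no namespace has a secret named ${secret_name}; nothing to do"
  exit 0
fi

failed=0
for ns in "${kube_namespaces[@]}"; do
  echo "$(date): Updating secret for namespace - ${ns}"
  # Render the secret locally and apply it: the token is replaced in place, so
  # there is no delete/create window in which pulls would fail. The token still
  # appears on kubectl's command line (visible in the process list while it runs).
  kubectl create secret docker-registry "${secret_name}" \
    --docker-server="${registry}" \
    --docker-username=AWS \
    --docker-password="${ecr_token}" \
    --namespace="${ns}" \
    --dry-run=client -o yaml | kubectl apply -f - \
    || { echo "$(date): failed to update ${ns}" >&2; failed=1; }
done
exit "${failed}"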
Bash
# open the crontab of the user whose kubeconfig and AWS credentials the script should use
crontab -e
# job: at minute 0 of every 10th hour (00:00, 10:00, 20:00) run the script above,
# saved as /usr/local/bin/aws-ecr-update-credentials.sh and made executable; every
# interval is well inside ECR's 12-hour token lifetime. cron starts the script
# with a near-empty environment, so AWS_ACCOUNT and AWS_REGION (and KUBECONFIG,
# if the user's default is not wanted) must be set in this crontab or in the
# script. stdout and stderr both go to the log file (2>&1); keep that file
# readable only by this user, since aws/kubectl error output can be sensitive.
0 */10 * * * /usr/local/bin/aws-ecr-update-credentials.sh >> /var/log/aws-ecr-update-credentials.log 2>&1
Kubernetes Cronjob
YAML
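# Static AWS credentials for the refresh job. On EKS, an IAM role bound to the
# service account (IRSA / Pod Identity) avoids storing long-lived access keys in
# a Secret at all; the IAM principal only needs ecr:GetAuthorizationToken.
apiVersion: v1
kind: Secret
metadata:
  name: ecr-registry-helper-secrets
  namespace: default
stringData:
  AWS_SECRET_ACCESS_KEY: "xxxx"
  AWS_ACCESS_KEY_ID: "xxx"
  AWS_ACCOUNT: "xxx"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ecr-registry-helper-cm
  namespace: default
data:
  AWS_REGION: "xxx"
  # Name of the pull secret the job recreates; must match resourceNames in the Role below.
  DOCKER_SECRET_NAME: ecrlogin
---
# batch/v1 replaces batch/v1beta1, which was removed in Kubernetes 1.25.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-registry-helper
  namespace: default
spec:
  # 00:00, 10:00 and 20:00 -- every interval is inside ECR's 12-hour token lifetime.
  schedule: "0 */10 * * *"
  successfulJobsHistoryLimit: 3
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: sa-cron-aws-cred
          containers:
            - name: ecr-registry-helper
              # Unpinned third-party image that runs with secret-writing RBAC:
              # pin it by digest (odaniait/aws-kubectl@sha256:<DIGEST>) so a
              # re-pushed "latest" cannot silently change what this job runs.
              image: odaniait/aws-kubectl:latest
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
                    name: ecr-registry-helper-secrets
                - configMapRef:
                    name: ecr-registry-helper-cm
              command:
                - /bin/sh
                - -c
                - |-
                  # -e: stop at the first failure, so a failed token fetch never
                  # reaches the delete below; -u: an unset variable is an error.
                  set -eu
                  ECR_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}")
                  NAMESPACE_NAME=default
                  # delete + create rather than apply, because the Role below
                  # grants only delete on the named secret and create on secrets.
                  kubectl delete secret --ignore-not-found "${DOCKER_SECRET_NAME}" -n "${NAMESPACE_NAME}"
                  kubectl create secret docker-registry "${DOCKER_SECRET_NAME}" \
                    --docker-server="https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
                    --docker-username=AWS \
                    --docker-password="${ECR_TOKEN}" \
                    --namespace="${NAMESPACE_NAME}"
                  echo "Secret was successfully updated at $(date)"
          restartPolicy: Never
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-cron-aws-cred
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: role-full-access-to-secrets
rules:
  # delete is scoped to the one secret the job manages ...
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ecrlogin"]
    verbs: ["delete"]
  # ... but create requests cannot be restricted by resourceNames, so this
  # service account can create any secret in the namespace. That is the blast
  # radius of the job's credentials and of the image it runs.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # name kept from the original; it carries no meaning for the binding.
  name: health-check-role-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: sa-cron-aws-cred
    namespace: default
    # ServiceAccount subjects belong to the core group, spelled "".
    apiGroup: ""
roleRef:
  kind: Role
  name: role-full-access-to-secrets
  # roleRef.apiGroup must name the RBAC group; the original "" is rejected by
  # the API server, so the binding was never created.
  apiGroup: rbac.authorization.k8s.io
---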