Last active
May 24, 2024 06:14
-
-
Save cablespaghetti/b5343b04dd5bdc68dcb62754986a34ed to your computer and use it in GitHub Desktop.
Automatic Updating Amazon ECR Credentials in Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Get directory of script | |
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | |
if [[ $# -ne 1 ]] | |
then | |
echo "ERROR: This script expects the namespace name to be given as an argument" | |
echo "e.g. ./ecr-cred-updater.sh my-namespace" | |
exit 1 | |
fi | |
# Steal the aws creds from the user's configuration for awscli | |
AWS_ACCESS_KEY_ID=`cat ~/.aws/credentials | grep aws_access_key_id | head -1 | cut -d'=' -f2 | sed 's/ //g'` | |
AWS_SECRET_ACCESS_KEY=`cat ~/.aws/credentials | grep aws_secret_access_key | head -1 | cut -d'=' -f2 | sed 's/ //g'` | |
if [ -z "$AWS_ACCESS_KEY_ID" ] | |
then | |
echo "ERROR: Failed to work out the AWS_ACCESS_KEY_ID" | |
exit 1 | |
fi | |
if [ -z "$AWS_SECRET_ACCESS_KEY" ] | |
then | |
echo "ERROR: Failed to work out the AWS_SECRET_ACCESS_KEY" | |
exit 1 | |
fi | |
# Fill in the variables in the yaml and run kubectl | |
cat $DIR/ecr-cred-updater.yaml | envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY' | kubectl apply -n ${1} -f - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kind: Role | |
apiVersion: rbac.authorization.k8s.io/v1 | |
metadata: | |
name: ecr-cred-updater | |
rules: | |
- apiGroups: [""] | |
resources: ["secrets"] | |
verbs: ["get", "create", "delete"] | |
- apiGroups: [""] | |
resources: ["serviceaccounts"] | |
verbs: ["get", "patch"] | |
--- | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: ecr-cred-updater | |
--- | |
kind: RoleBinding | |
apiVersion: rbac.authorization.k8s.io/v1 | |
metadata: | |
name: ecr-cred-updater | |
subjects: | |
- kind: ServiceAccount | |
name: ecr-cred-updater | |
roleRef: | |
kind: Role | |
name: ecr-cred-updater | |
apiGroup: rbac.authorization.k8s.io | |
--- | |
apiVersion: batch/v1 | |
kind: Job | |
metadata: | |
name: ecr-cred-updater | |
spec: | |
backoffLimit: 4 | |
template: | |
spec: | |
serviceAccountName: ecr-cred-updater | |
terminationGracePeriodSeconds: 0 | |
restartPolicy: Never | |
containers: | |
- name: kubectl | |
image: xynova/aws-kubectl | |
command: | |
- "/bin/sh" | |
- "-c" | |
- | | |
AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE | |
export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} | |
export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} | |
export AWS_REGION=us-east-1 | |
DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com | |
DOCKER_USER=AWS | |
DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6` | |
kubectl delete secret aws-registry || true | |
kubectl create secret docker-registry aws-registry \ | |
--docker-server=$DOCKER_REGISTRY_SERVER \ | |
--docker-username=$DOCKER_USER \ | |
--docker-password=$DOCKER_PASSWORD \ | |
[email protected] | |
kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}' | |
--- | |
apiVersion: batch/v1beta1 | |
kind: CronJob | |
metadata: | |
name: ecr-cred-updater | |
spec: | |
schedule: "* */8 * * *" | |
successfulJobsHistoryLimit: 1 | |
failedJobsHistoryLimit: 1 | |
jobTemplate: | |
spec: | |
backoffLimit: 4 | |
template: | |
spec: | |
serviceAccountName: ecr-cred-updater | |
terminationGracePeriodSeconds: 0 | |
restartPolicy: Never | |
containers: | |
- name: kubectl | |
image: xynova/aws-kubectl | |
command: | |
- "/bin/sh" | |
- "-c" | |
- | | |
AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE | |
export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} | |
export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} | |
export AWS_REGION=us-east-1 | |
DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com | |
DOCKER_USER=AWS | |
DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6` | |
kubectl delete secret aws-registry || true | |
kubectl create secret docker-registry aws-registry \ | |
--docker-server=$DOCKER_REGISTRY_SERVER \ | |
--docker-username=$DOCKER_USER \ | |
--docker-password=$DOCKER_PASSWORD \ | |
[email protected] | |
kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}' |
I believe the cronjob's timing is off. The way you have it right now it would run at every minute past every 8th hour which means it'll run every minute at hours 8, 16, and 24(00). I think what you want instead is 0 */8 * * *
which means it'll run at minute 0 past every 8th hour.
I get AWS_ACCOUNT
with:
aws sts get-caller-identity --query Account --output text:latest
The ecr-cred-updater.sh
script could provide this value.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you very much for sharing this! It worked flawlessly. ❤️
However instead of duplicating the manifest for Job, I've left only the one for CronJob and then triggered it manually.