Last active
May 24, 2024 06:14
-
-
Save cablespaghetti/b5343b04dd5bdc68dcb62754986a34ed to your computer and use it in GitHub Desktop.
Automatic Updating Amazon ECR Credentials in Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Get directory of script | |
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | |
| if [[ $# -ne 1 ]] | |
| then | |
| echo "ERROR: This script expects the namespace name to be given as an argument" | |
| echo "e.g. ./ecr-cred-updater.sh my-namespace" | |
| exit 1 | |
| fi | |
| # Steal the aws creds from the user's configuration for awscli | |
| AWS_ACCESS_KEY_ID=`cat ~/.aws/credentials | grep aws_access_key_id | head -1 | cut -d'=' -f2 | sed 's/ //g'` | |
| AWS_SECRET_ACCESS_KEY=`cat ~/.aws/credentials | grep aws_secret_access_key | head -1 | cut -d'=' -f2 | sed 's/ //g'` | |
| if [ -z "$AWS_ACCESS_KEY_ID" ] | |
| then | |
| echo "ERROR: Failed to work out the AWS_ACCESS_KEY_ID" | |
| exit 1 | |
| fi | |
| if [ -z "$AWS_SECRET_ACCESS_KEY" ] | |
| then | |
| echo "ERROR: Failed to work out the AWS_SECRET_ACCESS_KEY" | |
| exit 1 | |
| fi | |
| # Fill in the variables in the yaml and run kubectl | |
| cat $DIR/ecr-cred-updater.yaml | envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY' | kubectl apply -n ${1} -f - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kind: Role | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: ecr-cred-updater | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["secrets"] | |
| verbs: ["get", "create", "delete"] | |
| - apiGroups: [""] | |
| resources: ["serviceaccounts"] | |
| verbs: ["get", "patch"] | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: ecr-cred-updater | |
| --- | |
| kind: RoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: ecr-cred-updater | |
| subjects: | |
| - kind: ServiceAccount | |
| name: ecr-cred-updater | |
| roleRef: | |
| kind: Role | |
| name: ecr-cred-updater | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| apiVersion: batch/v1 | |
| kind: Job | |
| metadata: | |
| name: ecr-cred-updater | |
| spec: | |
| backoffLimit: 4 | |
| template: | |
| spec: | |
| serviceAccountName: ecr-cred-updater | |
| terminationGracePeriodSeconds: 0 | |
| restartPolicy: Never | |
| containers: | |
| - name: kubectl | |
| image: xynova/aws-kubectl | |
| command: | |
| - "/bin/sh" | |
| - "-c" | |
| - | | |
| AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE | |
| export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} | |
| export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} | |
| export AWS_REGION=us-east-1 | |
| DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com | |
| DOCKER_USER=AWS | |
| DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6` | |
| kubectl delete secret aws-registry || true | |
| kubectl create secret docker-registry aws-registry \ | |
| --docker-server=$DOCKER_REGISTRY_SERVER \ | |
| --docker-username=$DOCKER_USER \ | |
| --docker-password=$DOCKER_PASSWORD \ | |
| [email protected] | |
| kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}' | |
| --- | |
| apiVersion: batch/v1beta1 | |
| kind: CronJob | |
| metadata: | |
| name: ecr-cred-updater | |
| spec: | |
| schedule: "* */8 * * *" | |
| successfulJobsHistoryLimit: 1 | |
| failedJobsHistoryLimit: 1 | |
| jobTemplate: | |
| spec: | |
| backoffLimit: 4 | |
| template: | |
| spec: | |
| serviceAccountName: ecr-cred-updater | |
| terminationGracePeriodSeconds: 0 | |
| restartPolicy: Never | |
| containers: | |
| - name: kubectl | |
| image: xynova/aws-kubectl | |
| command: | |
| - "/bin/sh" | |
| - "-c" | |
| - | | |
| AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE | |
| export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} | |
| export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} | |
| export AWS_REGION=us-east-1 | |
| DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com | |
| DOCKER_USER=AWS | |
| DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6` | |
| kubectl delete secret aws-registry || true | |
| kubectl create secret docker-registry aws-registry \ | |
| --docker-server=$DOCKER_REGISTRY_SERVER \ | |
| --docker-username=$DOCKER_USER \ | |
| --docker-password=$DOCKER_PASSWORD \ | |
| [email protected] | |
| kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I get
AWS_ACCOUNTwith:The
ecr-cred-updater.shscript could provide this value.