Skip to content

Instantly share code, notes, and snippets.

@daniilyar

daniilyar/ecr_secrets_refresher.sh

Last active June 1, 2019 01:26
Show Gist options
  • Save daniilyar/3cd5a6ba54d4ed2114799b4dec084025 to your computer and use it in GitHub Desktop.
Save daniilyar/3cd5a6ba54d4ed2114799b4dec084025 to your computer and use it in GitHub Desktop.
Download ZIP
Script for refreshing the ECR secret in all Kubernetes namespaces
Raw
ecr_secrets_refresher.sh
#!/bin/bash
HELP_MSG="This script read the AWS credentials from the execution environment, get the docker-login scring by the AWS-CLI utility, creates the k8s secret with
this docker-login and add it as a a part of "imagePullSecrets" option to the 'default' serviceaccounts in all k8s namespaces.\n
Available arguments: '-s' for the name of the ECR secret will add, '-p' for the patchstring, '-h' for this message."
while getopts :r:p:s:a:h: option
do
case "${option}"
in
r) AWS_REGION="$OPTARG";;
p) AWS_PROFILE="$OPTARG";;
s) SECRET_NAME="$OPTARG";;
a) DO_ACCOUNTS="$OPTARG";;
h) NEED_HELP="1";;
*) NEED_HELP="1";;
esac
done
if [[ "$#" -eq 0 ]]
then
echo -e "$HELP_MSG"
exit 1
fi
if [[ "$NEED_HELP" -eq 1 ]]
then
echo -e "$HELP_MSG"
exit 1
fi
declare -r ECR_LOGIN="$(aws --region $AWS_REGION ecr get-login --no-include-email --profile $AWS_PROFILE)"
declare -r DOCKER_REGISTRY_SERVER="$(echo ${ECR_LOGIN} | awk '{print $NF}')"
declare -r DOCKER_USER="$(echo ${ECR_LOGIN} | awk '{print $4}')"
declare -r DOCKER_PASSWORD="$(echo ${ECR_LOGIN} | awk '{print $6}')"
KUBECTL="/usr/local/bin/kubectl"
export K8S_NAMESPACES=`$KUBECTL get NAMESPACE | tail -n +2 | awk '{print $1}'`
do_secret(){
if [[ ! "${SECRET_NAME}" == "None" ]]; then
for NAMESPACE in ${K8S_NAMESPACES}; do
$KUBECTL -n $NAMESPACE delete secret ${SECRET_NAME} 2>&1 || true
$KUBECTL -n $NAMESPACE create secret docker-registry ${SECRET_NAME} \
--docker-server=$DOCKER_REGISTRY_SERVER \
--docker-username=$DOCKER_USER \
--docker-password=$DOCKER_PASSWORD \
[email protected]
done
else
echo -e "$HELP_MSG"
exit 1
fi
}
do_serviceassounts(){
for NAMESPACE in ${K8S_NAMESPACES}; do
SERVICEACCOUNTS="$(kubectl -n ${NAMESPACE} get serviceaccount | tail -n +2 | awk '{print $1}')"
PATCHSTRING='{"imagePullSecrets":[{"name":"nurego-registry-secret-ecr"}, {"name":"bekitzur-registry-secret-ecr"}]}'
for ACCOUNT in ${SERVICEACCOUNTS}; do
$KUBECTL -n ${NAMESPACE} patch serviceaccount ${ACCOUNT} \
-p "${PATCHSTRING}"
done
done
}
do_secret
# do_serviceassounts
@daniilyar
Copy link
Author

daniilyar commented May 28, 2019
edited
Loading

This script supports refreshing ECR secret for 2 or more ECR registries in all namespaces of a K8s cluster.
You need to put it into cron on the first K8s master node.
Usage: the above script assumes that you have 2 registries - 'bekitzur' and 'nurego'

# crontab -e
*/30 * * * * /usr/local/bin/ecr_secrets_refresher.sh -p nurego -r us-east-1 -s nurego-registry-secret-ecr > /root/refresh_ecr_token_nurego.log 2>&1
*/30 * * * * /usr/local/bin/ecr_secrets_refresher.sh -p bekitzur -r eu-central-1 -s bekitzur-registry-secret-ecr > /root/refresh_ecr_token_bekitzur.log 2>&1

If you want different registry names, please update the script accordingly

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment