@tuantranf
Created September 16, 2019 03:22
A Kubernetes cronjob to refresh ECR authentication

Create AWS secret

kubectl create secret generic aws-secret --from-literal=AWS_ACCOUNT= --from-literal=AWS_ACCESS_KEY_ID= --from-literal=AWS_SECRET_ACCESS_KEY= --from-literal=AWS_DEFAULT_REGION= --from-literal=AWS_REGION=

Create cronjob

#aws-registry-credential-cron.yaml
# batch/v1beta1 matches the Kubernetes versions of 2019; on Kubernetes 1.21+
# use apiVersion: batch/v1 (the batch/v1beta1 CronJob was removed in 1.25).
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: aws-registry-credential-cron
spec:
  # ECR authorization tokens are valid for 12 hours, so refresh every 8 hours.
  # ("* */8 * * *" would fire every minute during hours 0, 8 and 16.)
  schedule: "0 */8 * * *"
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      backoffLimit: 4
      template:
        spec:
          # This service account needs RBAC rights to create/delete secrets and
          # patch serviceaccounts in the namespace; the default account normally
          # has neither, so bind it (or a dedicated account) to a Role that does.
          serviceAccountName: default
          terminationGracePeriodSeconds: 0
          restartPolicy: Never
          containers:
          - name: kubectl
            imagePullPolicy: IfNotPresent
            image: xynova/aws-kubectl:latest
            envFrom:
            - secretRef:
                name: aws-secret
            command:
            - "/bin/sh"
            - "-c"
            - |
              set -e
              DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
              DOCKER_USER=AWS
              # AWS CLI v1: "aws ecr get-login" prints a "docker login -u AWS -p <token> ..." line,
              # and field 6 is the token. AWS CLI v2 removed get-login; there use
              # "aws ecr get-login-password --region ${AWS_REGION}" instead.
              DOCKER_PASSWORD=$(aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6)
              # Abort rather than store an empty password if the token fetch failed.
              [ -n "$DOCKER_PASSWORD" ] || exit 1
              kubectl delete secret aws-registry || true
              # The e-mail value was lost from the original gist; any address is accepted.
              kubectl create secret docker-registry aws-registry \
              --docker-server=$DOCKER_REGISTRY_SERVER \
              --docker-username=$DOCKER_USER \
              --docker-password=$DOCKER_PASSWORD \
              --docker-email=YOUR_EMAIL_HERE
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'

Run

kubectl create -f aws-registry-credential-cron.yaml

# trigger the first run
kubectl create job --from=cronjob/aws-registry-credential-cron aws-registry-credential-cron-manual-001
kubectl logs job/aws-registry-credential-cron-manual-001
secret "aws-registry" deleted
secret "aws-registry" created
serviceaccount "default" not patched
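The cronjob above deletes the pull secret and recreates it, which leaves a short window in which a pod scheduled at that moment cannot authenticate to ECR (the point raised in the comments below). The following script is an added example, not code from the gist: it renders the same kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry would produce and applies it in place with kubectl apply, so the old token is replaced atomically. It assumes AWS CLI v2 (aws ecr get-login-password), a secret named aws-registry, and the NAMESPACE, AWS_ACCOUNT and AWS_REGION variables; the cluster call only happens when ECR_REFRESH_RUN=1 is set, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the gist): refresh an ECR pull secret in place with
# "kubectl apply" instead of delete + create, so there is no gap without a secret.
# Assumptions not on the original page: AWS CLI v2 (get-login-password),
# secret name "aws-registry", namespace from $NAMESPACE (default "default").
set -eu

# base64 without line wrapping, portable across GNU and BSD base64.
b64() { base64 | tr -d '\n'; }

# Build the .dockerconfigjson body that kubectl generates for a docker-registry
# secret: {"auths":{"<server>":{"username","password","auth"}}}. ECR tokens are
# base64 text, so no JSON escaping is needed for them.
build_dockerconfig() {
  server=$1; user=$2; password=$3
  auth=$(printf '%s:%s' "$user" "$password" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$password" "$auth"
}

# Render a kubernetes.io/dockerconfigjson Secret manifest on stdout.
build_secret_manifest() {
  name=$1; namespace=$2; server=$3; user=$4; password=$5
  data=$(build_dockerconfig "$server" "$user" "$password" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# Registry hostname for an account/region pair.
ecr_server() { printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"; }

# Fetch a fresh 12-hour token, apply the secret in place, and make sure the
# service account references it. Needs AWS CLI v2 and kubectl on PATH, and a
# service account with create/patch on secrets and patch on serviceaccounts.
refresh_ecr_secret() {
  account=$1; region=$2; name=${3:-aws-registry}; namespace=${4:-default}
  password=$(aws ecr get-login-password --region "$region")
  [ -n "$password" ] || { echo "empty ECR token" >&2; return 1; }
  build_secret_manifest "$name" "$namespace" "https://$(ecr_server "$account" "$region")" AWS "$password" \
    | kubectl apply -n "$namespace" -f -
  kubectl patch serviceaccount default -n "$namespace" \
    -p "{\"imagePullSecrets\":[{\"name\":\"$name\"}]}"
}

# Only talk to a real cluster when explicitly requested (hypothetical flag).
if [ "${ECR_REFRESH_RUN:-0}" = "1" ]; then
  refresh_ecr_secret "$AWS_ACCOUNT" "$AWS_REGION" "${SECRET_NAME:-aws-registry}" "${NAMESPACE:-default}"
fi
```

Drop the script into the cronjob container in place of the inline shell and set ECR_REFRESH_RUN=1 in the pod environment; kubectl apply updates the existing Secret object in one request, so pods that start mid-refresh see either the old (still valid) token or the new one.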
@tuantranf

@evgenyfadeev yes. It may have been an issue for a moment we deleted the secret. We can call the kubectl edit secret command to update a secret, instead of removing it.

@tuantranf

I've had to update to AWS cli v2 instead of v1 in order to get it to work.

@DavidPerezIngeniero Thank you for sharing.
I created this gist a long time ago when I needed to work with an on-premise Kubernetes cluster using AWS ECR, so some of the information may be outdated.
