Script for refreshing the ECR secret in all Kubernetes namespaces
#!/bin/bash
# Refreshes an ECR docker-registry pull secret in every namespace of a Kubernetes cluster.
# ECR authorization tokens are only valid for 12 hours, so this is meant to run from cron.
set -euo pipefail

HELP_MSG="This script reads the AWS credentials from the execution environment, gets an ECR
authorization token through the AWS CLI, creates (or refreshes) the k8s docker-registry
secret from it in all k8s namespaces and optionally adds it to the 'imagePullSecrets' of
every serviceaccount in all namespaces.
Available arguments:
  -r  AWS region of the ECR registry
  -p  AWS CLI profile to use
  -s  name of the ECR secret to create/refresh
  -a  1 to also patch the serviceaccounts' imagePullSecrets (default: secret only)
  -h  this message"

AWS_REGION=""
AWS_PROFILE=""
SECRET_NAME=""
DO_ACCOUNTS=""
NEED_HELP=""
# '-h' takes no argument; the other options each take one.
while getopts ":r:p:s:a:h" option; do
  case "${option}" in
    r) AWS_REGION="$OPTARG";;
    p) AWS_PROFILE="$OPTARG";;
    s) SECRET_NAME="$OPTARG";;
    a) DO_ACCOUNTS="$OPTARG";;
    h) NEED_HELP="1";;
    *) NEED_HELP="1";;
  esac
done

if [[ "$#" -eq 0 || "$NEED_HELP" == "1" || -z "$AWS_REGION" || -z "$AWS_PROFILE" || -z "$SECRET_NAME" ]]; then
  printf '%s\n' "$HELP_MSG"
  exit 1
fi

KUBECTL="/usr/local/bin/kubectl"

# AWS CLI v2 removed 'ecr get-login' (which printed a full 'docker login' command line);
# 'ecr get-login-password' prints only the token, the user name is always 'AWS' and the
# registry host is derived from the account ID (standard-region host name shown here).
AWS_ACCOUNT_ID="$(aws --region "$AWS_REGION" --profile "$AWS_PROFILE" sts get-caller-identity --query Account --output text)"
DOCKER_REGISTRY_SERVER="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
DOCKER_USER="AWS"
DOCKER_PASSWORD="$(aws --region "$AWS_REGION" --profile "$AWS_PROFILE" ecr get-login-password)"
readonly DOCKER_REGISTRY_SERVER DOCKER_USER DOCKER_PASSWORD

K8S_NAMESPACES="$($KUBECTL get namespaces -o jsonpath='{.items[*].metadata.name}')"

do_secret(){
  for NAMESPACE in ${K8S_NAMESPACES}; do
    # Render the secret client-side and apply it, so it is updated in place instead of
    # deleted and re-created (a pod scheduled in between would fail its image pull).
    # Note: the token is still passed in kubectl's argv and is visible in 'ps' for that moment.
    $KUBECTL -n "${NAMESPACE}" create secret docker-registry "${SECRET_NAME}" \
      --docker-server="$DOCKER_REGISTRY_SERVER" \
      --docker-username="$DOCKER_USER" \
      --docker-password="$DOCKER_PASSWORD" \
      --docker-email=no@email.local \
      --dry-run=client -o yaml | $KUBECTL -n "${NAMESPACE}" apply -f -
  done
}

do_serviceaccounts(){
  # A strategic merge patch replaces the whole imagePullSecrets list, so every ECR secret
  # the cluster uses has to be listed here. These two names match the two registries in the
  # crontab below; change them if your secrets are named differently.
  PATCHSTRING='{"imagePullSecrets":[{"name":"nurego-registry-secret-ecr"}, {"name":"bekitzur-registry-secret-ecr"}]}'
  for NAMESPACE in ${K8S_NAMESPACES}; do
    SERVICEACCOUNTS="$($KUBECTL -n "${NAMESPACE}" get serviceaccounts -o jsonpath='{.items[*].metadata.name}')"
    for ACCOUNT in ${SERVICEACCOUNTS}; do
      $KUBECTL -n "${NAMESPACE}" patch serviceaccount "${ACCOUNT}" -p "${PATCHSTRING}"
    done
  done
}

do_secret
# The serviceaccount patch is opt-in via '-a 1'; the secret refresh alone is the default.
if [[ "$DO_ACCOUNTS" == "1" ]]; then
  do_serviceaccounts
fi
daniilyar commented May 28, 2019

This script supports refreshing ECR secret for 2 or more ECR registries in all namespaces of a K8s cluster.
You need to put it into cron on the first K8s master node.
Usage: the above script assumes that you have 2 registries - 'bekitzur' and 'nurego'

# crontab -e
*/30 * * * * /usr/local/bin/ecr_secrets_refresher.sh -p nurego -r us-east-1 -s nurego-registry-secret-ecr > /root/refresh_ecr_token_nurego.log 2>&1
*/30 * * * * /usr/local/bin/ecr_secrets_refresher.sh -p bekitzur -r eu-central-1 -s bekitzur-registry-secret-ecr > /root/refresh_ecr_token_bekitzur.log 2>&1

If you want different registry names, please update the script accordingly
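The script above hands the ECR token to kubectl as `--docker-password=...`, which puts the token in a process's argv for the duration of the call. As an added example (not part of the gist), the function below renders the same `kubernetes.io/dockerconfigjson` Secret manifest in plain POSIX sh from variables only, so the token reaches kubectl through stdin of `kubectl apply -f -` instead. It also shows what a docker-registry secret actually contains: a `.dockerconfigjson` whose `auths[<registry>].auth` is base64 of `user:password`. The function name, the sample registry host and the sample token are assumptions made for the example; it relies on coreutils `base64` and assumes the token contains no characters that need JSON escaping (ECR tokens are base64 text).

```shell
#!/bin/sh
# Added example, not the gist's code: build a docker-registry Secret manifest without
# exposing the registry token on any command line.

# b64 STRING : base64-encode on a single line (coreutils wraps at 76 chars by default).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_ecr_secret NAME REGISTRY USER PASSWORD : print a Secret manifest to stdout.
# Shell function arguments are not visible in 'ps'; only external commands' argv are,
# and the only external commands here (base64, tr) read their data from stdin.
render_ecr_secret() {
  name="$1"; registry="$2"; user="$3"; password="$4"
  # 'auth' is base64("user:password"), exactly what 'docker login' writes to config.json.
  auth="$(b64 "${user}:${password}")"
  config="{\"auths\":{\"${registry}\":{\"username\":\"${user}\",\"password\":\"${password}\",\"auth\":\"${auth}\"}}}"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$name" "$(b64 "$config")"
}

# Usage from the refresher (assumed variable names), one namespace at a time:
#   render_ecr_secret "$SECRET_NAME" "$DOCKER_REGISTRY_SERVER" AWS "$DOCKER_PASSWORD" \
#     | kubectl -n "$NAMESPACE" apply -f -
# Demo with a constructed registry host and token (no AWS call is made):
render_ecr_secret demo-registry-secret-ecr 123456789012.dkr.ecr.us-east-1.amazonaws.com AWS tokenvalue
```

`kubectl apply` updates an existing secret in place, so pods scheduled during the refresh still find a usable pull secret, which the gist's delete-then-create sequence does not guarantee.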
