@ebongzzang
Created February 22, 2019 08:54
kubernetes ecr token refresh script (all namespace)
```yaml
# Before applying the manifest below, run this command once:
# kubectl create clusterrolebinding ecr-cluster-rule --clusterrole=cluster-admin --serviceaccount=default:default
apiVersion: batch/v1beta1
kind: CronJob # tell Kubernetes that this is a CronJob
metadata:
  name: ecr-puller # name of the job, can be anything
  namespace: default
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers: # the container that will be triggered by the CronJob
          - image: odaniait/aws-kubectl:latest # the base image used to run our shell script
            imagePullPolicy: IfNotPresent # as per your requirement | standard | read docs
            name: ecr-puller # as per your requirement | standard | read docs
            command: # our script goes here
            - /bin/sh # standard | set the entry point for execution after the cron trigger
            - -c # standard
            - |- # the actual script starts here; the block scalar is handed to sh -c when the config is sent to Kubernetes
              ACCOUNT={PUT_ACCOUNT} # edit
              REGION=ap-northeast-2 # custom script | your AWS region of choice
              SECRET_NAME=${REGION}-ecr-registry # custom script | name of the secret
              EMAIL=anymail.doesnt.matter@email.com # custom script | any email address
              TOKEN=$(aws ecr get-login --region ${REGION} --registry-ids ${ACCOUNT} | cut -d' ' -f6) # custom script | call AWS ECR to get the login password and store it in TOKEN
              NAMESPACES=$(kubectl get namespaces -o=name | sed "s;^namespace/;;")
              echo "ENV variables setup done."
              for namespace in $NAMESPACES
              do
                kubectl delete secret --ignore-not-found $SECRET_NAME --namespace=$namespace
                kubectl create secret docker-registry $SECRET_NAME --docker-username=AWS --docker-password="${TOKEN}" --docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com --docker-email="${EMAIL}" --namespace=$namespace
                kubectl patch --namespace=$namespace serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}'
              done
              echo "All done."
            env: # container | environment vars needed for aws config
            - name: AWS_DEFAULT_REGION # container | aws will auto-detect this region
              value: ap-northeast-2
            - name: AWS_SECRET_ACCESS_KEY # PUT_HERE
              value: {AWS_SECRET_ACCESS_KEY}
            - name: AWS_ACCESS_KEY_ID # PUT_HERE
              value: {AWS_ACCESS_KEY_ID}
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: Default # workload | custom | sometimes the pod won't have internet access with 'ClusterFirst'
          hostNetwork: true
          restartPolicy: Never # workload | standard | as per requirement
          schedulerName: default-scheduler # workload | standard | as per requirement
          terminationGracePeriodSeconds: 30
  schedule: "0 */6 * * *" # workload | cron pattern | every 6 hours
  successfulJobsHistoryLimit: 3
  suspend: false
```
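As an added example (not part of the gist), the POSIX shell functions below show what the script's `cut -d' ' -f6` extracts from the `aws ecr get-login` output and what `kubectl create secret docker-registry` builds: a `kubernetes.io/dockerconfigjson` Secret. Emitting that manifest and piping it to `kubectl apply -f -` per namespace replaces the delete/create pair, which briefly leaves a namespace without a pull secret; the login line, account id and token are constructed samples, and `base64` from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not the gist's code. Assumes the AWS CLI v1 login line format:
#   docker login -u AWS -p <token> -e none https://<acct>.dkr.ecr.<region>.amazonaws.com

# Password is the 6th whitespace-separated field, exactly as the gist's cut call reads it.
ecr_token_from_login() {
  printf '%s\n' "$1" | cut -d' ' -f6
}

# Registry URL is the last field of the same line.
ecr_server_from_login() {
  printf '%s\n' "$1" | awk '{print $NF}'
}

# Build the .dockerconfigjson document that `kubectl create secret docker-registry`
# generates: auths -> server -> username/password/email plus base64("user:pass").
docker_config_json() {
  server="$1"; user="$2"; pass="$3"; email="$4"
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$email" "$auth"
}

# Emit a Secret manifest for one namespace; pipe it to `kubectl apply -f -`
# so the existing secret is updated in place rather than deleted and recreated.
ecr_secret_manifest() {
  name="$1"; namespace="$2"; login_line="$3"; email="$4"
  server=$(ecr_server_from_login "$login_line")
  token=$(ecr_token_from_login "$login_line")
  cfg=$(docker_config_json "$server" AWS "$token" "$email" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/dockerconfigjson\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  .dockerconfigjson: %s\n' \
    "$name" "$namespace" "$cfg"
}

# Constructed sample login line (account id and token are placeholders, not real values).
SAMPLE_LOGIN='docker login -u AWS -p EXAMPLETOKEN123 -e none https://123456789012.dkr.ecr.ap-northeast-2.amazonaws.com'

# Usage: for ns in $(kubectl get namespaces -o=name | sed "s;^namespace/;;"); do
#   ecr_secret_manifest ap-northeast-2-ecr-registry "$ns" "$(aws ecr get-login ...)" "$EMAIL" | kubectl apply -f -
# done
```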