Kubernetes ECR token refresh script (all namespaces)
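# Before applying this manifest, give the job's service account the rights the
# script needs. The original instructions bind cluster-admin to default:default:
#   kubectl create clusterrolebinding ecr-cluster-rule --clusterrole=cluster-admin --serviceaccount=default:default
# That is far more than the script uses: it only lists namespaces, deletes/creates
# secrets and patches the "default" serviceaccount in each namespace. A dedicated
# ServiceAccount bound to a ClusterRole limited to those verbs (namespaces: list;
# secrets: create, delete; serviceaccounts: patch) is the least-privilege equivalent.
#
# AWS credentials are no longer written into this file. Create them as a Secret first:
#   kubectl create secret generic ecr-puller-aws-credentials \
#     --from-literal=AWS_ACCESS_KEY_ID=<PUT_ACCESS_KEY_ID> \
#     --from-literal=AWS_SECRET_ACCESS_KEY=<PUT_SECRET_ACCESS_KEY>
# then replace the <PUT_...> placeholder below.
---
apiVersion: batch/v1beta1  # deprecated API version; newer clusters serve CronJob under batch/v1
kind: CronJob
metadata:
  name: ecr-puller
  namespace: default
spec:
  # Every 6 hours, well inside the 12-hour lifetime of an ECR authorization token.
  # Quoted so no YAML parser tries to interpret the "*" characters.
  schedule: "0 */6 * * *"
  # Two overlapping runs would race on the delete/create of the same secret,
  # so never start a new run while the previous one is still going.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 3
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          # Use the node's resolver; with ClusterFirst some clusters cannot resolve
          # the public AWS endpoints from inside the pod.
          dnsPolicy: Default
          schedulerName: default-scheduler
          terminationGracePeriodSeconds: 30
          # hostNetwork: true (original) is intentionally dropped: the pod reaches
          # the API server and AWS through the normal pod network, and sharing the
          # node's network namespace is an unnecessary privilege.
          containers:
            - name: ecr-puller
              # TODO(review): pin a tag or digest; ":latest" is not reproducible.
              image: odaniait/aws-kubectl:latest
              imagePullPolicy: IfNotPresent
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              env:
                - name: AWS_DEFAULT_REGION
                  value: ap-northeast-2
                # Your AWS account id, quoted so YAML keeps it a string.
                - name: AWS_ACCOUNT_ID
                  value: "<PUT_ACCOUNT_ID>"
                # Read from the Secret created above instead of an inline literal;
                # the original "{AWS_ACCESS_KEY_ID}" value was also parsed by YAML as
                # a flow mapping, not a string, and is rejected by the API server.
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: ecr-puller-aws-credentials
                      key: AWS_ACCESS_KEY_ID
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: ecr-puller-aws-credentials
                      key: AWS_SECRET_ACCESS_KEY
              command:
                - /bin/sh
                - -c
                - |-
                  # Refresh the ECR pull secret in every namespace and point the
                  # namespace's "default" serviceaccount at it.
                  set -u
                  REGION="${AWS_DEFAULT_REGION}"
                  ACCOUNT="${AWS_ACCOUNT_ID}"
                  SECRET_NAME="${REGION}-ecr-registry"
                  EMAIL="anymail.doesnt.matter@email.com"   # any address; ECR ignores it
                  # `aws ecr get-login` prints a full "docker login -u AWS -p <token> ..."
                  # command; field 6 is the token. Newer AWS CLIs replace this
                  # subcommand with `aws ecr get-login-password` (adjust if the image's
                  # CLI no longer provides get-login).
                  TOKEN=$(aws ecr get-login --region "${REGION}" --registry-ids "${ACCOUNT}" | cut -d' ' -f6)
                  if [ -z "${TOKEN}" ]; then
                    # The original would have created secrets with an empty password.
                    echo "Failed to obtain an ECR token; existing secrets left untouched." >&2
                    exit 1
                  fi
                  NAMESPACES=$(kubectl get namespaces -o=name | sed "s;^namespace/;;")
                  echo "ENV variables setup done."
                  FAILED=0
                  for namespace in ${NAMESPACES}; do
                    # Keep going for the other namespaces if one of them fails,
                    # but report the failure through the exit code.
                    if ! (
                      kubectl delete secret --ignore-not-found "${SECRET_NAME}" --namespace="${namespace}" &&
                      kubectl create secret docker-registry "${SECRET_NAME}" \
                        --docker-username=AWS \
                        --docker-password="${TOKEN}" \
                        --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
                        --docker-email="${EMAIL}" \
                        --namespace="${namespace}" &&
                      # Replaces the whole imagePullSecrets list of the default serviceaccount.
                      kubectl patch --namespace="${namespace}" serviceaccount default \
                        -p '{"imagePullSecrets":[{"name":"'"${SECRET_NAME}"'"}]}'
                    ); then
                      echo "Failed to refresh ${SECRET_NAME} in namespace ${namespace}" >&2
                      FAILED=1
                    fi
                  done
                  echo "All done."
                  exit "${FAILED}"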