frekele/ecr-cred-updater.sh

## ecr-cred-updater.sh
#!/bin/bash

# Get directory of script
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

if [[ $# -ne 1 ]]
then
    echo "ERROR: This script expects the namespace name to be given as an argument"
    echo "e.g. ./ecr-cred-updater.sh my-namespace"
    exit 1
fi

# Steal the aws creds from the user's configuration for awscli
AWS_ACCESS_KEY_ID=`cat ~/.aws/credentials | grep aws_access_key_id | head -1 | cut -d'=' -f2 | sed 's/ //g'`
AWS_SECRET_ACCESS_KEY=`cat ~/.aws/credentials | grep aws_secret_access_key | head -1 | cut -d'=' -f2 | sed 's/ //g'`
if [ -z "$AWS_ACCESS_KEY_ID" ]
then
    echo "ERROR: Failed to work out the AWS_ACCESS_KEY_ID"
    exit 1
fi

if [ -z "$AWS_SECRET_ACCESS_KEY" ]
then
    echo "ERROR: Failed to work out the AWS_SECRET_ACCESS_KEY"
    exit 1
fi

# Fill in the variables in the yaml and run kubectl
cat $DIR/ecr-cred-updater.yaml | envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY' | kubectl apply -n ${1} -f -

## ecr-cred-updater.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-cred-updater
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "create", "delete"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-cred-updater


---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-cred-updater
subjects:
  - kind: ServiceAccount
    name: ecr-cred-updater
roleRef:
  kind: Role
  name: ecr-cred-updater
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: batch/v1
kind: Job
metadata:
  name: ecr-cred-updater
spec:
  backoffLimit: 4
  template:
    spec:
      serviceAccountName: ecr-cred-updater
      terminationGracePeriodSeconds: 0
      restartPolicy: Never
      containers:
      - name: kubectl
        image: xynova/aws-kubectl
        command:
        - "/bin/sh"
        - "-c"
        - |
          AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE
          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
          export AWS_REGION=us-east-1
          DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
          DOCKER_USER=AWS
          DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6`
          kubectl delete secret aws-registry || true
          kubectl create secret docker-registry aws-registry \
          --docker-server=$DOCKER_REGISTRY_SERVER \
          --docker-username=$DOCKER_USER \
          --docker-password=$DOCKER_PASSWORD \
          --docker-email=no@email.local
          kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: ecr-cred-updater
spec:
  schedule: "* */8 * * *"
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 4
      template:
        spec:
          serviceAccountName: ecr-cred-updater
          terminationGracePeriodSeconds: 0
          restartPolicy: Never
          containers:
          - name: kubectl
            image: xynova/aws-kubectl
            command:
            - "/bin/sh"
            - "-c"
            - |
              AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE
              export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
              export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
              export AWS_REGION=us-east-1
              DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
              DOCKER_USER=AWS
              DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6`
              kubectl delete secret aws-registry || true
              kubectl create secret docker-registry aws-registry \
              --docker-server=$DOCKER_REGISTRY_SERVER \
              --docker-username=$DOCKER_USER \
              --docker-password=$DOCKER_PASSWORD \
              --docker-email=no@email.local
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'
	#!/bin/bash

	# Get directory of script
	DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

	if [[ $# -ne 1 ]]
	then
	echo "ERROR: This script expects the namespace name to be given as an argument"
	echo "e.g. ./ecr-cred-updater.sh my-namespace"
	exit 1
	fi

	# Steal the aws creds from the user's configuration for awscli
	AWS_ACCESS_KEY_ID=`cat ~/.aws/credentials \| grep aws_access_key_id \| head -1 \| cut -d'=' -f2 \| sed 's/ //g'`
	AWS_SECRET_ACCESS_KEY=`cat ~/.aws/credentials \| grep aws_secret_access_key \| head -1 \| cut -d'=' -f2 \| sed 's/ //g'`
	if [ -z "$AWS_ACCESS_KEY_ID" ]
	then
	echo "ERROR: Failed to work out the AWS_ACCESS_KEY_ID"
	exit 1
	fi

	if [ -z "$AWS_SECRET_ACCESS_KEY" ]
	then
	echo "ERROR: Failed to work out the AWS_SECRET_ACCESS_KEY"
	exit 1
	fi

	# Fill in the variables in the yaml and run kubectl
	cat $DIR/ecr-cred-updater.yaml \| envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY' \| kubectl apply -n ${1} -f -
	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: ecr-cred-updater
	rules:
	- apiGroups: [""]
	resources: ["secrets"]
	verbs: ["get", "create", "delete"]
	- apiGroups: [""]
	resources: ["serviceaccounts"]
	verbs: ["get", "patch"]
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: ecr-cred-updater


	---
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: ecr-cred-updater
	subjects:
	- kind: ServiceAccount
	name: ecr-cred-updater
	roleRef:
	kind: Role
	name: ecr-cred-updater
	apiGroup: rbac.authorization.k8s.io

	---
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: ecr-cred-updater
	spec:
	backoffLimit: 4
	template:
	spec:
	serviceAccountName: ecr-cred-updater
	terminationGracePeriodSeconds: 0
	restartPolicy: Never
	containers:
	- name: kubectl
	image: xynova/aws-kubectl
	command:
	- "/bin/sh"
	- "-c"
	- \|
	AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE
	export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
	export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
	export AWS_REGION=us-east-1
	DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
	DOCKER_USER=AWS
	DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} \| cut -d' ' -f6`
	kubectl delete secret aws-registry \|\| true
	kubectl create secret docker-registry aws-registry \
	--docker-server=$DOCKER_REGISTRY_SERVER \
	--docker-username=$DOCKER_USER \
	--docker-password=$DOCKER_PASSWORD \
	--docker-email=no@email.local
	kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'

	---
	apiVersion: batch/v1beta1
	kind: CronJob
	metadata:
	name: ecr-cred-updater
	spec:
	schedule: "* /8 * *"
	successfulJobsHistoryLimit: 1
	failedJobsHistoryLimit: 1
	jobTemplate:
	spec:
	backoffLimit: 4
	template:
	spec:
	serviceAccountName: ecr-cred-updater
	terminationGracePeriodSeconds: 0
	restartPolicy: Never
	containers:
	- name: kubectl
	image: xynova/aws-kubectl
	command:
	- "/bin/sh"
	- "-c"
	- \|
	AWS_ACCOUNT=YOUR_ACCOUNT_NUMBER_HERE
	export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
	export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
	export AWS_REGION=us-east-1
	DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
	DOCKER_USER=AWS
	DOCKER_PASSWORD=`aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} \| cut -d' ' -f6`
	kubectl delete secret aws-registry \|\| true
	kubectl create secret docker-registry aws-registry \
	--docker-server=$DOCKER_REGISTRY_SERVER \
	--docker-username=$DOCKER_USER \
	--docker-password=$DOCKER_PASSWORD \
	--docker-email=no@email.local
	kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'