A Kubernetes cronjob to refresh ECR authentication

Create AWS secret

The CronJob reads its AWS credentials from a generic secret. Fill in the values before running this; the secret holds long-lived IAM keys, so scope that IAM user to ECR read access only (on EKS, IAM roles for service accounts avoid storing static keys altogether).

```shell
kubectl create secret generic aws-secret --from-literal=AWS_ACCOUNT= --from-literal=AWS_ACCESS_KEY_ID= --from-literal=AWS_SECRET_ACCESS_KEY= --from-literal=AWS_DEFAULT_REGION= --from-literal=AWS_REGION=
```

Create cronjob

The job logs in to ECR, replaces the `aws-registry` pull secret, and points the `default` service account at it.

```yaml
# aws-registry-credential-cron.yaml
apiVersion: batch/v1          # batch/v1beta1 was removed in Kubernetes 1.25
kind: CronJob
metadata:
  name: aws-registry-credential-cron
spec:
  # Every 8 hours, on the hour. ECR tokens are valid for 12 hours, so this
  # leaves a 4-hour margin. (The original "* */8 * * *" would run every
  # minute during hours 0, 8 and 16.)
  schedule: "0 */8 * * *"
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      backoffLimit: 4
      template:
        spec:
          # This service account needs RBAC permission to create/delete
          # secrets and to patch serviceaccounts in this namespace.
          serviceAccountName: default
          terminationGracePeriodSeconds: 0
          restartPolicy: Never
          containers:
          - name: kubectl
            imagePullPolicy: IfNotPresent
            image: xynova/aws-kubectl:latest
            envFrom:
            - secretRef:
                name: aws-secret
            command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
              DOCKER_USER=AWS
              # get-login-password prints the token directly (AWS CLI v2, or
              # v1 >= 1.17.10); the older "aws ecr get-login | cut -d' ' -f6"
              # was removed in AWS CLI v2.
              DOCKER_PASSWORD=$(aws ecr get-login-password --region "${AWS_REGION}")
              # Delete-then-create leaves a short window with no pull secret;
              # pulls started in that window fail until the next line runs.
              kubectl delete secret aws-registry || true
              kubectl create secret docker-registry aws-registry \
                --docker-server="$DOCKER_REGISTRY_SERVER" \
                --docker-username="$DOCKER_USER" \
                --docker-password="$DOCKER_PASSWORD" \
                --docker-email=no@email.local
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'
```
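The job runs as the `default` service account, which cannot manage secrets or service accounts unless someone has bound permissions to it. A least-privilege setup, added here as an example and not part of the original gist, is a dedicated service account with a namespaced Role scoped to exactly what the script does (the name `ecr-credential-refresher` and the `default` namespace are assumptions):

```yaml
# rbac.yaml (added example; names are assumed, adjust the namespace to match)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credential-refresher
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-credential-refresher
  namespace: default
rules:
# "create" cannot be limited by resourceNames (the name is not known at
# authorization time), so the job may create any secret in this namespace.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
# "delete" can be pinned to the one secret the script replaces.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["aws-registry"]
  verbs: ["get", "delete"]
# Only the default service account's imagePullSecrets are patched.
- apiGroups: [""]
  resources: ["serviceaccounts"]
  resourceNames: ["default"]
  verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-credential-refresher
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ecr-credential-refresher
subjects:
- kind: ServiceAccount
  name: ecr-credential-refresher
  namespace: default
```

Apply it and set `serviceAccountName: ecr-credential-refresher` in the CronJob's pod spec; without such a binding the job's `kubectl` calls fail with a Forbidden error from the API server.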

Run

Create the CronJob, then trigger a run by hand so the pull secret exists before the first scheduled execution:

```shell
kubectl create -f aws-registry-credential-cron.yaml

# trigger the first run
kubectl create job --from=cronjob/aws-registry-credential-cron aws-registry-credential-cron-manual-001
kubectl logs job/aws-registry-credential-cron-manual-001
```

Expected output:

```
secret "aws-registry" deleted
secret "aws-registry" created
serviceaccount "default" not patched
```

`not patched` means the service account already lists `aws-registry` in its `imagePullSecrets`; the patch is a no-op on every run after the first.

Repository

https://github.com/nabsul/k8s-ecr-login-renew?tab=readme-ov-file