Skip to content

Instantly share code, notes, and snippets.

@tuantranf

tuantranf/create-aws-ecr-authentication-cronjob.md

Created September 16, 2019 03:22
Show Gist options
  • Star 9 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save tuantranf/ce0eda0262f5a9e3cd0ce8538c7d9fe9 to your computer and use it in GitHub Desktop.
Save tuantranf/ce0eda0262f5a9e3cd0ce8538c7d9fe9 to your computer and use it in GitHub Desktop.
Download ZIP
A Kubernetes cronjob to refresh ECR authentication
Raw
create-aws-ecr-authentication-cronjob.md

A Kubernetes cronjob to refresh ECR authentication

Create AWS secret

kubectl create secret generic aws-secret --from-literal=AWS_ACCOUNT= --from-literal=AWS_ACCESS_KEY_ID= --from-literal=AWS_SECRET_ACCESS_KEY= --from-literal=AWS_DEFAULT_REGION= --from-literal=AWS_REGION=

Create cronjob

#aws-registry-credential-cron.yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: aws-registry-credential-cron
spec:
  schedule: "* */8 * * *"
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2  
  jobTemplate:
    spec:
      backoffLimit: 4
      template:
        spec:
          serviceAccountName: default
          terminationGracePeriodSeconds: 0
          restartPolicy: Never
          containers:
          - name: kubectl
            imagePullPolicy: IfNotPresent
            image: xynova/aws-kubectl:latest
            envFrom:
            - secretRef:
                name: aws-secret
            command:
            - "/bin/sh"
            - "-c"
            - |
              DOCKER_REGISTRY_SERVER=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
              DOCKER_USER=AWS
              DOCKER_PASSWORD=$(aws ecr get-login --region ${AWS_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6)
              kubectl delete secret aws-registry || true
              kubectl create secret docker-registry aws-registry \
              --docker-server=$DOCKER_REGISTRY_SERVER \
              --docker-username=$DOCKER_USER \
              --docker-password=$DOCKER_PASSWORD \
              --docker-email=no@email.local
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"aws-registry"}]}'

Run

kubectl create -f aws-registry-credential-cron.yaml

# trigger the first run
kubectl create job --from=cronjob/aws-registry-credential-cron aws-registry-credential-cron-manual-001
kubectl logs job/aws-registry-credential-cron-manual-001
secret "aws-registry" deleted
secret "aws-registry" created
serviceaccount "default" not patched
@joshua-davis1
Copy link

I'm working on using this with microk8s at the moment. I don't see any reason why this would work with local kubernetes. In fact, I don't think you would need this with EKS because you can just add the policy to you EKS role.

@DavidPerezIngeniero
Copy link

I've had to update to AWS cli v2 instead of v1 in order to get it to work.

@evgenyfadeev
Copy link

Isn't there an issue that for a moment you don't have the secret? Instead of deleting maybe there is a way to update the secret in place?

@tuantranf
Copy link
Author

@evgenyfadeev yes. It may have been an issue for a moment we deleted the select. We can call the kubectl edit secret command to update a secret, instead of removing it.

@tuantranf
Copy link
Author

I've had to update to AWS cli v2 instead of v1 in order to get it to work.

@DavidPerezIngeniero Thank you for sharing.
I created this gist a long time ago when I need to work with an on-premise Kubernetes cluster using AWS ECR. So maybe there are some outdated information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment