@vxst
Created April 14, 2021 05:26
Auto renew AWS ECR regcred using IAM access key
```yaml
# Create a secret in the target namespace:
# aws-regcred-iam:
#   account-id:    string, your account id, like 1231XXXXXXXX
#   access-key-id: string, your aws access key id
#   access-key:    string, your aws access key
#   region:        string, the region of the ECR repo, like ap-northeast-1
# Apply this YAML to your target namespace, trigger it.
# The regcred is saved to aws-regcred secret in the target namespace.
# The IAM key needs ecr:GetAuthorizationToken (used by `aws ecr get-login-password`)
# plus read access on the repositories the cluster pulls from.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: repo-secret-crud
rules:
  # Secrets live in the core API group (""); granting "*" is wider than needed.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "delete"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: repo-secret-crud-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: repo-secret-crud
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: repo-secret-crud
subjects:
  - kind: ServiceAccount
    name: repo-secret-crud-sa
    # namespace defaults to the RoleBinding's own namespace when omitted
---
# batch/v1beta1 matches the kubectl 1.19 downloaded below; use batch/v1 on
# Kubernetes 1.21+ (v1beta1 was removed in 1.25).
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: aws-registry-credential-cron
spec:
  # ECR authorization tokens expire after 12 hours; renewing every 4 hours
  # keeps the secret valid even if a single run fails.
  schedule: "0 */4 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: repo-secret-crud-sa
          restartPolicy: Never
          containers:
            - name: awscli
              image: amazon/aws-cli:latest
              env:
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: aws-regcred-iam
                      key: access-key-id
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: aws-regcred-iam
                      key: access-key
                - name: AWS_DEFAULT_REGION
                  valueFrom:
                    secretKeyRef:
                      name: aws-regcred-iam
                      key: region
                - name: AWS_ACCOUNT
                  valueFrom:
                    secretKeyRef:
                      name: aws-regcred-iam
                      key: account-id
              command:
                - /bin/bash
                - "-c"
                # A literal block (|) keeps the line breaks. A folded block (>)
                # would join these commands into a single line and break them.
                - |
                  set -euo pipefail
                  curl -sSf -o /usr/local/bin/kubectl \
                    https://amazon-eks.s3.us-west-2.amazonaws.com/1.19.6/2021-01-05/bin/linux/amd64/kubectl
                  chmod +x /usr/local/bin/kubectl
                  # Delete and recreate so the secret's creationTimestamp records
                  # the last renewal. Note the brief window with no secret between
                  # the two commands.
                  kubectl delete secret aws-regcred || true
                  kubectl create secret docker-registry aws-regcred \
                    --docker-server="https://${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" \
                    --docker-username=AWS \
                    --docker-password="$(aws ecr get-login-password)" \
                    --docker-email=aws@cluster.local
```
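Once the CronJob is running, the operational question is whether the `aws-regcred` it writes is actually usable: does it point at the right ECR registry, and is it younger than the 12-hour lifetime of an ECR authorization token (the job renews every 4 hours, so anything older than that means a run was missed)? The following check script is an added example, not part of the gist; it takes a Secret in the shape `kubectl get secret aws-regcred -o json` returns, and the sample secret, account id, region and token in it are constructed values. The function names (`check_regcred`, `make_sample_secret`, `run_checks`) are this example's own.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

ECR_TOKEN_LIFETIME = timedelta(hours=12)  # ECR authorization tokens expire after 12 hours
CRON_INTERVAL = timedelta(hours=4)        # the gist's schedule is "0 */4 * * *"


def ecr_server(account_id: str, region: str) -> str:
    """Registry URL in the same form the CronJob passes to --docker-server."""
    return f"https://{account_id}.dkr.ecr.{region}.amazonaws.com"


def check_regcred(secret: dict, account_id: str, region: str, now: datetime) -> dict:
    """Validate a docker-registry Secret as returned by `kubectl get secret -o json`.

    'ok' is True only if the secret is of type dockerconfigjson, carries an
    AWS:<token> entry for the expected ECR registry, and is younger than the
    token lifetime. Staleness beyond one cron interval is reported as a problem
    too, since it means the renewal job has not run successfully.
    """
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("unexpected secret type")

    raw = secret.get("data", {}).get(".dockerconfigjson", "")
    try:
        cfg = json.loads(base64.b64decode(raw))
    except ValueError:  # covers bad base64 and bad JSON
        cfg = {}
        problems.append(".dockerconfigjson is not valid base64 JSON")
    auths = cfg.get("auths", {}) if isinstance(cfg, dict) else {}

    expected = ecr_server(account_id, region)
    entry = auths.get(expected)
    if entry is None:
        problems.append(f"no auth entry for {expected}; found {sorted(auths)}")
    else:
        user, _, token = base64.b64decode(entry.get("auth", "")).decode().partition(":")
        if user != "AWS" or not token:
            problems.append("auth entry is not an AWS:<token> pair")

    ts = secret.get("metadata", {}).get("creationTimestamp")
    age = None
    if ts is None:
        problems.append("secret has no creationTimestamp")
    else:
        # Kubernetes emits RFC 3339 with a trailing Z; fromisoformat wants +00:00
        created = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        age = now - created
        if age > ECR_TOKEN_LIFETIME:
            problems.append(f"secret is {age} old; the ECR token has expired")
        elif age > CRON_INTERVAL:
            problems.append(f"secret is {age} old; the renewal CronJob missed a run")

    return {
        "ok": not problems,
        "age_seconds": None if age is None else int(age.total_seconds()),
        "problems": problems,
    }


def make_sample_secret(account_id: str, region: str, token: str, created_iso: str) -> dict:
    """Constructed sample mirroring what `kubectl create secret docker-registry` stores."""
    server = ecr_server(account_id, region)
    auth = base64.b64encode(f"AWS:{token}".encode()).decode()
    cfg = {"auths": {server: {"username": "AWS", "password": token,
                               "email": "aws@cluster.local", "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": "aws-regcred", "creationTimestamp": created_iso},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


# Constructed inputs: a fake account id, region and token, and a fixed "now".
ACCOUNT, REGION = "123456789012", "ap-northeast-1"
SAMPLE_NOW = datetime(2021, 4, 14, 5, 26, tzinfo=timezone.utc)
SAMPLE_SECRET = make_sample_secret(ACCOUNT, REGION, "constructed-token", "2021-04-14T04:00:00Z")


def run_checks() -> dict:
    """Three scenarios: a fresh secret, one older than the token lifetime, and a region mismatch."""
    return {
        "fresh": check_regcred(SAMPLE_SECRET, ACCOUNT, REGION, SAMPLE_NOW),
        "expired": check_regcred(SAMPLE_SECRET, ACCOUNT, REGION, SAMPLE_NOW + ECR_TOKEN_LIFETIME),
        "wrong_region": check_regcred(SAMPLE_SECRET, ACCOUNT, "us-east-1", SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, report in run_checks().items():
        print(name, json.dumps(report))
```

Against a live cluster, feed `kubectl get secret aws-regcred -n <namespace> -o json` into `check_regcred` with `datetime.now(timezone.utc)`; a non-empty `problems` list is a good thing to alert on, because a silently failing CronJob otherwise only shows up as `ImagePullBackOff` on the next pod that needs the registry.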
vxst (Author) commented Apr 14, 2021

@lingsamuel

What is this for?

vxst (Author) commented Apr 14, 2021

https://github.com/kubernetes/minikube/tree/master/deploy/addons/registry-creds

I think a CronJob better fits the character of this use case...

@lingsamuel

😂 I didn't write that addon, I only tweaked the template

vxst (Author) commented Apr 14, 2021

😂
