Allow for registry credentials to be refreshed inside your Kubernetes cluster via `ImagePullSecrets`.
- The tool runs as a pod in the `kube-system` namespace.
- It gets credentials from AWS ECR, Google Container Registry, Docker private registry, or Azure Container Registry.
- Next it creates a secret with credentials for your registry.
- Then it sets up this secret to be used in the `ImagePullSecrets` for the default service account.
- Whenever a pod is created, this secret is attached to the pod.
- The container will refresh the credentials by default every 60 minutes.
- Enabled for use with Minikube as an addon.

NOTE: This will set up credentials across ALL namespaces!
The following parameters are driven via environment variables:

- `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`: Credentials to access AWS.
- `awsaccount`: Comma-separated list of AWS account IDs.
- `awsregion`: (optional) Can override the default AWS region by setting this variable. Note: the region can also be specified as an arg to the binary.
- `aws-assume-role`: (optional) Can provide a role ARN that will be assumed for getting ECR authorization tokens.
- `TOKEN_RETRY_TYPE`: The type of timer to use when getting a registry token fails and must be retried; "simple" or "exponential" (default: simple).
- `TOKEN_RETRIES`: The number of times to retry getting a registry token if an error occurred (default: 3).
- `TOKEN_RETRY_DELAY`: The number of seconds to delay between successive retries at getting a registry token; applies to the "simple" retry timer only (default: 5).
- `GCRURL`: URL to Google Container Registry.
- `DOCKER_PRIVATE_REGISTRY_SERVER`, `DOCKER_PRIVATE_REGISTRY_USER`, `DOCKER_PRIVATE_REGISTRY_PASSWORD`: the URL, user name, and password for a Docker private registry.
- `ACR_URL`, `ACR_CLIENT_ID`, `ACR_PASSWORD`: the registry URL, client ID, and password to access an Azure Container Registry.
Setup for AWS ECR:

- Clone the repo and navigate to the directory.
- Configure:
  - If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:

    ```json
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
    ```

  - If you are not running in AWS Cloud, then you can still use this tool! Edit the secret and update values for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `aws-account`, and `aws-region`.

    NOTE: If running inside EC2, there is no need to provide `AWS_ACCESS_KEY_ID` or `AWS_SECRET_ACCESS_KEY`, since those will come from the instance profile.

    IMPORTANT: Make sure to use the `-n` flag if using `echo` to generate the base64, as otherwise the trailing newline control character will cause the program to error:

    ```
    echo -n "secret-key" | base64
    ```

- Run the following in the k8s directory:

  ```
  kubectl apply -f .
  ```

- Use `awsecr-cred` as the name of the `imagePullSecrets` entry in your `deployment.yaml` file.
Setup for Google Container Registry (GCR):

- Clone the repo and navigate to the directory.
- Input your `application_default_credentials.json` information into the `secret.yaml` template. The value for `application_default_credentials.json` can be obtained with the following command:

  ```
  base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json
  ```

- Run the following in the k8s directory:

  ```
  kubectl apply -f .
  ```
Setup for a Docker private registry:

- Clone the repo and navigate to the directory.
- Edit the sample secret and update values for `DOCKER_PRIVATE_REGISTRY_SERVER`, `DOCKER_PRIVATE_REGISTRY_USER`, and `DOCKER_PRIVATE_REGISTRY_PASSWORD` (base64 encoded):

  ```
  echo -n "secret-key" | base64
  ```

- Run the following in the k8s directory:

  ```
  kubectl apply -f .
  ```
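The `echo -n` caveat above and the sample-secret editing step apply to every registry type. As an added example (not part of the registry-creds project), the helpers below encode secret values without the trailing newline that plain `echo` adds, detect an already-encoded value that carries one, and render the Opaque secret for the Docker private registry mode; the secret name `registry-creds-docker` is an assumption, so match it to the project's sample `secret.yaml`.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes GNU coreutils base64/od.

# Encode a value for a Kubernetes Secret "data" field: printf instead of echo
# so no trailing newline is encoded, and tr strips the line wrap that GNU
# base64 inserts after 76 characters.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 if an already-encoded value decodes to something ending in a
# newline (0x0a), i.e. it was produced with plain `echo` and will make the
# tool error when it uses the credential.
has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Render the Opaque secret consumed by the Docker private registry mode.
# Usage: render_docker_registry_secret SERVER USER PASSWORD
render_docker_registry_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: registry-creds-docker   # assumed name; match the sample secret.yaml
  namespace: kube-system
type: Opaque
data:
  DOCKER_PRIVATE_REGISTRY_SERVER: $(encode_secret_value "$1")
  DOCKER_PRIVATE_REGISTRY_USER: $(encode_secret_value "$2")
  DOCKER_PRIVATE_REGISTRY_PASSWORD: $(encode_secret_value "$3")
EOF
}
```

Pipe the rendered manifest into `kubectl apply -f -` from the k8s directory, or run `has_trailing_newline` on each value already in your `secret.yaml` before applying it.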
Setup for Azure Container Registry (ACR):

- Create a service principal that your Kubernetes cluster will use to access the registry.
- Clone the repo and navigate to the repo root.
- Edit the sample secret and update values for `ACR_URL`, `ACR_CLIENT_ID`, and `ACR_PASSWORD` (base64 encoded). Use the service principal application ID as the client ID, and the service principal password (client secret) as the password:

  ```
  echo -n "secret-key" | base64
  ```

- Run the following in the k8s directory:

  ```
  kubectl apply -f .
  ```
If you want to hack on this project:

- Clone the repo
- Build:

  ```
  make build
  ```

- Test:

  ```
  make test
  ```

- Run on your machine:

  ```
  go run ./main.go --kubecfg-file=<pathToKubecfgFile>
  ```
Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/