aws-ecr-image-pull-secret-controller

command module

v1.1.0 Latest Latest Go to latest Published: Oct 9, 2021 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/supercaracal/aws-ecr-image-pull-secret-controller

Links

Open Source Insights

README ¶

AWS ECR image pull secret controller

This controller has a feature to renew image-pull secrets for AWS ECR. Since docker login for AWS ECR expires at 12 hours later, the controller is needed for non EKS.

Controller's action

This controller checks all image pull secrets every 10 second. The controller acts as the followings.

image pull secret	expiration	action
not exists		creates a new image pull secret
exists	valid	does nothing
exists	expired	deletes old image pull secret and creates new one

Running controller on local host

$ kind create cluster
$ make apply-manifests
$ make build
$ make run

Running controller in cluster

$ kind create cluster
$ make apply-manifests
$ make build-image
$ make port-forward &
$ make push-image

Usage

apiVersion: v1
kind: Secret
metadata:
  name: example-login-secret
  labels:
    supercaracal.example.com/used-by: "aws-ecr-image-pull-secret-controller"
  annotations:
    supercaracal.example.com/aws-ecr-image-pull-secret.name: "example-image-pull-secret"
    supercaracal.example.com/aws-ecr-image-pull-secret.email: "foobar@example.com"
    supercaracal.example.com/aws-ecr-image-pull-secret.aws_account_id: "000000000000"
    supercaracal.example.com/aws-ecr-image-pull-secret.aws_region: "ap-northeast-1"
type: Opaque
data:
  AWS_ACCESS_KEY_ID: "**********base64 encoded text**********"
  AWS_SECRET_ACCESS_KEY: "**********base64 encoded text**********"

$ cp config/example-secret.yaml config/secret.yaml
$ vi config/secret.yaml
$ kubectl --context=kind-kind apply -f config/secret.yaml

$ kubectl --context=kind-kind get secrets
NAME                        TYPE                                  DATA   AGE
controller-token-8bmfl      kubernetes.io/service-account-token   3      37m
default-token-s4wsj         kubernetes.io/service-account-token   3      39m
example-image-pull-secret   kubernetes.io/dockerconfigjson        1      10m
example-login-secret        Opaque                                2      33m

$ kubectl --context=kind-kind get secrets example-image-pull-secret -o json | jq -r .data.'".dockerconfigjson"' | base64 -d | jq .
{
  "auths": {
    "https://000000000000.dkr.ecr.ap-northeast-1.amazonaws.com": {
      "username": "AWS",
      "password": "*****************************************",
      "email": "foo@example.com",
      "auth": "*****************************************"
    }
  }
}