Allow for AWS ECR, Google Registry, & Azure Container Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets
Allow for Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets
kube-system namespace.
ImagePullSecrets for the default service account
NOTE: This will set up credentials across ALL namespaces!
The following parameters are driven via Environment variables.
Note: The region can also be specified as an arg to the binary.
Clone the repo and navigate to directory
Configure
If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:
{
  "Effect": "Allow",
  "Action": [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage"
  ],
  "Resource": "*"
}
If you are not running in AWS Cloud, then you can still use this tool! Edit & create the sample secret and update values for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, aws-account, and aws-region (base64 encoded).
echo -n "secret-key" | base64
kubectl create -f k8s/secret.yaml
Create the replication controller.
kubectl create -f k8s/replicationController.yaml
NOTE: If running on premise, no need to provide AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY since that will come from the EC2 instance.
Use awsecr-cred for name of imagePullSecrets on your deployment.yaml file.
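The base64 step above fails quietly when the -n is dropped from echo, because the trailing newline becomes part of the stored credential. The script below is an added example, not part of this project: it lints the key/value lines of a secret's data block before kubectl create. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): lint base64 secret values before `kubectl create`.
NL='
'
CR=$(printf '\r')

# b64_encode VALUE: encode the exact bytes on one line. printf '%s' is the
# portable form of `echo -n`; tr removes the wrapping base64 adds to long input.
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }

# b64_lint ENCODED: print a verdict; return 0 only for a clean single-line value.
b64_lint() {
    # The trailing 'x' keeps $(...) from silently dropping a decoded newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf 'x') || {
        echo "invalid-base64"; return 1; }
    decoded=${decoded%x}
    case "$decoded" in
        "")               echo "empty"; return 1 ;;
        *"$NL"*|*"$CR"*)  echo "contains-newline"; return 1 ;;
        " "*|*" ")        echo "edge-whitespace"; return 1 ;;
    esac
    echo "ok"
}

# lint_secret_data: read "key: value" lines (the data block of a Secret
# manifest) on stdin, lint every value, return non-zero if any value fails.
lint_secret_data() {
    rc=0
    while IFS=': ' read -r key value; do
        [ -n "$key" ] || continue
        verdict=$(b64_lint "$value") || rc=1
        echo "$key: $verdict"    # report the verdict, never the decoded secret
    done
    return $rc
}

# Constructed sample: the second value was made with `echo` instead of `echo -n`.
SAMPLE_DATA="AWS_ACCESS_KEY_ID: $(b64_encode 'EXAMPLEKEYID')
AWS_SECRET_ACCESS_KEY: $(echo 'secret-key' | base64)
aws-region: $(b64_encode 'us-east-1')"

printf '%s\n' "$SAMPLE_DATA" | lint_secret_data ||
    echo "fix the flagged values before running kubectl create"
```

The lint targets single-line values such as keys, account IDs and passwords; a multi-line file like application_default_credentials.json legitimately contains newlines and would be flagged.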
Clone the repo and navigate to directory
Input your application_default_credentials.json information into the secret.yaml template located here:
The value for application_default_credentials.json can be obtained with the following command:
base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
Clone the repo and navigate to directory
Edit the sample secret and update values for DOCKER_PRIVATE_REGISTRY_SERVER, DOCKER_PRIVATE_REGISTRY_USER, and DOCKER_PRIVATE_REGISTRY_PASSWORD (base64 encoded).
echo -n "secret-key" | base64
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
Create a service principal that your Kubernetes cluster will use to access the registry.
Clone the repo and navigate to the repo root
Edit the sample secret and update values for ACR_URL, ACR_CLIENT_ID, and ACR_PASSWORD (base64 encoded). Use service principal application ID as the client ID, and service principal password (client secret) as the password.
echo -n "secret-key" | base64
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
If you want to hack on this project:
make build
make test
go run ./main.go --kubecfg-file=<pathToKubecfgFile>
Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/