Allow for Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets
.
- The tool runs as a pod in the
kube-system
namespace.
- It gets credentials from AWS ECR or Google Container Registry
- Next it creates a secret with credentials for your registry
- Then it sets up this secret to be used in the
ImagePullSecrets
for the default service account - Whenever a pod is created, this secret is attached to the pod
- The container will refresh the credentials by default every 60 minutes
- Enabled for use with Minikube as an addon
NOTE: This will setup credentials across ALL namespaces!
The following parameters are driven via Environment variables.
- Environment Variables:
- AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS.
- awsaccount: AWS Account Id.
- awsregion: (optional) Can override the default AWS region by setting this variable.
Note: The region can also be specified as an arg to the binary.
-
Clone the repo and navigate to directory
-
Configure
-
If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:
{ "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:BatchGetImage" ], "Resource": "*" }
-
If you are not running in AWS Cloud, then you can still use this tool! Edit & create the sample secret and update values for
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,aws-account
, andaws-region
(base64 encoded).echo -n "secret-key" | base64 kubectl create -f k8s/secret.yaml
-
-
Create the replication controller.
kubectl create -f k8s/replicationController.yaml
NOTE: If running on premise, no need to provide
AWS_ACCESS_KEY_ID
orAWS_SECRET_ACCESS_KEY
since that will come from the EC2 instance. -
Use
awsecr-cred
for name ofimagePullSecrets
on yourdeployment.yaml
file.
-
Clone the repo and navigate to directory
-
Input your
application_default_credentials.json
information into thesecret.yaml
template located here: The value forapplication_default_credentials.json
can be obtained with the following command:base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json
-
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
-
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
-
Clone the repo and navigate to directory
-
Edit the sample secret and update values for
DOCKER_PRIVATE_REGISTRY_SERVER
,DOCKER_PRIVATE_REGISTRY_USER
, andDOCKER_PRIVATE_REGISTRY_PASSWORD
(base64 encoded).echo -n "secret-key" | base64
-
Create the secret in kubernetes
kubectl create -f k8s/secret.yml
-
Create the replication controller:
kubectl create -f k8s/replicationController.yaml
If you want to hack on this project:
- Clone the repo
- Build:
make build
- Test:
make test
- Run on your machine:
go run ./main.go --kubecfg-file=<pathToKubecfgFile>
Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/