ecr-k8s-secret-creator

module

v0.0.0-...-b46b529 Latest Latest Go to latest Published: Jan 13, 2024 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dispatchitinc/ecr-k8s-secret-creator

Links

Open Source Insights

README ¶

ECR K8S Secret Creator

This application refreshes the ECR tokens that expire every 12 hours. EKS has this capability built into the IAM roles, but when running outside of EKS you'll need to manage this functionality yourself with an instance profile. There are many solutions for this like including a cron job and a third-party aws-kubectl image, but this solution worked best for us because:

Uses a distroless container
Deploy your own container (don't trust unvetted 3rd party images)
Easier to manage logs
Version lock your docker containers (not using latest)
Uses roles/creds/etc. to generate the secret
Helm chart for installation
Deploy the secret to multiple namespaces
SBOM generated for every version

This application creates a docker config.json (as a Kubernetes secret) that can authenticate docker clients to Amazon ECR. It is using the ECR GetAuthorizationToken API to fetch the token from a specific AWS region.

Installation

You can add the helm chart below with a custom values.yaml file to override your specific settings.

helm repo add dispatch-secret-creator https://dispatchitinc.github.io/ecr-k8s-secret-creator/
helm install ecr-k8s-secret-creator dispatch-secret-creator/ecr-k8s-secret-creator

IAM Policy

You will need to set up an IAM policy that is attached to an AWS EC2 IAM Role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}

aws iam create-policy \
  --policy-name ${GET_ECR_AUTH_IAM_POLICY} \
  --policy-document file://iam-policy.json \
  --description "A policy that can get ECR authorization token"

IAM Role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${AWS_PROFILE}:role/${IAM_K8S_NODE_ROLE}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

aws iam create-role \
  --role-name ${GET_ECR_AUTH_IAM_ROLE} \
  --assume-role-policy-document file://ec2-iam-trust.json

Attaching the Policy

aws iam attach-role-policy \
  --role-name ${GET_ECR_AUTH_IAM_ROLE} \
  --policy-arn arn:aws:iam::${AWS_PROFILE}:policy/${GET_ECR_AUTH_IAM_POLICY}

Contributors

A special thanks to @bzon for the initial thoughts.

Directories ¶

Path	Synopsis
cmd
ecr-k8s-secret-creator
internal
authtoken
config
docker
k8s
logger

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL