The following was tested on a test k3s cluster deployed using multipass
A directory called runtime
is also now in the .gitignore
, and it is therefore a "safe place" to temporarily store sensitive information (credentials).
Also check out the blog post discussing the various use cases and other little bits of info that may also be important.
- Clone this repo
cd
into the cloned repo- Now run:
mkdir runtime
cp -vf templates/* runtime/
cd runtime/
From here the runtime/
directory is assumed to be the current working directory.
Secret values must be base64 encoded. Assuming the AWS credentials is in the environment variables $AWS_ACCESS_KEY_ID
and $AWS_SECRET_ACCESS_KEY
run the following to obtain the base64 values:
echo -n "$AWS_ACCESS_KEY_ID" | base64 -
echo -n "$AWS_SECRET_ACCESS_KEY" | base64 -
Update the the file aws-secrets.yml
with the base64 values for aws-access-key-id
and aws-secret-access-key
In the file ecr-cron.yml
endit the environment variables to suite your environment.
Remember to also add the namespaces that will require the ECR credentials.
The following was tested with the namespace infrastructure
- any namespace will do.
kubectl apply -f aws-secrets.yml -n infrastructure
kubectl apply -f aws-role.yml -n infrastructure
kubectl apply -f ecr-cron.yml -n infrastructure
To test that the secret key was correctly set:
echo "-->"`kubectl get secret aws-secrets -o jsonpath="{.data.aws-secret-access-key}" -n infrastructure | base64 -d`"<--"
Note: Ensure no newline is present with the output.
The following command will run the job:
kubectl create job --from=cronjob.batch/aws-registry-credential-cron aws-registry-credential-cron-001 -n infrastructure
To test if the job was successful, the following commands could aid:
kubectl get pods -n infrastructure
kubectl logs pod/aws-registry-credential-cron-XXXXXXXX--X-XXXXX -n infrastructure
kubectl describe secret aws-registry -n infrastructure
To get the full ECR config:
kubectl get secret aws-registry -o jsonpath="{.data}" -n infrastructure
Note: The value in .dockerconfigjson
is also base64 encoded. Decode with: echo "__THE_VALUE__" | base64 -d
The Docker Image contains the aws-cli and kubectl. It is used to update the AWS ECR credentials periodically in a kubernetes cluster.
You need to set your credentials in the aws-secrets.yml. Also you need to set your AWS_ACCOUNT, AWS_REGION and NAMESPACES in ecr-cron.yml.
Afterwords run: aws.sh
Afterwords you should be able to see the cron job with: kubectl get cronjobs -n infrastructure
This is based on the work of @xynova.