Amazon Elastic Container Registry (ECR) private registry authentication uses a temporary authorization token that is valid for only 12 hours. This operator refreshes the Amazon ECR authorization token automatically before it expires, so you do not have to manage the re-authentication flow yourself.
This operator provides two Custom Resources, both in the `ecr.mobb.redhat.com/v1alpha1` API group, that direct it to generate and refresh an Amazon ECR authorization token on a schedule:

- `Secret`: keeps a `kubernetes.io/dockerconfigjson` registry secret in the target namespace up to date, for pushing and pulling images
- `ArgoHelmRepoSecret`: keeps an Argo CD repository secret up to date, for Helm charts stored in ECR

Prerequisites:

- An Amazon ECR private repository
- An OpenShift cluster
- An AWS authentication method configured for the operator (two options are supported)
- The Operator SDK CLI installed (used below to run the operator bundle)
Install the operator into its own project from the published bundle:

```shell
oc new-project ecr-secret-operator
operator-sdk run bundle quay.io/mobb/ecr-secret-operator-bundle:v0.4.0
```
Create a `Secret` custom resource in the namespace where the generated registry secret is needed (here `test-ecr-secret-operator`, which must already exist), with `AWS_ACCOUNT_ID` exported in your shell. `frequency` is how often the operator refreshes the token and must be shorter than the 12-hour token lifetime; `ecr_registry` must be the private registry host for the same `region`:

```shell
cat << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: Secret
metadata:
  name: ecr-secret
  namespace: test-ecr-secret-operator
spec:
  generated_secret_name: ecr-docker-secret
  ecr_registry: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
  frequency: 10h
  region: us-east-2
EOF
```

The same manifest is available as a sample in the repository:

```shell
oc create -f samples/ecr_v1alpha1_secret.yaml
```
The operator creates the `kubernetes.io/dockerconfigjson` secret named in `generated_secret_name` and patches a fresh token into it every 10 hours (the configured `frequency`), so the credential never reaches its 12-hour expiry. Check for it in the same namespace as the custom resource; an AGE beyond 12 hours is expected, because the secret object is kept and only its data is patched:

```shell
oc get secret ecr-docker-secret
```

```
NAME                TYPE                             DATA   AGE
ecr-docker-secret   kubernetes.io/dockerconfigjson   1      16h
```
Link the secret to the `builder` service account so that builds in this project can push to the registry:

```shell
oc secrets link builder ecr-docker-secret
```

Configure a build config whose output points to your Amazon ECR container repository, then run a build:

```shell
oc create imagestream ruby
oc tag openshift/ruby:2.5-ubi8 ruby:2.5
oc create -f samples/build-config.yaml
oc start-build ruby-sample-build --wait
```

The build should succeed and push the image to the private Amazon ECR container repository.
The `ArgoHelmRepoSecret` resource does the same for Argo CD, so that a Helm chart stored in ECR can be used as an application source. Prerequisites:

- Argo CD installed
- A Helm chart stored in ECR

Apply the repository policy you need to the chart repository (the policy document referenced here is not reproduced on this page), and export your 12-digit AWS account ID under the same variable name the manifests reference:

```shell
aws ecr set-repository-policy --repository-name helm-test-chart --policy-text file:///tmp/repo_policy.json
export AWS_ACCOUNT_ID=
```
Create the `ArgoHelmRepoSecret` in the namespace where Argo CD runs (`openshift-gitops` for the OpenShift GitOps operator), because Argo CD only reads repository secrets from its own namespace. As with `Secret`, `frequency` must be shorter than 12 hours and `url` must be the registry host for the given `region`:

```shell
cat << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: ArgoHelmRepoSecret
metadata:
  name: helm-repo
  namespace: openshift-gitops
spec:
  generated_secret_name: ecr-argo-helm-secret
  url: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
  frequency: 10h
  region: us-east-2
EOF
```
Create an Argo CD `Application` whose `repoURL` is the bare registry host, exactly matching the `url` in the `ArgoHelmRepoSecret`, so that Argo CD associates the generated repository credential with it; `chart` and `targetRevision` select the chart and its version. By default Argo CD only reconciles `Application` resources in its own namespace, so it is created in `openshift-gitops` as well:

```shell
cat << EOF | oc apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: test
  namespace: openshift-gitops
spec:
  destination:
    namespace: test-ecr-secret-operator
    server: 'https://kubernetes.default.svc'
  source:
    repoURL: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
    targetRevision: 0.1.0
    chart: helm-test-chart
  project: default
EOF
```
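A pre-flight check for both custom resources above, as an added example that is not part of the ecr-secret-operator project: it validates the `Secret` and `ArgoHelmRepoSecret` spec fields before they are applied (registry host shape and agreement with `region`, `frequency` shorter than the 12-hour token lifetime, a valid generated secret name) and then inspects a `kubernetes.io/dockerconfigjson` secret of the kind the `Secret` resource produces, checking that the credential for the registry is an ECR token (ECR logins always use the literal username `AWS`). The account ID, the token value and the layout of the generated secret are constructed sample data; the assumption that `frequency` takes Go-style durations such as `10h`, `30m` or `1h30m` is mine, not the operator's documented contract.

```python
"""Pre-flight checks for ecr-secret-operator resources (added example, not project code)."""
import base64
import json
import re

# Amazon ECR authorization tokens are valid for 12 hours.
TOKEN_LIFETIME_SECONDS = 12 * 3600

# Private registry hosts look like <12-digit account id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST_RE = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")
# Secret names are checked as DNS labels (lowercase alphanumerics and '-', max 63 chars).
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_frequency(value):
    """Parse a duration like '10h', '30m' or '1h30m' into seconds.

    Assumption: the operator accepts Go-style durations; only h/m/s are handled.
    Raises ValueError on anything else so a typo cannot silently pass.
    """
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError("unrecognised frequency: %r" % (value,))
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def validate_spec(spec):
    """Return the problems found in a Secret or ArgoHelmRepoSecret spec.

    `Secret` names the registry in `ecr_registry`, `ArgoHelmRepoSecret` in `url`;
    everything else is checked the same way. An empty list means the spec passed.
    """
    problems = []
    registry = spec.get("ecr_registry") or spec.get("url") or ""
    match = ECR_HOST_RE.match(registry)
    if not match:
        problems.append("registry %r is not an ECR private registry host" % (registry,))
    elif match.group(2) != spec.get("region"):
        problems.append("registry region %r does not match spec.region %r"
                        % (match.group(2), spec.get("region")))
    try:
        if parse_frequency(spec.get("frequency", "")) >= TOKEN_LIFETIME_SECONDS:
            problems.append("frequency %r is not shorter than the 12h token lifetime"
                            % (spec["frequency"],))
    except ValueError as exc:
        problems.append(str(exc))
    name = spec.get("generated_secret_name", "")
    if not DNS_LABEL_RE.match(name):
        problems.append("generated_secret_name %r is not a valid DNS label" % (name,))
    return problems


def check_dockerconfig_secret(secret, registry):
    """Check a kubernetes.io/dockerconfigjson Secret (as in `oc get secret -o json`)
    carries an ECR credential for `registry`; return the username on success.

    ECR logins use the literal username 'AWS' with the token as the password,
    so anything else means the secret was not produced from an ECR token.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("unexpected secret type %r" % (secret.get("type"),))
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    auths = config.get("auths", {})
    if registry not in auths:
        raise ValueError("no credential for %s, only for %s" % (registry, sorted(auths)))
    user, _, token = base64.b64decode(auths[registry]["auth"]).decode().partition(":")
    if user != "AWS" or not token:
        raise ValueError("credential for %s is not an ECR token" % (registry,))
    return user


def make_dockerconfig_secret(registry, token):
    """Build a constructed sample secret shaped like the operator's output (assumption)."""
    auth = base64.b64encode(("AWS:" + token).encode()).decode()
    config = json.dumps({"auths": {registry: {"auth": auth}}}).encode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(config).decode()}}


# Constructed samples: the two specs from the README with a placeholder account id.
REGISTRY = "123456789012.dkr.ecr.us-east-2.amazonaws.com"
SECRET_SPEC = {"generated_secret_name": "ecr-docker-secret", "ecr_registry": REGISTRY,
               "frequency": "10h", "region": "us-east-2"}
ARGO_SPEC = {"generated_secret_name": "ecr-argo-helm-secret", "url": REGISTRY,
             "frequency": "10h", "region": "us-east-2"}

if __name__ == "__main__":
    for spec in (SECRET_SPEC, ARGO_SPEC):
        print(validate_spec(spec) or "spec ok")
    # A refresh interval at or above the token lifetime and a region mismatch are both caught.
    print(validate_spec(dict(SECRET_SPEC, frequency="12h", region="us-east-1")))
    sample = make_dockerconfig_secret(REGISTRY, "constructed-fake-token")
    print(check_dockerconfig_secret(sample, REGISTRY))
```

To run the secret check against a live cluster, load the output of `oc get secret ecr-docker-secret -o json` with `json.load` and pass it to `check_dockerconfig_secret` together with your registry host; the spec checks take the `spec` mapping of the manifest you are about to apply.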