From ad90d37f146fe95a6a5373a95569a342a48b6c91 Mon Sep 17 00:00:00 2001
From: Aurel Canciu
Date: Wed, 6 Jan 2021 17:43:29 +0200
Subject: [PATCH] Add documentation for ECR authentication
Document a workaround solution for users to rely on until native image repository authentication is implemented for supported cloud providers.
Signed-off-by: Aurel Canciu
---
 docs/guides/image-update.md | 142 ++++++++++++++++++++++++++++++++++++
 1 file changed, 142 insertions(+)
diff --git a/docs/guides/image-update.md b/docs/guides/image-update.md
index 27d6ee17..54540652 100644
--- a/docs/guides/image-update.md
+++ b/docs/guides/image-update.md
@@ -358,3 +358,145 @@ images:
 newName: ghcr.io/stefanprodan/podinfo
 newTag: 5.0.0 # {"$imagepolicy": "flux-system:podinfo:tag"}
 ```
+
+## ImageRepository cloud providers authentication
+
+If relying on a cloud provider image repository, you might need to do some extra
+work in order to configure the ImageRepository resource credentials. Here are
+some common examples for the most popular cloud provider docker registries.
+
+!!! warning "Workarounds"
+ The examples below are intended as workaround solutions until native
+ authentication mechanisms are implemented in Flux itself to support this in
+ a more straightforward manner.
+
+### AWS Elastic Container Registry
+
+The registry authentication credentials for ECR expire every 12 hours.
+Considering this limitation, one needs to ensure the credentials are being
+refreshed before expiration so that the controller can rely on them for
+authentication.
+
+The solution proposed is to create a cronjob that runs every 6 hours which would
+re-create the `docker-registry` secret using a new token.
+
+Edit and save the following snippet to a file
+`./clusters/my-cluster/ecr-sync.yaml`, commit and push it to git.
+
+```yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ecr-credentials-sync
+ namespace: flux-system
+rules:
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - delete
+ - create
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ecr-credentials-sync
+ namespace: flux-system
+subjects:
+- kind: ServiceAccount
+ name: ecr-credentials-sync
+roleRef:
+ kind: Role
+ name: ecr-credentials-sync
+ apiGroup: ""
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ecr-credentials-sync
+ # Uncomment and edit if using IRSA
+ # annotations:
+ # eks.amazonaws.com/role-arn:
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: ecr-credentials-sync
+ namespace: flux-system
+spec:
+ suspend: false
+ schedule: 0 */6 * * *
+ failedJobsHistoryLimit: 1
+ successfulJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ serviceAccountName: ecr-credentials-sync
+ restartPolicy: Never
+ volumes:
+ - name: token
+ emptyDir:
+ medium: Memory
+ initContainers:
+ - image: amazon/aws-cli
+ name: get-token
+ imagePullPolicy: IfNotPresent
+ # You will need to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables if not using
+ # IRSA. It is recommended to store the values in a Secret and load them in the container using envFrom.
+ # envFrom:
+ # - secretRef:
+ # name: aws-credentials
+ env:
+ - name: REGION
+ value: us-east-1 # change this if ECR repo is in a different region
+ volumeMounts:
+ - mountPath: /token
+ name: token
+ command:
+ - /bin/sh
+ - -ce
+ - aws ecr get-login-password --region ${REGION} > /token/ecr-token
+ containers:
+ - image: bitnami/kubectl
+ name: create-secret
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: SECRET_NAME
+ value: # this is the generated Secret name
+ - name:
+ value: .dkr.ecr..amazonaws.com # fill in the account id and region
+ volumeMounts:
+ - mountPath: /token
+ name: token
+ command:
+ - /bin/bash
+ - -ce
+ - |-
+ kubectl delete secret --ignore-not-found $SECRET_NAME
+ kubectl create secret docker-registry $SECRET_NAME \
+ --docker-server="$ECR_REGISTRY" \
+ --docker-username=AWS \
+ --docker-password="$(