Unable to create replication for ECR on harbor running under kubernetes #15007
Comments
If you don't enter an access key, it will try to use an IAM role, based on feature request #12553.
The following changes in src/pkg/reg/adapter/awsecr/auth.go (not the best) work for me (without having KIAM in my k8s cluster); note that I am trying this in a non-EC2 environment.
Is it worth getting a PR for this?
I vote yes. Leveraging IAM Roles for Service Accounts to let the AWS SDK grab temporary credentials from a cluster's OIDC provider is handy.
Related to #12888, which shouldn't have been closed.
A single role attached to the pod via environment variable may not be perfect. Since the registries are added on demand in Harbor, deriving role_arn from the registry URL (account_id, region) and a predetermined ROLE_NAME could be an option. However, I am not sure how to achieve this - crossplane-contrib/provider-aws#597
Example patch - harbor_patch.txt
Anyone going to get a PR in?
@ramukima are you going to get a PR going?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.
What can we help you?
I have Harbor v2.2.2 running on a Kubernetes cluster. I see the following error when I try to add an ECR endpoint without specifying an access key/secret -
I have added the following environment variables to the 'core' and 'jobservice' deployments -
I do not have any AWS metadata service running (e.g. KIAM) in the cluster. All IAM policies are in place in AWS for the role I am trying to use.
I tried an 'awscli' pod with similar environment variables and the aws CLI is able to talk to my ECR using the same role ARN.
I checked #13687 but no mention of what changes were done to the core/jobservice pods. Also, the setup explained in the issue uses KIAM to associate roles to pods, which is not my case.
Not sure why the awsecr adapter is trying to fetch roles from metadata despite having those environment variables set?
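The two ideas discussed in the thread, choosing the credential source when no access key is entered (static keys, else a web-identity role from the pod's environment, else the instance metadata service) and deriving a role ARN from the ECR registry URL plus a fixed role name, are shown below as an added example in Go. This is not Harbor's code and not the patch attached above; the environment variable names AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the ones IRSA injects into a pod and are assumed to be what the reporter set, while the registry URL, the role name HarborECRReplicator and the helper names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"regexp"
)

// CredSource is the credential source a registry adapter would hand to the AWS SDK.
type CredSource int

const (
	StaticKeys       CredSource = iota // access key and secret entered for the registry
	WebIdentity                        // IRSA: AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE set in the pod
	InstanceMetadata                   // instance-profile credentials via the EC2 metadata service (or KIAM)
)

func (c CredSource) String() string {
	return [...]string{"static-keys", "web-identity", "instance-metadata"}[c]
}

// ecrHost matches <account-id>.dkr.ecr[-fips].<region>.amazonaws.com[.cn].
var ecrHost = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$`)

// ParseECRRegistry extracts the account ID, region and IAM partition from an ECR
// registry URL (with or without a scheme). Non-ECR hosts are rejected.
func ParseECRRegistry(registryURL string) (account, region, partition string, err error) {
	u, err := url.Parse(registryURL)
	if err != nil {
		return "", "", "", err
	}
	host := u.Hostname()
	if host == "" {
		host = registryURL // bare hostname without a scheme
	}
	m := ecrHost.FindStringSubmatch(host)
	if m == nil {
		return "", "", "", fmt.Errorf("not an ECR registry host: %q", host)
	}
	partition = "aws"
	if m[3] != "" {
		partition = "aws-cn" // China regions live in their own ARN partition
	}
	return m[1], m[2], partition, nil
}

// RoleARNForRegistry derives arn:<partition>:iam::<account-id>:role/<roleName>,
// so one role with a predetermined name can be assumed per registry account.
func RoleARNForRegistry(registryURL, roleName string) (string, error) {
	account, _, partition, err := ParseECRRegistry(registryURL)
	if err != nil {
		return "", err
	}
	if roleName == "" {
		return "", errors.New("role name must not be empty")
	}
	return fmt.Sprintf("arn:%s:iam::%s:role/%s", partition, account, roleName), nil
}

// SelectCredSource decides where credentials come from. The env lookup is
// injected so the decision can be tested without touching the process environment.
func SelectCredSource(accessKey, accessSecret string, env func(string) string) (CredSource, error) {
	switch {
	case accessKey != "" && accessSecret != "":
		return StaticKeys, nil
	case accessKey != "" || accessSecret != "":
		return 0, errors.New("access key and secret must be set together or both left empty")
	case env("AWS_ROLE_ARN") != "" && env("AWS_WEB_IDENTITY_TOKEN_FILE") != "":
		return WebIdentity, nil // let the SDK exchange the projected token via STS
	default:
		return InstanceMetadata, nil
	}
}

func main() {
	// Constructed sample registry URL and role name, not taken from the issue.
	registry := "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"
	arn, err := RoleARNForRegistry(registry, "HarborECRReplicator")
	fmt.Println(arn, err)
	src, err := SelectCredSource("", "", os.Getenv)
	fmt.Println(src, err)
}
```

With aws-sdk-go, the WebIdentity branch needs no hand-written STS call: a session created with session.NewSession resolves AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into web-identity credentials itself, so the practical fix is to stop forcing the instance-metadata provider when no key is entered and let the SDK's default chain run. Treat the derived ARN as a hint only; the role's trust policy must still name the cluster's OIDC provider and the Harbor service account, or the AssumeRoleWithWebIdentity call will be refused.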