Skip to content

rh-mobb/ecr-secret-operator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits

api/v1alpha1

api/v1alpha1

 
 

bundle

bundle

 
 

config

config

 
 

controllers

controllers

 
 

docs

docs

 
 

ecr

ecr

 
 

hack

hack

 
 

samples

samples

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

Makefile

Makefile

 
 

PROJECT

PROJECT

 
 

Readme.md

Readme.md

 
 

bundle.Dockerfile

bundle.Dockerfile

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

ECR Secret Operator

Amazon Elastic Container Registry Private Registry Authentication provides a temporary authorization token valid only for 12 hours. This operator refreshes automatically the Amazon ECR authorization token before it expires, reducing the overhead in managing the authentication flow.

This operator contains two Custom Resources which directs the operator to generate/refresh Amazon ECR authorization token in a timely manner:

How to use this operator

Prerequisites

Install the operator

oc new-project ecr-secret-operator
operator-sdk run bundle quay.io/mobb/ecr-secret-operator-bundle:v0.4.0

Installed Operator

Create the ECR Secret Image Pull CRD

cat << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: Secret
metadata:
  name: ecr-secret
  namespace: test-ecr-secret-operator
spec:
  generated_secret_name: ecr-docker-secret
  ecr_registry: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
  frequency: 10h
  region: us-east-2
oc create -f samples/ecr_v1alpha1_secret.yaml

A Docker registry secret is created by the operator temporarily and the token is patched every 10 hours

oc get secret ecr-docker-secret   
NAME                TYPE                             DATA   AGE
ecr-docker-secret   kubernetes.io/dockerconfigjson   1      16h

A sample build process with generated secret

Link the secret to builder

oc secrets link builder ecr-docker-secret

Configure build config to point to your Amazon ECR Container repository

oc create imagestream ruby
oc tag openshift/ruby:2.5-ubi8 ruby:2.5
oc create -f samples/build-config.yaml
oc start-build ruby-sample-build --wait

The build should succeed and push the image to the the private Amazon ECR Container repository

Success Build

Create the ECR Secret Argo CD Helm Repo CRD

  • Argo CD installed
  • Helm chart stored in ecr
  • aws ecr set-repository-policy --repository-name helm-test-chart --policy-text file:///tmp/repo_policy.json
export ACCOUNT_AWS_ID=
cat << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: ArgoHelmRepoSecret
metadata:
  name: helm-repo
  namespace: openshift-gitops
spec:
  generated_secret_name: ecr-argo-helm-secret
  url: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
  frequency: 10h
  region: us-east-2
EOF
cat << EOF | oc apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: test
spec:
  destination:
    namespace: test-ecr-secret-operator
    server: 'https://kubernetes.default.svc'
  source:
    repoURL: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
    targetRevision: 0.1.0
    chart: helm-test-chart
  project: default
EOF

The ArgoCD application should sync with ECR helm chart successfully

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

5 watching

Forks

3 forks
Report repository

Releases

8 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages