The preparations described below are required to install Usage Engine using Helm charts and Docker images. Read through the steps below and follow each step before installing.
...
Note: The created pull secret is only valid for 12 hours! You can re-create the pull secret at any time by deleting it and creating it again. Example:

```
$ kubectl delete secret ecr-cred -n default
```
Using CronJob to sync ECR credentials as a Kubernetes secret
This is the recommended procedure to make sure the secret is always valid.
Copy the content below into a YAML file and make sure to update the namespaces and access keys.
This example updates the secret ecr-cred every 8 hours in the given namespace.
```yaml
# Role: lets the sync job read, create and patch secrets in the namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
rules:
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - create
      - patch
---
# RoleBinding: grants the Role to the job's service account
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
subjects:
  - kind: ServiceAccount
    name: ecr-credentials-sync
roleRef:
  kind: Role
  name: ecr-credentials-sync
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
spec:
  suspend: false
  # Every 8 hours, inside the 12-hour validity of the pull secret
  schedule: "0 */8 * * *"
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-credentials-sync
          restartPolicy: Never
          volumes:
            # In-memory volume that passes the token between the two containers
            - name: token
              emptyDir:
                medium: Memory
          initContainers:
            # Step 1: fetch an ECR login password and write it to /token
            - image: amazon/aws-cli
              name: get-token
              imagePullPolicy: IfNotPresent
              env:
                - name: AWS_ACCESS_KEY_ID
                  value: <access key provided by Digitalroute>
                - name: AWS_SECRET_ACCESS_KEY
                  value: <secret access key provided by Digitalroute>
                - name: REGION
                  value: eu-west-1
              volumeMounts:
                - mountPath: /token
                  name: token
              command:
                - /bin/sh
                - -ce
                - aws ecr get-login-password --region ${REGION} > /token/ecr-token
          containers:
            # Step 2: create or update the docker-registry secret from the token
            - image: bitnami/kubectl
              name: create-secret
              imagePullPolicy: IfNotPresent
              env:
                - name: SECRET_NAME
                  value: ecr-cred
              volumeMounts:
                - mountPath: /token
                  name: token
              command:
                - /bin/sh
                - -ce
                - |-
                  kubectl create secret docker-registry $SECRET_NAME \
                    --dry-run=client \
                    --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
                    --docker-username=AWS \
                    --docker-password="$(cat /token/ecr-token)" \
                    -o yaml | kubectl apply -f -
```
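The manifest above keeps the AWS access keys as literal values in the CronJob spec, where anyone who can read CronJobs in the namespace can see them, and its Role covers every secret in the namespace. The following is an added example, not part of the original procedure, that moves the keys into a Kubernetes Secret and narrows the Role to the one secret the job maintains. The Secret name `ecr-sync-aws-keys` and its key names are assumptions.

```yaml
# Added example. The Secret name "ecr-sync-aws-keys" and its key names are
# assumptions; all other names come from the manifest above.
apiVersion: v1
kind: Secret
metadata:
  name: ecr-sync-aws-keys
  namespace: <your namespace>
type: Opaque
stringData:
  access-key-id: <access key provided by Digitalroute>
  secret-access-key: <secret access key provided by Digitalroute>
---
# Role limited to the one secret the job maintains. "create" cannot be
# restricted with resourceNames, so it is granted in a separate rule.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ecr-cred"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
# Fragment, not a standalone object: use it in place of the "env" list of
# the get-token init container in the CronJob.
env:
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: ecr-sync-aws-keys
        key: access-key-id
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: ecr-sync-aws-keys
        key: secret-access-key
  - name: REGION
    value: eu-west-1
```

Apply the first two documents with kubectl and merge the fragment into the CronJob by hand. With the narrowed Role, the job's service account cannot read `ecr-sync-aws-keys` through the API; the kubelet injects the values into the init container.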