The preparations described below are required to install Usage Engine using Helm charts and Docker images. Read through the steps below and follow each step before installing.

...

Note!

The created pull secret will only be valid for 12 hours!

You can re-create the pull secret at any time by deleting it and creating it again.

Example:

$ kubectl delete secret ecr-cred -n default
$ kubectl create secret docker-registry ecr-cred \
  --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
  --docker-username=AWS \
  --docker-password="$(aws ecr get-login-password --region eu-west-1)" \
  -n default


Using CronJob to sync ECR credentials as a Kubernetes secret

This is the recommended procedure to make sure the secret is always valid.

Copy the content below into a YAML file and make sure to update the namespaces and access keys.

This example updates the secret ecr-cred every 8 hours in the given namespace.


kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - create
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
subjects:
- kind: ServiceAccount
  name: ecr-credentials-sync
roleRef:
  kind: Role
  name: ecr-credentials-sync
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
spec:
  suspend: false
  schedule: "0 */8 * * *"
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-credentials-sync
          restartPolicy: Never
          volumes:
          - name: token
            emptyDir:
              medium: Memory
          initContainers:
          - image: amazon/aws-cli
            name: get-token
            imagePullPolicy: IfNotPresent
            env:
            - name: AWS_ACCESS_KEY_ID
              value: <access key provided by Digitalroute>
            - name: AWS_SECRET_ACCESS_KEY
              value: <secret access key provided by Digitalroute>
            - name: REGION
              value: eu-west-1
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - aws ecr get-login-password --region ${REGION} > /token/ecr-token
          containers:
          - image: bitnami/kubectl
            name: create-secret
            imagePullPolicy: IfNotPresent
            env:
            - name: SECRET_NAME
              value: ecr-cred
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - |-
              kubectl create secret docker-registry $SECRET_NAME \
                --dry-run=client \
                --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
                --docker-username=AWS \
                --docker-password="$(cat /token/ecr-token)" \
                -o yaml | kubectl apply -f -