Container ImagesUsage Engine Private Edition consists of the following container images hosted in the Digital Route AWS ECR registry: Name | Description |
|---|
462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>
| This is the container image used by the platform pod. | 462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-ec
| This is the container image used by EC pods. | 462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-operator
| This is the container image used by the uepe-operator pod. | 462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-ui
| This is the container image used by the desktop-online pod. |
Where <version> is the desired Usage Engine Private Edition version, for example 4.0.0. infoNote! Since Usage Engine Private Edition 3.1, the container images have multi-architecture support (AMD and ARM). Hosting Container Images in Your Own Container RegistryIf you have your own container registry, it is recommended that you host the Usage Engine Private Edition container images there rather than in the Digital Route AWS ECR registry. In order to access the container images in the Digital Route AWS ECR registry, you will need to authenticate yourself first. Here is how you can do this using the docker CLI: | Code Block |
|---|
| docker login -u AWS \
-p $(AWS_ACCESS_KEY_ID=<your aws access key> AWS_SECRET_ACCESS_KEY=<your aws secret access key> aws ecr get-login-password --region eu-west-1) \
462803626708.dkr.ecr.eu-west-1.amazonaws.com |
Where <your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet). Once authenticated, you can pull the container images, re-tag them and then finally push them to your own container image repository. Depending on how your container registry is configured, you probably need to set up an image pull secret that allows the Kubernetes cluster to pull the container images from your container registry in runtime. Image Pull Secret for Digital Route AWS ECROn the other hand, if you do not have your own container image registry, then you need to set up an image pull secret that allows the Kubernetes cluster to pull the container images from the Digital Route AWS ECR in runtime. Such a secret can be created like this: | Code Block |
|---|
| kubectl create secret docker-registry ecr-cred \
--docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
--docker-username=AWS \
--docker-password=$(AWS_ACCESS_KEY_ID=<your aws access key> AWS_SECRET_ACCESS_KEY=<your aws secret access key> aws ecr get-login-password --region eu-west-1) \
-n uepe |
Where <your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet). Since AWS ECR credentials expire after 12 hours, the image pull secret needs to be refreshed regularly. This can be automated through a cron job. The following yaml spec is an example of such a cron job: | Code Block |
|---|
| kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: uepe
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: uepe
subjects:
- kind: ServiceAccount
name: ecr-credentials-sync
roleRef:
kind: Role
name: ecr-credentials-sync
apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ecr-credentials-sync
namespace: uepe
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: ecr-credentials-sync
namespace: uepe
spec:
suspend: false
schedule: 0 */8 * * *
failedJobsHistoryLimit: 1
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
serviceAccountName: ecr-credentials-sync
restartPolicy: Never
volumes:
- name: token
emptyDir:
medium: Memory
initContainers:
- image: amazon/aws-cli
name: get-token
imagePullPolicy: IfNotPresent
env:
- name: AWS_ACCESS_KEY_ID
value: <your aws access key>
- name: AWS_SECRET_ACCESS_KEY
value: <your aws secret access key>
- name: REGION
value: eu-west-1
volumeMounts:
- mountPath: /token
name: token
command:
- /bin/sh
- -ce
- aws ecr get-login-password --region ${REGION} > /token/ecr-token
containers:
- image: bitnami/kubectl
name: create-secret
imagePullPolicy: IfNotPresent
env:
- name: SECRET_NAME
value: ecr-cred
volumeMounts:
- mountPath: /token
name: token
command:
- /bin/sh
- -ce
- |-
kubectl create secret docker-registry $SECRET_NAME \
--dry-run=client \
--docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
--docker-username=AWS \
--docker-password="$(cat /token/ecr-token)" \
-n uepe \
-o yaml | kubectl apply -f - |
Where <your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet). Simply put the above yaml spec into a file called ecr-credentials-sync.yaml, and then use the following command to create it in your Kubernetes cluster: | Code Block |
|---|
kubectl apply -f ecr-credentials-sync.yaml -n uepe |
|