Pull image from ECR to Kubernetes deployment file

2
votes

I am facing the issue while pulling the docker image from AWS ECR repository, earlier i used

kubectl create secret docker-registry regcred --docker-server=https://index.docker.io/v1/ --docker-username=kammana --docker-password=<your-password> [email protected]

The deployment YAML file

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: privateapp
    image: kammana/privateapp:0.0.1
  imagePullSecrets:
  - name: regcred

but now the secret password is only valid for 12 hours when you generate for ECR, i will have to manually change the secret everytime. This is hectic and i read a Medium article.

It can creates kind of cron Job but i want to pull the image at runtime by logging in to ECR.

It would be helpful if you could provide some relevant example with respect ECR direct login via Kubernetes and my cluster is not in the same AWS account so AWS IAM Roles is out of question.

3
amazon-web-servicesdockerkubernetesrancheramazon-ecr

3 Answers

7
votes

I had the same issue and I use this in a cron:

# KUBECTL='kubectl --dry-run=client'
KUBECTL='kubectl'

ENVIRONMENT=sandbox # yes, typo
AWS_DEFAULT_REGION=moon-west-1

EXISTS=$($KUBECTL get secret "$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION" | tail -n 1 | cut -d ' ' -f 1)
if [ "$EXISTS" = "$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION" ]; then
  echo "Secret exists, deleting"
  $KUBECTL delete secrets "$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION"
fi

PASS=$(aws ecr get-login-password --region $AWS_DEFAULT_REGION)
$KUBECTL create secret docker-registry $ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION \
    --docker-server=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com \
    --docker-username=AWS \
    --docker-password=$PASS \
    [email protected] --namespace collect
2
votes

This is true and the usual way is to get the password everytime you wish to login to ECR. This is the snippet from AWS documentation which says

The generated token is valid for 12 hours, which means developers running and managing container images have to re-authenticate every 12 hours manually, or script it to generate a new token, which can be somewhat cumbersome in a CI/CD environment. For example if you’re using Jenkins to build and push docker images to ECR, you have to set up Jenkins instances to re-authenticate using get-login to ECR every 12 hours.

link to the full AWS documentation

Below is the command to do get the password and login.

aws ecr get-login-password --region <<someregion>> | docker login --username <<someusername>> --password-stdin https://<<someaccount>>.amazonaws.com

And in your case you will have to write some script within a helper pod to do the below steps.

  1. Get the login password and save it in a variable.
aws ecr get-login-password --region <<someregion>>
  1. Delete you existing secret
kubectl delete secret <<secretname>>
  1. Recreate secret with new password.
kubectl create secret docker-registry regcred --docker-server=https://index.docker.io/v1/ --docker-username=kammana --docker-password=<newpassword> [email protected]

You could try cronjob to reset this every <12 hours

1
votes

There is this small tool called k8s-ecr-login-renew that does exactly what you need.