Cloud Experts Documentation

ECR Secret Operator

Amazon Elastic Container Registry Private Registry Authenticationexternal link (opens in new tab) provides a temporary authorization token valid only for 12 hours. This operator refreshes automatically the Amazon ECR authorization token before it expires, reducing the overhead in managing the authentication flow.

This operator contains two Custom Resources which direct the operator to generate/refresh Amazon ECR authorization token in a timely manner:

How to use this operator

Prerequisites

Install the operator

Installed Operator

Create the ECR Secret CRD

oc new-project test-ecr-secret-operator
cat << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: Secret
metadata:
  name: ecr-secret
  namespace: test-ecr-secret-operator
spec:
  generated_secret_name: ecr-docker-secret
  ecr_registry: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
  frequency: 10h
  region: us-east-2
EOF

A docker registry secret is created by the operator momentally and the token is patched every 10 hours

oc get secret ecr-docker-secret
NAME                TYPE                             DATA   AGE
ecr-docker-secret   kubernetes.io/dockerconfigjson   1      16h

A sample build process with generated secret

Link the secret to builder

oc secrets link builder ecr-docker-secret

Configure build config to point to your ECR Container repository

oc create imagestream ruby
oc tag openshift/ruby:2.5-ubi8 ruby:2.5
cat << EOF | oc apply -f -
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  name: ruby-sample-build
  namespace: test-ecr-secret-operator
spec:
  runPolicy: Serial
  source:
    git:
      uri: "https://github.com/openshift/ruby-hello-world"
  strategy:
    sourceStrategy:
      from:
        kind: "ImageStreamTag"
        name: "ruby:2.5"
      incremental: true
  output:
    to:
      kind: "DockerImage"
      name: "${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com/test:latest"
  postCommit:
      script: "bundle exec rake test"
EOF
oc start-build ruby-sample-build --wait

Build should succeed and push the image to the the private ECR Container repository

Success Build

Create the ECR Secret Argo CD Helm Repo CRD

cat << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: ArgoHelmRepoSecret
metadata:
  name: helm-repo
  namespace: openshift-gitops
spec:
  generated_secret_name: ecr-argo-helm-secret
  url: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
  frequency: 10h
  region: us-east-2
EOF
cat << EOF | oc apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: test
spec:
  destination:
    name: ''
    namespace: test-ecr-secret-operator
    server: 'https://kubernetes.default.svc'
  source:
    path: ''
    repoURL: ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-2.amazonaws.com
    targetRevision: 0.1.0
    chart: helm-test-chart
  project: default
EOF

The ArgoCD application should sync with ECR helm chart successfully

Create IAM user and Policy

Notes: These are sample commands. Please fill in your own resource parameters E.g. ARN Create the policy cat <<EOF > /tmp/iam_policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken" ], "Resource": "*" } ] } EOF aws iam create-policy \ --policy-name ECRLoginPolicy \ --policy-document file:///tmp/iam_policy.json Create a user and access key and attach the policy aws iam create-user --user-name ecr-bot aws iam create-access-key --user-name ecr-bot aws iam attach-user-policy --policy-arn arn:aws:iam::[ACCOUNT_ID]:policy/ECRLoginPolicy --user-name ecr-bot Notes: Save access key id and key for later usage

Create STS Assume Role

About AWS STS and Assume Roleexternal link (opens in new tab) Notes: These are sample commands. Please fill in your own resource parameters E.g. ARN Prequisites An STS Openshift Cluster Setup Environment Variables export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json \ | jq -r .spec.serviceAccountIssuer| sed -e "s/^https:\/\///") export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) export REPOSITORY_NAME=test Create the policy cat <<EOF > /tmp/iam_policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken" ], "Resource": "*" } ] } EOF aws iam create-policy \ --policy-name ECRLoginPolicy \ --policy-document file:///tmp/iam_policy.

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2023 Red Hat, Inc.