registry-creds

command module

v0.0.0-...-b2e8fec Latest Latest Go to latest Published: Jan 31, 2020 License: BSD-3-Clause Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/upmc-enterprises/registry-creds

README ¶

Registry Credentials

Allow for Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets.

How it works

The tool runs as a pod in the kube-system namespace.

It gets credentials from AWS ECR, Google Container Registry, Docker private registry, or Azure Container Registry.
Next it creates a secret with credentials for your registry
Then it sets up this secret to be used in the ImagePullSecrets for the default service account
Whenever a pod is created, this secret is attached to the pod
The container will refresh the credentials by default every 60 minutes
Enabled for use with Minikube as an addon

NOTE: This will setup credentials across ALL namespaces!

Parameters

The following parameters are driven via Environment variables.

Environment Variables:
- AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS.
- awsaccount: Comma separated list of AWS Account Ids.
- awsregion: (optional) Can override the default AWS region by setting this variable.
- aws-assume-role (optional) can provide a role ARN that will be assumed for getting ECR authorization tokens
  
  Note: The region can also be specified as an arg to the binary.
- TOKEN_RETRY_TYPE: The type of Timer to use when getting a registry token fails and must be retried; "simple" or "exponential" (default: simple)
- TOKEN_RETRIES: The number of times to retry getting a registry token if an error occurred (default: 3)
- TOKEN_RETRY_DELAY: The number of seconds to delay between successive retries at getting a registry token; applies to "simple" retry timer only (default: 5)
- GCRURL: URL to Google Container Registry
- DOCKER_PRIVATE_REGISTRY_SERVER, DOCKER_PRIVATE_REGISTRY_USER, DOCKER_PRIVATE_REGISTRY_PASSWORD: the URL, user name, and password for a Docker private registry
- ACR_URL, ACR_CLIENT_ID, ACR_PASSWORD: the registry URL, client ID, and password to access to access an Azure Container Registry.

How to setup running in AWS

Clone the repo and navigate to directory

Configure

If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:

{
 "Effect": "Allow",
  "Action": [
   "ecr:GetAuthorizationToken",
   "ecr:BatchCheckLayerAvailability",
   "ecr:GetDownloadUrlForLayer",
   "ecr:GetRepositoryPolicy",
   "ecr:DescribeRepositories",
   "ecr:ListImages",
   "ecr:BatchGetImage"
 ],
 "Resource": "*"
}

If you are not running in AWS Cloud, then you can still use this tool! Edit & create the sample secret and update values for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, aws-account, and aws-region (base64 encoded).
```
echo -n "secret-key" | base64

kubectl create -f k8s/secret.yaml
```

Create the replication controller.
```
kubectl create -f k8s/replicationController.yaml
```
NOTE: If running on premise, no need to provide AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY since that will come from the EC2 instance.
Use awsecr-cred for name of imagePullSecrets on your deployment.yaml file.

How to setup running in GCR

Clone the repo and navigate to directory
Input your application_default_credentials.json information into the secret.yaml template located here: The value for application_default_credentials.json can be obtained with the following command:
```
base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json
```
Create the secret in kubernetes
```
kubectl create -f k8s/secret.yml
```

Create the replication controller:

kubectl create -f k8s/replicationController.yaml

How to setup running in Docker Private Registry

Clone the repo and navigate to directory
Edit the sample secret and update values for DOCKER_PRIVATE_REGISTRY_SERVER, DOCKER_PRIVATE_REGISTRY_USER, and DOCKER_PRIVATE_REGISTRY_PASSWORD (base64 encoded).
```
echo -n "secret-key" | base64
```
Create the secret in kubernetes
```
kubectl create -f k8s/secret.yml
```

Create the replication controller:

kubectl create -f k8s/replicationController.yaml

How to set up Azure Container Registry

Create a service principal that your Kubernetes cluster will use to access the registry.
Clone the repo and navigate to the repo root
Edit the sample secret and update values for ACR_URL, ACR_CLIENT_ID, and ACR_PASSWORD (base64 encoded). Use service principal application ID as the client ID, and service principal password (client secret) as the password.
```
echo -n "secret-key" | base64
```
Create the secret in kubernetes
```
kubectl create -f k8s/secret.yml
```

Create the replication controller:

kubectl create -f k8s/replicationController.yaml

DockerHub Image

upmcenterprises/registry-creds

Developing Locally

If you want to hack on this project:

Clone the repo
Build: make build
Test: make test
Run on your machine: go run ./main.go --kubecfg-file=<pathToKubecfgFile>

About

Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
k8sutil

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL