Implement automatic regeneration of AWS ECR tokens #2982
Conversation
@@ -106,3 +106,57 @@ data "template_file" "gitpod_registry_values" { | |||
secret_name = local.secret_name | |||
} | |||
} | |||
|
|||
esource "aws_iam_user" "gitpod_registry" { |
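Review bot: "esource" in the opening line of this block should be "resource"; Terraform fails to parse the file, so nothing else in the hunk is exercised until that is fixed. The user is also declared with no policy attached, so it cannot call ECR at all; attach a policy scoped to ecr:GetAuthorizationToken (the only action needed to mint a login token) rather than reusing a broader existing policy, and confirm with terraform validate followed by a test call of aws ecr get-login-password using the new key.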
Typo in esource
You are creating the IAM user here, but you are not giving it any permissions, so naturally it will not be able to refresh the token. What you want is the same permissions as in resource "aws_iam_role_policy" "dns_manager" {, or at the very least "ecr:GetAuthorizationToken".
} | ||
|
||
data "template_file" "ecr_regeneration_script" { | ||
template = file("${path.module}/template/regenerate-ecr.tpl") |
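Review bot: the file() path must match the module's actual directory name (the suggestion below changes template/ to templates/); a wrong path only surfaces at plan time as a file-not-found error, so run terraform plan against this module before merging. Separately, data "template_file" depends on the external template provider, which is deprecated; the built-in templatefile() function renders the same file. Either way the rendered script is stored in Terraform state, so any credential interpolated into it lands there in plaintext.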
template = file("${path.module}/template/regenerate-ecr.tpl") | |
template = file("${path.module}/templates/regenerate-ecr.tpl") |
|
||
resource "kubernetes_cron_job" "ecr_regeneration_cron" { | ||
metadata { | ||
name = "ecr_regeneration_cron" |
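Review bot: ecr_regeneration_cron is not a valid DNS-1123 subdomain (underscores are not allowed), so the API server rejects the CronJob at apply time with the error quoted below; use ecr-regeneration-cron. The same constraint applies to any other metadata.name introduced in this resource.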
name = "ecr_regeneration_cron" | |
name = "ecr-regeneration-cron" |
Error: metadata.0.name a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is 'a-z0-9?(.a-z0-9?)*')
Tested this on a somewhat vanilla AWS self-hosted installation (version 0.8.0-beta1):
|
# Set the AWS auth environment variables | ||
AWS_DEFAULT_REGION=${region} | ||
AWS_SECRET_ACCESS_KEY=${secret_key} | ||
AWS_ACCESS_KEY_ID=${access_key} |
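Review bot: these three lines assign plain shell variables; without export the aws CLI, which runs in a subshell, never sees them and the token request fails. The larger problem is that ${secret_key} is interpolated into the script text, so the long-lived IAM secret ends up in the CronJob's command field (readable by anyone with get access on cronjobs) and in Terraform state. Pass the credentials through a Kubernetes Secret referenced from the pod spec (env valueFrom secretKeyRef), or avoid static keys altogether with IAM roles for service accounts, and keep the script body free of secret values.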
These need export in order to be available in the TOKEN subshell below. With that said though, I believe it is much better if those ENV are set on the cronjob at runtime and are proper Kubernetes secrets instead. Embedding them like this in the command makes them readable to most people with access to Kubernetes, as you would like to allow people to see cronjobs but NOT secrets.
Please check this PR #3977
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This PR contains a mechanism for regeneration of AWS ECR tokens to evade their expiry after 12 hours.
Earlier this was a manual task that required manual deletion of the secret, fetching the new token and creating the secret again. For this process, a Kubernetes cron job resource has been added. It runs a script containing the above instructions after 6 hours.
For configuring the aws-cli within the pod, the AWS IAM user credentials from the Terraform resources are used.
Suggestions are welcome for this implementation.
Fixes #1900
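An added example of the refresh step the description outlines, written for this review and not the PR's own script: it renders the image-pull secret and applies it in place, instead of deleting and recreating it, so pods never hit a window where the secret is absent. It assumes the registry host, secret name and namespace are passed as arguments, that AWS credentials reach the pod through its environment (a Kubernetes Secret or IAM roles for service accounts) rather than the script text, and that aws and kubectl are present on the image; the registry and names in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example for this review, not the PR's script. Refreshes an ECR image-pull
# secret from inside a CronJob pod. Assumes: aws and kubectl are installed, and
# AWS credentials arrive via the pod environment (Secret or IRSA), never in this file.
set -eu

# ECR logins always use the literal username "AWS"; the password is the short-lived
# token printed by `aws ecr get-login-password`, which contains only base64
# characters, so it can be placed in JSON without escaping.
build_dockerconfig() {
  registry="$1"
  token="$2"
  auth=$(printf '%s' "AWS:${token}" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$auth"
}

# Render a kubernetes.io/dockerconfigjson Secret. Applying this manifest replaces
# the token in place; deleting and recreating the secret would leave a gap during
# which image pulls fail.
render_secret_manifest() {
  name="$1"
  namespace="$2"
  registry="$3"
  token="$4"
  cfg=$(build_dockerconfig "$registry" "$token" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${cfg}
EOF
}

# CronJob entry point: mint a fresh token (the IAM identity needs only
# ecr:GetAuthorizationToken) and apply the secret. AWS_DEFAULT_REGION and the
# credentials must already be set in the pod environment.
regenerate() {
  registry="$1"
  name="$2"
  namespace="$3"
  token=$(aws ecr get-login-password --region "${AWS_DEFAULT_REGION:?set in pod env}")
  render_secret_manifest "$name" "$namespace" "$registry" "$token" | kubectl apply -f -
}

# Usage (constructed values):
#   ./regenerate-ecr.sh 123456789012.dkr.ecr.us-east-1.amazonaws.com gitpod-registry default
# Runs only when given all three arguments, so the functions can be sourced on their own.
if [ "$#" -eq 3 ]; then
  regenerate "$@"
fi
```

Because the manifest is applied rather than recreated, the CronJob can run well inside the 12-hour token lifetime (every 6 hours, as the PR does) without any pull failures between runs, and the script itself carries no credential, so reading the CronJob object reveals nothing sensitive.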