Aws/ecr token regeneration #3977

57 changes: 57 additions & 0 deletions install/aws-full-terraform/modules/registry/main.tf
Expand Up @@ -66,6 +66,36 @@ EOF
role = var.worker_iam_role_name
}

resource "aws_iam_user_policy" "gitpod_registry" {
name = "${var.project.name}-user-registry"

policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Resource": "*"
}
]
}
EOF
user = aws_iam_user.gitpod_registry.name
}

data "aws_ecr_authorization_token" "gitpod_registry" {
registry_id = aws_ecr_repository.gitpod_registry.registry_id
Expand Down Expand Up @@ -119,6 +149,33 @@ resource "aws_iam_access_key" "gitpod_registry" {
user = aws_iam_user.gitpod_registry.name
}

resource "kubernetes_cluster_role" "regenerate-ecr-role" {
metadata {
name = "regenerate-ecr-role"
}
rule {
api_groups = [""]
resources = ["secrets", "serviceaccounts"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}
}

resource "kubernetes_cluster_role_binding" "regenerate-ecr-role-binding" {
metadata {
name = "regenerate-ecr-role-binding"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "regenerate-ecr-role"
}
subject {
kind = "ServiceAccount"
name = "default"
namespace = "default"
}
}

data "template_file" "ecr_regeneration_script" {
template = file("${path.module}/template/regenerate-ecr.tpl")
vars = {
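Review bot: The ClusterRole `regenerate-ecr-role` grants get/list/watch/create/update/patch/delete on every Secret and ServiceAccount in the cluster, and the ClusterRoleBinding hands that to the `default` ServiceAccount of the `default` namespace, so any pod scheduled there without an explicit serviceAccountName can read or rewrite all cluster secrets. The regeneration script this supports only deletes and recreates one docker-registry secret, which a namespaced Role on `secrets` with `get`, `create` and `delete` bound to a dedicated ServiceAccount covers; `serviceaccounts` and the list/watch/update/patch verbs have no visible use. The CronJob that runs the script is outside this hunk and would need `service_account_name` set to the new account; the namespace the secret actually lives in is not shown, so `default` below is carried over from the hunk and should be confirmed. The `data "template_file"` block is cut off at the end of the hunk.
```hcl
resource "kubernetes_service_account" "regenerate-ecr" {
  metadata {
    name      = "regenerate-ecr"
    namespace = "default"
  }
}

resource "kubernetes_role" "regenerate-ecr-role" {
  metadata {
    name      = "regenerate-ecr-role"
    namespace = "default"
  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["get", "create", "delete"]
  }
}

resource "kubernetes_role_binding" "regenerate-ecr-role-binding" {
  metadata {
    name      = "regenerate-ecr-role-binding"
    namespace = "default"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.regenerate-ecr-role.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.regenerate-ecr.metadata[0].name
    namespace = "default"
  }
}
# … unchanged: data "template_file" "ecr_regeneration_script" …
```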
@@ -1,18 +1,18 @@
#!/bin/bash

# Set the AWS auth environment variables
AWS_DEFAULT_REGION=${region}
AWS_SECRET_ACCESS_KEY=${secret_key}
AWS_ACCESS_KEY_ID=${access_key}
export AWS_DEFAULT_REGION=${region}
export AWS_SECRET_ACCESS_KEY=${secret_key}
export AWS_ACCESS_KEY_ID=${access_key}

# Generate the auth token from the aws account
TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`
# Generate the auth token from the aws account
export TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`

# Delete the original secret
kubectl delete secret --ignore-not-found ${secret_name}

# Generate the new docker registry auth config
CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}\n'
CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}'
UPDATEDCONFIG=$(printf "$CONFIGJSON" "${host}" "$TOKEN")
echo $UPDATEDCONFIG > /tmp/config.json
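Review bot: `kubectl delete secret --ignore-not-found ${secret_name}` runs before the script knows whether `aws ecr get-authorization-token` returned anything, and the script has no `set -e`, so a failed or throttled AWS call (or a rotated access key) leaves the cluster without a pull secret and then writes a config whose `auth` field is empty. Fetching the token first and failing fast on an empty result, and only then removing the old secret, keeps a working credential in place until a replacement exists; even then, delete followed by the create that presumably follows the hunk leaves a short window in which image pulls fail, which a `kubectl create ... --dry-run=client -o yaml | kubectl apply -f -` would avoid. The secret creation step is outside this hunk.
```bash
set -euo pipefail

# Fetch the token first: a failure here must not remove the working secret.
TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')
[ -n "$TOKEN" ] || { echo "empty ECR authorization token, keeping existing secret" >&2; exit 1; }

# Delete the original secret only once a replacement token is in hand
kubectl delete secret --ignore-not-found "${secret_name}"
# … unchanged: build and write config.json …
```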

60 changes: 58 additions & 2 deletions install/aws-terraform/modules/registry/main.tf
Expand Up @@ -66,6 +66,36 @@ EOF
role = var.worker_iam_role_name
}

resource "aws_iam_user_policy" "gitpod_registry" {
name = "${var.project.name}-user-registry"

policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Resource": "*"
}
]
}
EOF
user = aws_iam_user.gitpod_registry.name
}

data "aws_ecr_authorization_token" "gitpod_registry" {
registry_id = aws_ecr_repository.gitpod_registry.registry_id
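Review bot: The first statement of `aws_iam_user_policy.gitpod_registry` grants `ecr:*` on `"Resource": "*"`, which lets this user delete or rewrite the repository policy of every ECR repository in the account, while its long-lived access key is rendered into the regeneration script that runs in-cluster; the second statement is a strict subset of the first and is dead. The only action that requires `*` is `ecr:GetAuthorizationToken`; the four read actions can be scoped to `aws_ecr_repository.gitpod_registry.arn` (the resource is already referenced by the data block below), and `cloudtrail:LookupEvents` has no use visible in this change and should be justified or dropped. If the same user is expected to push images, add the upload actions on that same ARN rather than keeping `ecr:*`. The `data "aws_ecr_authorization_token"` block continues outside the hunk.
```hcl
resource "aws_iam_user_policy" "gitpod_registry" {
  name = "${var.project.name}-user-registry"

  # GetAuthorizationToken is account-scoped and must stay on "*"; everything
  # else is limited to the repository this module creates.
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["ecr:GetAuthorizationToken"],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer"
        ],
        "Resource": "${aws_ecr_repository.gitpod_registry.arn}"
      }
    ]
  }
  EOF
  user = aws_iam_user.gitpod_registry.name
}
```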
Expand Down Expand Up @@ -107,7 +137,7 @@ data "template_file" "gitpod_registry_values" {
}
}

esource "aws_iam_user" "gitpod_registry" {
resource "aws_iam_user" "gitpod_registry" {
name = "${var.project.name}-registry"

tags = {
Expand All @@ -119,6 +149,33 @@ resource "aws_iam_access_key" "gitpod_registry" {
user = aws_iam_user.gitpod_registry.name
}

resource "kubernetes_cluster_role" "regenerate-ecr-role" {
metadata {
name = "regenerate-ecr-role"
}
rule {
api_groups = [""]
resources = ["secrets", "serviceaccounts"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}
}

resource "kubernetes_cluster_role_binding" "regenerate-ecr-role-binding" {
metadata {
name = "regenerate-ecr-role-binding"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "regenerate-ecr-role"
}
subject {
kind = "ServiceAccount"
name = "default"
namespace = "default"
}
}

data "template_file" "ecr_regeneration_script" {
template = file("${path.module}/template/regenerate-ecr.tpl")
vars = {
Expand Down Expand Up @@ -159,4 +216,3 @@ resource "kubernetes_cron_job" "ecr_regeneration_cron" {
}
}
}

@@ -1,18 +1,18 @@
#!/bin/bash

# Set the AWS auth environment variables
AWS_DEFAULT_REGION=${region}
AWS_SECRET_ACCESS_KEY=${secret_key}
AWS_ACCESS_KEY_ID=${access_key}
export AWS_DEFAULT_REGION=${region}
export AWS_SECRET_ACCESS_KEY=${secret_key}
export AWS_ACCESS_KEY_ID=${access_key}

# Generate the auth token from the aws account
TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`
export TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`

# Delete the original secret
kubectl delete secret --ignore-not-found ${secret_name}

# Generate the new docker registry auth config
CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}\n'
CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}'
UPDATEDCONFIG=$(printf "$CONFIGJSON" "${host}" "$TOKEN")
echo $UPDATEDCONFIG > /tmp/config.json
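Review bot: `echo $UPDATEDCONFIG > /tmp/config.json` writes the ECR authorization token to a file whose mode is whatever the pod's umask yields, and relies on word splitting to re-join the JSON; `umask 077` before the write and `printf '%s\n' "$UPDATEDCONFIG" > /tmp/config.json` fix both. The `export` of `AWS_SECRET_ACCESS_KEY` and `TOKEN` also exposes the static key and the token to every child process the script spawns, and because `${secret_key}` is substituted by `template_file` the long-lived key is embedded in the rendered script itself — where that rendered script is stored (ConfigMap, Secret or pod spec) is not visible in this change and should be checked so the key does not end up in a ConfigMap. The rest of the script, including the secret creation, continues outside the hunk.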
