DEV Community
Sai Kiran

Integrating AWS ECR (Elastic Container Registry) with Kubernetes

I run my own Kubernetes cluster, spun up with Rancher on AWS Lightsail, which is an alternative to DigitalOcean. Though Lightsail is part of AWS, it is not as tightly integrated as the rest of AWS. The ECR Docker image token (or password) expires every 12 hours, and every time you want to pull or push you have to renew it. To use it with Kubernetes you need some way to update the image pull secret automatically before the token expires.
Getting ECR to work with it is the same as with any other non-AWS (non-EKS) cluster, so read on if you want to integrate ECR with your DIY or other non-AWS Kubernetes cluster.
I dockerized a lightweight Python script to run as a CronJob. It fetches a new login token every 6 hours (the interval is the schedule in the CronJob manifest below) and rewrites the image pull secret, so the secret is always refreshed well inside the 12-hour token lifetime.
First create a secret that holds the AWS credentials the helper will use. This key sits in the cluster as a plain Secret, so use an IAM user that can only pull from ECR (for example one with the AWS-managed AmazonEC2ContainerRegistryReadOnly policy). The secret lives in the ecr-kube-helper namespace, so that namespace has to exist before you run this command (the manifest below creates it):

kubectl create secret -n ecr-kube-helper generic ecr-kube-helper-ecr-secret --from-literal=REGION=[AWS_REGION] --from-literal=ID=[AWS_KEY_ID] --from-literal=SECRET=[AWS_SECRET]

Let's begin by creating the namespace, a service account and a namespace-scoped Role that lets the helper get, delete and create secrets there. It is a Role rather than a ClusterRole on purpose: the cron job's credential cannot touch secrets in any other namespace.

apiVersion: v1
kind: Namespace
metadata:
  name: ecr-kube-helper
  labels:
    name: ecr-kube-helper
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ecr-kube-helper
  name: svac-ecr-kube-helper
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-ecr-kube-helper
  namespace: ecr-kube-helper
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get","delete", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ecr-kube-helper
  name: rb-ecr-kube-helper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-ecr-kube-helper
subjects:
  - kind: ServiceAccount
    name: svac-ecr-kube-helper
    namespace: ecr-kube-helper

Then deploy the helper as a CronJob. Be sure to change the TARGET_* environment values to your secret name and ECR registry.

apiVersion: batch/v1   # use batch/v1beta1 only on clusters older than Kubernetes 1.21
kind: CronJob
metadata:
  namespace: ecr-kube-helper
  name: cron-ecr-kube-helper
  labels:
    app: cron-ecr-kube-helper
spec:
  schedule: "0 */6 * * *"   # twice within every 12-hour token lifetime
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          # Kubernetes mounts this service account's token at
          # /var/run/secrets/kubernetes.io/serviceaccount by itself; do not
          # mount the generated svac-...-token-xxxxx secret explicitly, its
          # name differs on every cluster and it is not created at all on
          # Kubernetes 1.24 and later.
          serviceAccountName: svac-ecr-kube-helper
          containers:
            - name: pod-ecr-kube-helper
              image: anaganisk/ecr-kube-helper:1.0.0
              imagePullPolicy: IfNotPresent
              env:
                # AWS credentials from the secret created above
                - name: AWS_DEFAULT_REGION
                  valueFrom:
                    secretKeyRef:
                      name: ecr-kube-helper-ecr-secret
                      key: REGION
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: ecr-kube-helper-ecr-secret
                      key: ID
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: ecr-kube-helper-ecr-secret
                      key: SECRET
                - name: LOGLEVEL
                  value: INFO
                # Name of the image pull secret the helper (re)creates
                - name: TARGET_SECRET
                  value: "xxxSecretxxx"
                # The ECR registry to log in to (one ECR ID per cron job, see below)
                - name: TARGET_ECR
                  value: "xxxECR_REPOxxx"
                # Namespace the pull secret is written to; the Role above only
                # grants access to secrets in ecr-kube-helper
                - name: TARGET_NAMESPACE
                  value: "ecr-kube-helper"
                - name: TARGET_EMAIL
                  value: "docker@example.com"

And you're done; the helper handles the rest. Reference the secret from your pods with imagePullSecrets (the name is whatever you set TARGET_SECRET to). Keep in mind that a pod can only use an image pull secret from its own namespace, so TARGET_NAMESPACE has to be the namespace your workloads run in, and the Role and RoleBinding have to exist in that namespace too. You can check that a refresh happened with kubectl get secret -n ecr-kube-helper xxxSecretxxx -o yaml and compare the creation timestamp with the last job run.
The helper can only update one ECR ID for now, so if you want to use it with multiple ECRs you may have to create multiple cron jobs. One ECR ID may have multiple repositories, for example ECR_ID.dkr.ecr.ap-south-1.amazonaws.com/repository.
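As an added example (this is not the ecr-kube-helper project's own code; its source is at the GitHub page linked below), here is what such a refresher has to do, written against the same environment the CronJob above provides: AWS_* credentials, TARGET_SECRET, TARGET_NAMESPACE and TARGET_EMAIL. The sample token response, the 123456789012 registry and the expires-at annotation are constructed for the example; the boto3 and kubernetes-client calls in main() are real but only run inside a cluster, while everything else runs offline against the in-memory stand-in.

```python
"""Added example of an ECR image-pull-secret refresher (not ecr-kube-helper's code).

Flow: get a fresh ECR authorization token (valid 12 hours), decode it into the
"AWS:<password>" pair, wrap it in a kubernetes.io/dockerconfigjson Secret and
recreate that Secret. Delete-then-create is deliberate: it needs exactly the
get/delete/create verbs the Role above grants (replace would need "update").
"""
import base64
import json
import os
from datetime import datetime, timezone

# Constructed sample shaped like boto3's ecr.get_authorization_token() reply;
# a real authorizationToken is base64("AWS:<long opaque password>").
SAMPLE_AUTH_RESPONSE = {"authorizationData": [{
    "authorizationToken": base64.b64encode(b"AWS:constructed-example-password").decode(),
    "expiresAt": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    "proxyEndpoint": "https://123456789012.dkr.ecr.ap-south-1.amazonaws.com",
}]}


def parse_authorization_token(token_b64: str) -> tuple[str, str]:
    """Split an ECR token into (user, password); ECR always uses user "AWS"."""
    user, sep, password = base64.b64decode(token_b64).decode().partition(":")
    if sep != ":" or user != "AWS" or not password:
        raise ValueError("not an ECR authorization token")
    return user, password


def build_dockerconfigjson(registry: str, user: str, password: str, email: str) -> dict:
    """Layout that `kubectl create secret docker-registry` writes into .dockerconfigjson."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"auths": {registry: {"username": user, "password": password,
                                  "email": email, "auth": auth}}}


def pull_secret_from_response(resp: dict, name: str, namespace: str, email: str) -> dict:
    """Turn an ECR token response into a Secret manifest (plain dict)."""
    data = resp["authorizationData"][0]
    registry = data["proxyEndpoint"].removeprefix("https://")  # kubelet matches on host
    user, password = parse_authorization_token(data["authorizationToken"])
    dockerconfig = build_dockerconfigjson(registry, user, password, email)
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace,
                     # hypothetical annotation: makes the expiry visible in kubectl describe
                     "annotations": {"ecr-kube-helper/expires-at": data["expiresAt"].isoformat()}},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockerconfig).encode()).decode()},
    }


def decode_pull_secret(secret: dict) -> dict:
    """Inverse of the above: the docker config that kubelet will read."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def apply_secret(secret: dict, core_v1) -> str:
    """Recreate the Secret through a kubernetes.client.CoreV1Api-like object;
    returns "created" on the first run and "recreated" on every later refresh."""
    name, namespace = secret["metadata"]["name"], secret["metadata"]["namespace"]
    try:
        core_v1.delete_namespaced_secret(name, namespace)
        existed = True
    except Exception as exc:  # kubernetes.client.rest.ApiException carries .status
        if getattr(exc, "status", None) != 404:
            raise
        existed = False
    core_v1.create_namespaced_secret(namespace, secret)
    return "recreated" if existed else "created"


class InMemoryCoreV1Api:
    """Stand-in for CoreV1Api so the flow can be exercised without a cluster."""
    class NotFound(Exception):
        status = 404

    def __init__(self):
        self.secrets = {}

    def create_namespaced_secret(self, namespace, body):
        self.secrets[(namespace, body["metadata"]["name"])] = body

    def delete_namespaced_secret(self, name, namespace):
        if (namespace, name) not in self.secrets:
            raise self.NotFound()
        del self.secrets[(namespace, name)]


def main() -> None:
    """In-cluster run; needs boto3 and the kubernetes client installed."""
    import boto3
    from kubernetes import client, config
    config.load_incluster_config()
    resp = boto3.client("ecr").get_authorization_token()  # reads the AWS_* env vars
    secret = pull_secret_from_response(resp, os.environ["TARGET_SECRET"],
                                       os.environ["TARGET_NAMESPACE"],
                                       os.environ.get("TARGET_EMAIL", "none"))
    print(apply_secret(secret, client.CoreV1Api()), secret["metadata"]["name"])


if __name__ == "__main__":
    main()
```

The decode step and the user check are the parts worth keeping in any helper: a token that does not decode to "AWS:..." would otherwise be written into the cluster as a valid-looking secret and only fail hours later as an ImagePullBackOff on some unrelated deployment.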

GitHub page: https://anaganisk.github.io/ecr-kube-helper/
