Sai Kiran

Integrating AWS ECR (Elastic Container Registry) with Kubernetes

I run my own Kubernetes cluster, spun up using Rancher on AWS Lightsail, which is an alternative to DigitalOcean. Though Lightsail is part of AWS, it is not as tightly integrated as the rest of AWS. The ECR Docker image token (or password) expires every 12 hours, and every time you want to pull or push you have to renew it. To use it with Kubernetes you need some way to update the secret automatically every 12 hours.

Getting ECR to work with it is the same as with any other non-AWS (non-EKS) cluster. Read on if you want to integrate it with your DIY or other non-AWS Kubernetes cluster.

I dockerized a lightweight Python script to run as a CronJob, which fetches a new login token every 6 hours (based on your deployment.yaml).

First, create a secret that holds your AWS credentials:

```shell
kubectl create secret -n ecr-kube-helper generic ecr-kube-helper-ecr-secret \
  --from-literal=REGION=[AWS_REGION] \
  --from-literal=ID=[AWS_KEY_ID] \
  --from-literal=SECRET=[AWS_SECRET]
```

Let's begin by creating the namespace, a service account, and a Role that is limited to get/create/delete on secrets in that namespace:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ecr-kube-helper
  labels:
    name: ecr-kube-helper
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ecr-kube-helper
  name: svac-ecr-kube-helper
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-ecr-kube-helper
  namespace: ecr-kube-helper
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "delete", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ecr-kube-helper
  name: rb-ecr-kube-helper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-ecr-kube-helper
subjects:
  - kind: ServiceAccount
    name: svac-ecr-kube-helper
    namespace: ecr-kube-helper
```

Then deploy it as a CronJob, but be sure to change the environment values (the TARGET_* entries) to match your setup:

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  namespace: ecr-kube-helper
  name: cron-ecr-kube-helper
  labels:
    app: cron-ecr-kube-helper
spec:
  schedule: "0 */6 * * *"
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          serviceAccountName: svac-ecr-kube-helper
          volumes:
            - name: svac-ecr-kube-helper-token-dr9bg
              secret:
                secretName: svac-ecr-kube-helper-token-dr9bg
          containers:
            - name: pod-ecr-kube-helper
              image: anaganisk/ecr-kube-helper:1.0.0
              imagePullPolicy: IfNotPresent
              volumeMounts:
                - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
                  name: svac-ecr-kube-helper-token-dr9bg
              env:
                - name: AWS_DEFAULT_REGION
                  valueFrom:
                    secretKeyRef: # AWS credentials secret
                      name: ecr-kube-helper-ecr-secret
                      key: REGION
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef: # AWS credentials secret
                      name: ecr-kube-helper-ecr-secret
                      key: ID
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef: # AWS credentials secret
                      name: ecr-kube-helper-ecr-secret
                      key: SECRET
                - name: LOGLEVEL
                  value: INFO
                - name: TARGET_SECRET
                  value: xxxSecretxxx
                - name: TARGET_ECR
                  value: "xxxECR_REPOxxx"
                - name: TARGET_NAMESPACE
                  value: "ecr-kube-helper"
                - name: TARGET_EMAIL
                  value: "docker@example.com"
```

And you're done. Let it handle the rest.

The helper can only update one ECR ID for now, so if you want to use it with multiple ECRs you may have to create multiple CronJobs. One ECR ID may have multiple repositories, for example ECR_ID.dkr.ecr.ap-south-1.amazonaws.com/repository.
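To make the CronJob's work concrete, here is an added example (my own illustration, not the ecr-kube-helper project's code) of the transformation it performs on every run: decode the short-lived ECR authorization token, wrap it in a `.dockerconfigjson` document, and emit the `kubernetes.io/dockerconfigjson` Secret manifest that kubelet reads as an imagePullSecret. The token response, account ID and password are constructed samples shaped like the boto3 `get_authorization_token()` output; the real AWS and Kubernetes API calls are left out so it runs offline.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the boto3 ecr.get_authorization_token() response.
# A real authorizationToken is base64("AWS:<opaque 12-hour password>"); this one is made up.
ISSUED_AT = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_TOKEN_RESPONSE = {"authorizationData": [{
    "authorizationToken": base64.b64encode(b"AWS:constructed-ecr-password").decode(),
    "expiresAt": ISSUED_AT + timedelta(hours=12),
    "proxyEndpoint": "https://123456789012.dkr.ecr.ap-south-1.amazonaws.com",
}]}

def parse_ecr_token(response):
    """Return (username, password, registry host, expires_at) from the ECR response."""
    data = response["authorizationData"][0]
    user, password = base64.b64decode(data["authorizationToken"]).decode().split(":", 1)
    registry = data["proxyEndpoint"].split("://", 1)[-1]  # kubelet keys auths by host
    return user, password, registry, data["expiresAt"]

def build_dockerconfig(user, password, registry, email):
    """Build the .dockerconfigjson document kubelet reads from an imagePullSecret."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {
        "username": user, "password": password, "email": email, "auth": auth}}})

def build_secret_manifest(name, namespace, dockerconfig):
    """Secret of type kubernetes.io/dockerconfigjson; values under data are base64."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(dockerconfig.encode()).decode()}}

def render_secret(response, name, namespace, email):
    """Full pipeline: ECR token response -> Secret manifest ready for create/replace."""
    user, password, registry, _ = parse_ecr_token(response)
    return build_secret_manifest(name, namespace,
                                 build_dockerconfig(user, password, registry, email))

def registry_credentials(manifest):
    """Decode a rendered Secret back to {registry: (user, password)} to verify it."""
    cfg = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))
    return {host: tuple(base64.b64decode(v["auth"]).decode().split(":", 1))
            for host, v in cfg["auths"].items()}

def needs_refresh(expires_at, now, interval_hours=6, margin_minutes=30):
    """True if the token would lapse before the next CronJob run plus a safety margin."""
    return expires_at - now < timedelta(hours=interval_hours, minutes=margin_minutes)
```

With a 12-hour token and the 6-hour schedule from the manifest above, `needs_refresh` stays false right after issuance, which is the headroom the schedule relies on; at a 12-hour interval it flips to true, showing why the schedule must be shorter than the token lifetime.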

GitHub page: https://anaganisk.github.io/ecr-kube-helper/
