[refresh-credential] rotate the AWS ECR credential by schedule

components/BUILD.yaml

@@ -66,6 +66,7 @@ packages:
  - components/usage:docker
  - components/openvsx-proxy:docker
  - components/proxy:docker
+ - components/refresh-credential:docker
  - components/registry-facade:docker
  - components/registry-facade/ca-updater:docker
  - components/server:docker
@@ -121,6 +122,7 @@ packages:
  - components/image-builder-mk3:app
  - components/openvsx-proxy:app
  - components/public-api-server:app
+ - components/refresh-credential:app
  - components/registry-facade:app
  - components/server:app
  - components/service-waiter:app

components/refresh-credential/.gitignore

@@ -0,0 +1 @@
+refresh-credential

components/refresh-credential/BUILD.yaml

@@ -0,0 +1,38 @@
+packages:
+ - name: app
+ type: go
+ srcs:
+ - "**/*.go"
+ - "go.mod"
+ - "go.sum"
+ deps:
+ - components/common-go:lib
+ env:
+ - CGO_ENABLED=0
+ - GOOS=linux
+ config:
+ packaging: app
+ buildCommand: ["go", "build", "-trimpath", "-ldflags", "-buildid= -w -s -X 'github.com/gitpod-io/gitpod/refresh-credential/cmd.Version=commit-${__git_commit}'"]
+ - name: docker
+ type: docker
+ deps:
+ - :app
+ argdeps:
+ - imageRepoBase
+ config:
+ dockerfile: leeway.Dockerfile
+ metadata:
+ helm-component: refreshCredential
+ image:
+ - ${imageRepoBase}/refresh-credential:${version}
+ - ${imageRepoBase}/refresh-credential:commit-${__git_commit}
+ - name: lib
+ type: go
+ srcs:
+ - "**/*.go"
+ - "go.mod"
+ - "go.sum"
+ config:
+ packaging: library
+ deps:
+ - components/common-go:lib

components/refresh-credential/README.md

@@ -0,0 +1,44 @@
+# refresh-credential
+
+`refresh-credential` is a service to refresh the AWS ECR authorization token because the authorization token is valid for 12 hours.
+
+## Development
+
+### Prepare a Kubernetes cluster
+
+```console
+# Set up kube context. The refresh-credential will connect to this Kubernetes cluster.
+kubectx [cluster-name]
+```
+
+### Prepare the AWS access/secret key pair
+
+```console
+aws configure
+```
+
+### Prepare the configuration
+
+```json
+{
+ "namespace": "default", # The namespace to find the Kubernetes secret name
+ "credentialSecret": "$HOME/.aws/credentials", # The secret name with AWS access/secret key pair
+ "region": "", # The AWS ECR registry region
+ "publicRegistry": false, # Indicate it's a private or public registry
+ "secretToUpdate": "" # The authorization token written to
+}
+```
+
+> **Note*
+> If you are using public a AWS ECR registry, the region name is either `us-east-1` or `us-west-2`. Reference to the [AWS ECR Public endpoints](https://docs.aws.amazon.com/general/latest/gr/ecr-public.html).
+
+### Running locally
+
+To run `refresh-credential` locally, the `example-config.json` can be used as follows:
+
+```console
+cd /workspace/gitpod/components/refresh-credential
+
+# Run refresh-credential to refresh the AWS ECR authorization token.
+go run . ecr example-config.json
+```

components/refresh-credential/cmd/root.go

@@ -0,0 +1,51 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+"fmt"
+"os"
+
+"k8s.io/client-go/kubernetes"
+ctrl "sigs.k8s.io/controller-runtime"
+
+"github.com/spf13/cobra"
+
+"github.com/gitpod-io/gitpod/common-go/log"
+"github.com/gitpod-io/gitpod/refresh-credential/pkg/config"
+"github.com/gitpod-io/gitpod/refresh-credential/pkg/ecr"
+)
+
+var rootCmd = &cobra.Command{
+Use: "ecr <config.json>",
+Short: "Refresh the AWS ECR credential",
+Args: cobra.ExactArgs(2),
+Run: func(cmd *cobra.Command, args []string) {
+cfgFile := args[1]
+cfg := config.Get(cfgFile)
+log.WithField("config", cfg).Info("Starting refresh-credential")
+
+kubeConfig, err := ctrl.GetConfig()
+if err != nil {
+log.WithError(err).Fatal("unable to getting Kubernetes client config")
+}
+
+client, err := kubernetes.NewForConfig(kubeConfig)
+if err != nil {
+log.WithError(err).Fatal("constructing Kubernetes client")
+}
+
+ecr.RefreshCredential(client, cfg)
+},
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+if err := rootCmd.Execute(); err != nil {
+fmt.Println(err)
+os.Exit(1)
+}
+}

components/refresh-credential/example-config.json

@@ -0,0 +1,7 @@
+{
+ "namespace": "default",
+ "credentialSecret": "/home/gitpod/.aws/credentials",
+ "region": "",
+ "publicRegistry": false,
+ "secretToUpdate": ""
+}

components/refresh-credential/go.mod

@@ -0,0 +1,94 @@
+module github.com/gitpod-io/gitpod/refresh-credential
+
+go 1.19
+
+require (
+github.com/aws/aws-sdk-go-v2 v1.17.2
+github.com/aws/aws-sdk-go-v2/config v1.18.4
+github.com/aws/aws-sdk-go-v2/credentials v1.13.4
+github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.21
+github.com/docker/cli v20.10.21+incompatible
+github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
+github.com/spf13/cobra v1.4.0
+k8s.io/api v0.25.0
+k8s.io/apimachinery v0.25.0
+k8s.io/client-go v0.25.0
+sigs.k8s.io/controller-runtime v0.11.2
+)
+
+require (
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect
+github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect
+github.com/aws/smithy-go v1.13.5 // indirect
+github.com/beorn7/perks v1.0.1 // indirect
+github.com/cespare/xxhash/v2 v2.1.2 // indirect
+github.com/davecgh/go-spew v1.1.1 // indirect
+github.com/docker/docker-credential-helpers v0.7.0 // indirect
+github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+github.com/fsnotify/fsnotify v1.5.4 // indirect
+github.com/go-logr/logr v1.2.3 // indirect
+github.com/go-openapi/jsonpointer v0.19.5 // indirect
+github.com/go-openapi/jsonreference v0.20.0 // indirect
+github.com/go-openapi/swag v0.19.14 // indirect
+github.com/gogo/protobuf v1.3.2 // indirect
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+github.com/golang/protobuf v1.5.2 // indirect
+github.com/google/gnostic v0.5.7-v3refs // indirect
+github.com/google/go-cmp v0.5.9 // indirect
+github.com/google/gofuzz v1.1.0 // indirect
+github.com/google/uuid v1.1.2 // indirect
+github.com/imdario/mergo v0.3.12 // indirect
+github.com/inconshreveable/mousetrap v1.0.0 // indirect
+github.com/jmespath/go-jmespath v0.4.0 // indirect
+github.com/josharian/intern v1.0.0 // indirect
+github.com/json-iterator/go v1.1.12 // indirect
+github.com/mailru/easyjson v0.7.6 // indirect
+github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+github.com/modern-go/reflect2 v1.0.2 // indirect
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+github.com/pkg/errors v0.9.1 // indirect
+github.com/prometheus/client_golang v1.13.0 // indirect
+github.com/prometheus/client_model v0.2.0 // indirect
+github.com/prometheus/common v0.37.0 // indirect
+github.com/prometheus/procfs v0.8.0 // indirect
+github.com/sirupsen/logrus v1.8.1 // indirect
+github.com/spf13/pflag v1.0.5 // indirect
+golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
+golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
+golang.org/x/sys v0.3.0 // indirect
+golang.org/x/term v0.3.0 // indirect
+golang.org/x/text v0.5.0 // indirect
+golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
+gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+google.golang.org/appengine v1.6.7 // indirect
+google.golang.org/protobuf v1.28.1 // indirect
+gopkg.in/inf.v0 v0.9.1 // indirect
+gopkg.in/yaml.v2 v2.4.0 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+gotest.tools/v3 v3.4.0 // indirect
+k8s.io/apiextensions-apiserver v0.25.0 // indirect
+k8s.io/component-base v0.25.0 // indirect
+k8s.io/klog/v2 v2.80.1 // indirect
+k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
+k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
+sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+sigs.k8s.io/yaml v1.3.0 // indirect
+)
+
+replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway
+
+replace k8s.io/api => k8s.io/api v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apimachinery => k8s.io/apimachinery v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/client-go => k8s.io/client-go v0.24.4 // leeway indirect from components/common-go:lib