Log in to AWS ECR automatically using the cluster-provided credentials. #147
Conversation
As discussed in fluxcd#139 if the environment variable USE_ECR is set, logs in to the AWS Elastic Container Registry in the image URL by fetching a temporary token from AWS. Signed-off-by: Martin Emrich <martin@martinemrich.me>
| @@ -210,6 +265,28 @@ func (r *ImageRepositoryReconciler) scan(ctx context.Context, imageRepo *imagev1 | |||
| options = append(options, remote.WithAuth(auth)) | |||
| } | |||
|
|
|||
| if accountId, awsEcrRegion, _, _, _, err := parseAwsImageURL(imageRepo.Spec.Image); err == nil { | |||
| if _, present := os.LookupEnv("USE_ECR"); present { | |||
There was a problem hiding this comment.
I would prefer this as a flag to the controller, rather than an environment variable. Really only because that's more in the spirit of controller-runtime with its config file support -- in most respects environment vars and flags work equally well.
I think it is appropriate for it to be set at the controller level, since it's up to the platform admin to grant global access to ambient authority, rather than for users to claim it. (If there is a reason to opt in per image repository, then fine, but I would still want the flag on the controller to explicitly grant access to everyone who wants it).
There was a problem hiding this comment.
Yes, I'll try to find out how to access the command line and change the PR....
But I have no Idea what "instead of merging main into this branch, please rebase this branch on main" means...
There was a problem hiding this comment.
@squaremo I guess I got the command-line option working. As for the rebase topic, I brushed up on Git theory, but I have no clue on how to execute it here on Github without damaging anything (Yes, it's my very first Github PR).
There was a problem hiding this comment.
I have no clue on how to execute it here on Github without damaging anything (Yes, it's my very first Github PR).
First GitHub PR high five! ✋
I don't think GitHub has an in-app way to do this; it's something you would do on your local computer, after cloning your fork of this repo.
But I have no Idea what "instead of merging main into this branch, please rebase this branch on main" means...
Since you're working from a fork, you'll have to add this repo as a <remote>, first:
git remote add upstream https://github.com/fluxcd/image-reflector-controller
Also, it's worth working in a branch, and reserving main for keeping track of the upstream main branch:
git switch -c ecr-auto-creds
git push -u origin ecr-auto-creds
(The second command pushes the new branch to your forked repo, and -u sets it as the default place to push any further commits on that branch)
Then, rebasing on the main branch here can be done with
git pull upstream main --rebase
A lot of the time, this will succeed without any more work from you. If you get into trouble, you can git rebase --abort to take you back to the state before the rebase (or pull --rebase).
To push the branch back to GitHub, you'll need to use --force-with-lease, because you've replaced the commits in the branch:
git push --force-with-lease # it knows where to push to, because of `-u` above
There was a problem hiding this comment.
@squaremo Thanks! I followed your instructions, and all commands succeeded. But apparently it is not possible to change the source branch of a Github PR, so it's still from my "main" branch :(
(... and quote a dot in the ECR URL pattern regexp) Signed-off-by: Martin Emrich <martin@martinemrich.me>
Signed-off-by: Martin Emrich <martin@martinemrich.me>
Signed-off-by: Michael Bridgen <michael@weave.works>
Signed-off-by: Michael Bridgen <michael@weave.works>
Signed-off-by: Michael Bridgen <michael@weave.works>
Release v0.11.0
Signed-off-by: Michael Bridgen <michael@weave.works>
Correct apiVersion of v1beta1 samples
| @@ -79,6 +80,8 @@ func main() { | |||
| flag.StringVar(&storagePath, "storage-path", "/data", "Where to store the persistent database of image metadata") | |||
| flag.Int64Var(&storageValueLogFileSize, "storage-value-log-file-size", 1<<28, "Set the database's memory mapped value log file size in bytes. Effective memory usage is about two times this size.") | |||
| flag.IntVar(&concurrent, "concurrent", 4, "The number of concurrent resource reconciles.") | |||
| flag.BoolVar(&useAwsEcr, "use-aws-ecr", false, "Log in to AWS Elastic Container Registry with IAM") | |||
There was a problem hiding this comment.
Wondering if a flag like --with-aws-ecr-iam or simply --enable-aws-iam would be more descriptive. In my opinion, you only actually start making use of AWS Elastic Container Registry once a scan detects it.
| auth := authn.FromConfig(authConfig) | ||
| options = append(options, remote.WithAuth(auth)) | ||
| } else { | ||
| logr.FromContext(ctx).Info("AWS ECR authentication is not enabled, to enable, set USE_ECR environment variable") |
There was a problem hiding this comment.
Not sure if implementation details from another layer (set USE_ECR) should be mentioned here, it may be better (and less maintenance heavy) to simply refer to the feature.
|
This looks like it needs to be rebased before it can be approved. (Is there any other feedback that was left here, which still needs to be addressed?) |
|
@kingdonb I am very sorry for the long inactivity, I am quite busy atm... I'll try to follow squaremos rebase tutorial above ASAP. |
As discussed in fluxcd#139 if the environment variable USE_ECR is set, logs in to the AWS Elastic Container Registry in the image URL by fetching a temporary token from AWS. Signed-off-by: Martin Emrich <martin@martinemrich.me>
(... and quote a dot in the ECR URL pattern regexp) Signed-off-by: Martin Emrich <martin@martinemrich.me>
Signed-off-by: Martin Emrich <martin@martinemrich.me>
|
Sorry for the interruption! This PR got a mention in our bug scrub event today, I think there is no urgency, it was just the right age and staleness for this issue to come to the top of our list and get our attention, I'm glad to see it moving ahead. Thank you for doing the rebase; it looks like the next step is for a maintainer to approve the test execution and have another look for review. Also, 🙌 |
|
Hello all, Nice work being performed here, we are looking forward to using it. As of now, we use a pods that retrieves a token every 6 hours and stores it as kubesecret to be used by the image reflector controller. Thanks. |
|
I'm going to rebase this and put it in another PR -- usually I would rebase and push to the fork, but I don't want to mess with someone's |
|
@squaremo sure, do whatever you have to, no worries! :) THB, navigating all these processes with git, forks, branches, rebases, checks, reviews and stuff seems to be more hassle than implementing these few lines of code... Maybe I'm getting old, but in hindsight |
Ha yep, fair enough. I think it's worth brushing up on git in general, and all those things you mention get easier, but it is steep hill to climb to scratch just one itch*, that's true. (*A mixed metaphor should be derailed, no matter how it sings!) |
|
Closing in favour in #174, which repackaged the change for more convenient review. Thank you for your initiative and efforts, @MartinEmrich 🍏 |
…d): elaborate on how to enable autologin for ECR fluxcd/flux#1619 fluxcd/flux2#107 fluxcd#11 fluxcd#139 fluxcd#147 fluxcd#174 fluxcd#179 fluxcd#180 fluxcd/website#601 fluxcd#193 fluxcd/website#611 https://fluxcd.io/docs/guides/image-update/#aws-elastic-container-registry Signed-off-by: lloydchang <lloydchang@gmail.com>
…d): elaborate on how to enable autologin for ECR fluxcd/flux#1619 fluxcd/flux2#107 fluxcd#11 fluxcd#139 fluxcd#147 fluxcd#174 fluxcd#179 fluxcd#180 fluxcd/website#601 fluxcd#193 fluxcd/website#611 https://fluxcd.io/docs/guides/image-update/#aws-elastic-container-registry Signed-off-by: lloydchang <lloydchang@gmail.com>
…d): elaborate on how to enable autologin for ECR fluxcd/flux#1619 fluxcd/flux2#107 fluxcd#11 fluxcd#139 fluxcd#147 fluxcd#174 fluxcd#179 fluxcd#180 fluxcd/website#601 fluxcd#193 fluxcd/website#611 https://fluxcd.io/docs/guides/image-update/#aws-elastic-container-registry Signed-off-by: lloydchang <lloydchang@gmail.com> Signed-off-by: Kingdon Barrett <kingdon@weave.works>
…d): elaborate on how to enable autologin for ECR fluxcd/flux#1619 fluxcd/flux2#107 fluxcd#11 fluxcd#139 fluxcd#147 fluxcd#174 fluxcd#179 fluxcd#180 fluxcd/website#601 fluxcd#193 fluxcd/website#611 https://fluxcd.io/docs/guides/image-update/#aws-elastic-container-registry Signed-off-by: lloydchang <lloydchang@gmail.com> Signed-off-by: Kingdon Barrett <kingdon@weave.works>
As discussed in #139
This mostly restores the flux v1 functionality (for me)
if the environment variable USE_ECR is set, logs in to the AWS Elastic
Container Registry in the image URL by fetching a temporary token from
AWS.