I'm looking for a workflow to use bundle resolver with bundled images (tkn bundle) from Amazon ECR private repositories.
With the previous bundle resolver implementation (when it still used ServiceAccounts for auth) my use-case worked, but with the Secrets approach (0fa076e) it no longer works, because ECR uses short-lived tokens (up to 12 hours, if I'm not mistaken) for auth and I cannot just add something once to the secret and use it for long. I would then need to build some kind of mechanism (maybe simply a CronJob) in front that generates the token every X hours and replaces it in the secret - and this doesn't sound like a good approach to me.
Also another question - where do secrets have to be deployed? In all namespaces where pipelines reference the bundle or in just a single namespace that Tekton looks for?
@shruthipuranik @Yongxuanzhang @vdemeester - maybe you have some ideas on this topic?
I'd really appreciate some feedback, and if there is really a gap, we'd be more than happy to fill it and restore the ServiceAccount approach to work side-by-side with the secret approach.
> Also another question - where do secrets have to be deployed? In all namespaces where pipelines reference the bundle or in just a single namespace that Tekton looks for?
They need to be deployed in the namespace where the TaskRun or PipelineRun that references the Tekton bundle is.
Reading this issue, it does indeed sound like a gap, or at least something where we need to provide a better UX than having to "manually" rotate secrets.
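The rotation workaround discussed in this thread, as an added example (not code from Tekton or from the participants): it turns one ECR authorization entry into a registry-credential Secret for the namespace of the referencing TaskRun or PipelineRun and decides when a refresh is due. Assumptions: the Secret type is `kubernetes.io/dockerconfigjson`; the function names, the two-hour margin and the annotation key are hypothetical; all sample values are constructed.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Assumption: refresh once less than this much token lifetime remains.
REFRESH_MARGIN = timedelta(hours=2)


def needs_refresh(expires_at, now, margin=REFRESH_MARGIN):
    """True when the stored token is expired or inside the refresh margin."""
    return expires_at - now <= margin


def build_pull_secret(name, namespace, auth_data):
    """Build a dockerconfigjson Secret manifest from one ECR auth entry.

    auth_data mirrors an ECR GetAuthorizationToken authorizationData item:
    authorizationToken is base64("AWS:<password>"), proxyEndpoint is the
    registry URL, expiresAt is a timezone-aware datetime.
    """
    token = auth_data["authorizationToken"]
    user, sep, password = base64.b64decode(token).decode().partition(":")
    if not sep or user != "AWS" or not password:
        raise ValueError("unexpected ECR authorization token format")
    # Docker config keys registries by host, without the URL scheme.
    registry = auth_data["proxyEndpoint"].split("://", 1)[-1]
    docker_config = {"auths": {registry: {"auth": token}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        # The namespace must be the one the TaskRun/PipelineRun runs in.
        "metadata": {
            "name": name,
            "namespace": namespace,
            # Hypothetical annotation so a later run can call needs_refresh().
            "annotations": {
                "example.invalid/expires-at": auth_data["expiresAt"].isoformat()
            },
        },
        "stringData": {".dockerconfigjson": json.dumps(docker_config)},
    }


# Constructed sample data: no real account, registry or credential.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_AUTH = {
    "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
    "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "expiresAt": SAMPLE_NOW + timedelta(hours=12),
}
```

The identity running such a job needs write access to Secrets in every namespace that references the bundle, which is part of the operational cost raised in the issue.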