feat: Add ECR pull helper

ecr-pull-helper/README.md

@@ -0,0 +1,19 @@
+# ECR Pull Helper
+
+This module  sets up a cronjob that keeps temporary Docker credentials for ECR up to date in all namespaces.
+
+## Usage:
+
+
+```hcl
+module "ecr_helper" {
+  source = "github.com/contiamo/terraform//ecr-helper-module"
+
+  aws_secret_access_key       = [AWS secrets access key for a user with read-only ECR access]
+  aws_access_key_id           = [AWS secret access key ID for a user with read-only ECR access]
+  aws_region                  = [AWS region where your ECR lives]
+  ecr_helper_namespace        = [The name of the namespace that will be created for the cronjob. Default: "ecr-helper"]
+  ecr_helper_svc_account_name = [The name of the service account that will be created for the cronjob. Default: "ecr-helper"]
+  ecr_registry_secret_name    = [The name of the Docker credential secrets that will be managed for you in all namespaces. Default: "ecr-registry-secret"]
+}
+```

ecr-pull-helper/main.tf

@@ -0,0 +1,121 @@
+resource "kubernetes_namespace_v1" "ecr_helper_namespace" {
+  metadata {
+    name = var.ecr_helper_namespace
+    annotations = {
+      "purpose" = "This namesopace is used to run the ecr-registry-helper cronjob. The cronjob keeps the ecr-registry-secret to date."
+    }
+  }
+}
+
+resource "kubernetes_secret_v1" "ecr_registry_helper_secret" {
+  metadata {
+    name      = "ecr-helper-creds"
+    namespace = kubernetes_namespace_v1.ecr_helper_namespace.metadata[0].name
+  }
+
+  data = {
+    AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key
+    AWS_ACCESS_KEY_ID     = var.aws_access_key_id
+  }
+}
+
+
+resource "kubernetes_service_account_v1" "ecr_helper" {
+  metadata {
+    name      = var.ecr_helper_svc_account_name
+    namespace = kubernetes_namespace_v1.ecr_helper_namespace.metadata[0].name
+  }
+}
+
+resource "kubernetes_cluster_role_v1" "full_access_to_secrets" {
+  metadata {
+    name = "ecr-helper-full-access-to-secrets"
+  }
+
+  rule {
+    api_groups     = [""]
+    resources      = ["secrets"]
+    resource_names = ["${var.ecr_registry_secret_name}"]
+    verbs          = ["delete"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["secrets"]
+    verbs      = ["create"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["namespaces"]
+    verbs      = ["list"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding_v1" "full_access_to_secrets_role_binding" {
+  metadata {
+    name = "ecr-helper-full-access-to-secrets"
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = var.ecr_helper_svc_account_name
+    namespace = var.ecr_helper_namespace
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role_v1.full_access_to_secrets.metadata[0].name
+  }
+}
+
+resource "kubernetes_cron_job_v1" "ecr_registry_helper" {
+  metadata {
+    name      = "ecr-helper"
+    namespace = kubernetes_namespace_v1.ecr_helper_namespace.metadata[0].name
+  }
+
+  spec {
+    concurrency_policy            = "Forbid"
+    schedule                      = "0 */10 * * *"
+    suspend                       = false
+    failed_jobs_history_limit     = 3
+    successful_jobs_history_limit = 3
+    job_template {
+      metadata {}
+      spec {
+        backoff_limit              = 2
+        ttl_seconds_after_finished = 10
+        template {
+          metadata {}
+          spec {
+            service_account_name = kubernetes_service_account_v1.ecr_helper.metadata[0].name
+            container {
+              name              = "ecr-registry-helper"
+              image             = "odaniait/aws-kubectl:latest"
+              image_pull_policy = "IfNotPresent"
+
+              env_from {
+                secret_ref {
+                  name = kubernetes_secret_v1.ecr_registry_helper_secret.metadata[0].name
+                }
+              }
+
+              command = [
+                "/bin/sh",
+                "-c",
+                templatefile("${path.module}/assets/ecr-helper-script.sh.tpl", {
+                  AWS_REGION         = var.aws_region,
+                  AWS_ACCOUNT        = data.aws_caller_identity.current.account_id,
+                  DOCKER_SECRET_NAME = var.ecr_registry_secret_name
+                })
+              ]
+            }
+            restart_policy = "Never"
+          }
+        }
+      }
+    }
+  }
+}

ecr-pull-helper/variables.tf

@@ -0,0 +1,38 @@
+variable "aws_secret_access_key" {
+  description = "AWS secret access key for an IAM user with access to ECR"
+  type        = string
+}
+variable "aws_access_key_id" {
+  description = "AWS access key id for an IAM user with access to ECR"
+  type        = string
+}
+variable "aws_region" {
+  description = "AWS region where the ECR registry is located. Can be obtained by the resource"
+  type        = string
+}
+variable "aws_account_id" {
+  description = <<-EOF
+    The ID of the AWS account ID where your the ECR lives.
+    Can be obtained by the resource:
+    data "aws_caller_identity" "current" {}
+    And then:
+    data.aws_caller_identity.current.account_id
+  EOF
+  type        = string
+}
+variable "ecr_registry_secret_name" {
+  description = "The name of the secret that will be managed by this tool. This secret will contain temporary Docker creds for ECR"
+  type        = string
+  default     = "ecr-registry-pull-creds"
+}
+
+variable "ecr_helper_svc_account_name" {
+  description = "The name of the service account that will be used by the ecr-registry-helper cronjob"
+  type        = string
+  default     = "ecr-helper"
+}
+variable "ecr_helper_namespace" {
+  description = "The name of the namespace where the ecr-registry-helper cronjob will run"
+  type        = string
+  default     = "ecr-helper"
+}