Showing
3 changed files
with
178 additions
and
0 deletions.
@@ -0,0 +1,19 @@ | ||
# ECR Pull Helper | ||
|
||
This module sets up a cronjob that keeps temporary Docker credentials for ECR up to date in all namespaces. | ||
|
||
## Usage: | ||
|
||
|
||
```hcl | ||
module "ecr_helper" { | ||
source = "github.com/contiamo/terraform//ecr-helper-module" | ||
aws_secret_access_key = [AWS secrets access key for a user with read-only ECR access] | ||
aws_access_key_id = [AWS secret access key ID for a user with read-only ECR access] | ||
aws_region = [AWS region where your ECR lives] | ||
ecr_helper_namespace = [The name of the namespace that will be created for the cronjob. Default: "ecr-helper"] | ||
ecr_helper_svc_account_name = [The name of the service account that will be created for the cronjob. Default: "ecr-helper"] | ||
ecr_registry_secret_name = [The name of the Docker credential secrets that will be managed for you in all namespaces. Default: "ecr-registry-secret"] | ||
} | ||
``` |
@@ -0,0 +1,121 @@ | ||
resource "kubernetes_namespace_v1" "ecr_helper_namespace" { | ||
metadata { | ||
name = var.ecr_helper_namespace | ||
annotations = { | ||
"purpose" = "This namesopace is used to run the ecr-registry-helper cronjob. The cronjob keeps the ecr-registry-secret to date." | ||
} | ||
} | ||
} | ||
|
||
resource "kubernetes_secret_v1" "ecr_registry_helper_secret" { | ||
metadata { | ||
name = "ecr-helper-creds" | ||
namespace = kubernetes_namespace_v1.ecr_helper_namespace.metadata[0].name | ||
} | ||
|
||
data = { | ||
AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key | ||
AWS_ACCESS_KEY_ID = var.aws_access_key_id | ||
} | ||
} | ||
|
||
|
||
resource "kubernetes_service_account_v1" "ecr_helper" { | ||
metadata { | ||
name = var.ecr_helper_svc_account_name | ||
namespace = kubernetes_namespace_v1.ecr_helper_namespace.metadata[0].name | ||
} | ||
} | ||
|
||
resource "kubernetes_cluster_role_v1" "full_access_to_secrets" { | ||
metadata { | ||
name = "ecr-helper-full-access-to-secrets" | ||
} | ||
|
||
rule { | ||
api_groups = [""] | ||
resources = ["secrets"] | ||
resource_names = ["${var.ecr_registry_secret_name}"] | ||
verbs = ["delete"] | ||
} | ||
|
||
rule { | ||
api_groups = [""] | ||
resources = ["secrets"] | ||
verbs = ["create"] | ||
} | ||
|
||
rule { | ||
api_groups = [""] | ||
resources = ["namespaces"] | ||
verbs = ["list"] | ||
} | ||
} | ||
|
||
resource "kubernetes_cluster_role_binding_v1" "full_access_to_secrets_role_binding" { | ||
metadata { | ||
name = "ecr-helper-full-access-to-secrets" | ||
} | ||
|
||
subject { | ||
kind = "ServiceAccount" | ||
name = var.ecr_helper_svc_account_name | ||
namespace = var.ecr_helper_namespace | ||
} | ||
|
||
role_ref { | ||
api_group = "rbac.authorization.k8s.io" | ||
kind = "ClusterRole" | ||
name = kubernetes_cluster_role_v1.full_access_to_secrets.metadata[0].name | ||
} | ||
} | ||
|
||
resource "kubernetes_cron_job_v1" "ecr_registry_helper" { | ||
metadata { | ||
name = "ecr-helper" | ||
namespace = kubernetes_namespace_v1.ecr_helper_namespace.metadata[0].name | ||
} | ||
|
||
spec { | ||
concurrency_policy = "Forbid" | ||
schedule = "0 */10 * * *" | ||
suspend = false | ||
failed_jobs_history_limit = 3 | ||
successful_jobs_history_limit = 3 | ||
job_template { | ||
metadata {} | ||
spec { | ||
backoff_limit = 2 | ||
ttl_seconds_after_finished = 10 | ||
template { | ||
metadata {} | ||
spec { | ||
service_account_name = kubernetes_service_account_v1.ecr_helper.metadata[0].name | ||
container { | ||
name = "ecr-registry-helper" | ||
image = "odaniait/aws-kubectl:latest" | ||
image_pull_policy = "IfNotPresent" | ||
|
||
env_from { | ||
secret_ref { | ||
name = kubernetes_secret_v1.ecr_registry_helper_secret.metadata[0].name | ||
} | ||
} | ||
|
||
command = [ | ||
"/bin/sh", | ||
"-c", | ||
templatefile("${path.module}/assets/ecr-helper-script.sh.tpl", { | ||
AWS_REGION = var.aws_region, | ||
AWS_ACCOUNT = data.aws_caller_identity.current.account_id, | ||
DOCKER_SECRET_NAME = var.ecr_registry_secret_name | ||
}) | ||
] | ||
} | ||
restart_policy = "Never" | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} |
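Review bot: The container at `image = "odaniait/aws-kubectl:latest"` is an unpinned third-party Docker Hub image, and it runs under a ServiceAccount bound to a ClusterRole whose second rule grants `create` on secrets in every namespace with no `resource_names` restriction, so whoever can push that tag can run code with cluster-wide secret-write rights; pin it by digest, `image = "odaniait/aws-kubectl@sha256:<digest placeholder>"`, or mirror it into a registry you control. The Kubernetes API server does not evaluate `resource_names` for `create`, so the name restriction on the `delete` rule cannot simply be copied onto that rule; if the script (in `assets/ecr-helper-script.sh.tpl`, not part of this commit) can update the existing secret via `apply`/`patch` instead of delete-then-create, the role could shrink to `get`/`patch` on the named secret. `data.aws_caller_identity.current.account_id` in the `templatefile` call is not declared in any of the three files shown, while `var.aws_account_id` in variables.tf is declared and never used. `ttl_seconds_after_finished = 10` deletes each Job ten seconds after it finishes, which makes `failed_jobs_history_limit = 3` ineffective and leaves no pod logs to inspect when a credential refresh fails; consider a TTL of several hours or dropping it in favour of the history limits.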
@@ -0,0 +1,38 @@ | ||
variable "aws_secret_access_key" { | ||
description = "AWS secret access key for an IAM user with access to ECR" | ||
type = string | ||
} | ||
variable "aws_access_key_id" { | ||
description = "AWS access key id for an IAM user with access to ECR" | ||
type = string | ||
} | ||
variable "aws_region" { | ||
description = "AWS region where the ECR registry is located. Can be obtained by the resource" | ||
type = string | ||
} | ||
variable "aws_account_id" { | ||
description = <<-EOF | ||
The ID of the AWS account ID where your the ECR lives. | ||
Can be obtained by the resource: | ||
data "aws_caller_identity" "current" {} | ||
And then: | ||
data.aws_caller_identity.current.account_id | ||
EOF | ||
type = string | ||
} | ||
variable "ecr_registry_secret_name" { | ||
description = "The name of the secret that will be managed by this tool. This secret will contain temporary Docker creds for ECR" | ||
type = string | ||
default = "ecr-registry-pull-creds" | ||
} | ||
|
||
variable "ecr_helper_svc_account_name" { | ||
description = "The name of the service account that will be used by the ecr-registry-helper cronjob" | ||
type = string | ||
default = "ecr-helper" | ||
} | ||
variable "ecr_helper_namespace" { | ||
description = "The name of the namespace where the ecr-registry-helper cronjob will run" | ||
type = string | ||
default = "ecr-helper" | ||
} |
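Review bot: `aws_secret_access_key` and `aws_access_key_id` are not marked sensitive, so their values are printed in plan and apply output; add `sensitive = true` to both variable blocks (the values still reach Terraform state, so state storage needs to be treated as secret-bearing). `aws_account_id` is declared but nothing in this commit reads it; main.tf instead references `data.aws_caller_identity.current`, which is not declared here, so either add that data source or pass the variable into the `templatefile` call and drop one of the two. The default for `ecr_registry_secret_name`, `ecr-registry-pull-creds`, disagrees with the README in this commit, which documents `ecr-registry-secret`. The description of `aws_region` ends mid-sentence (`Can be obtained by the resource`), and the `aws_account_id` description reads `where your the ECR lives`.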