Skip to content
/ rancher-ecr-credentials Public
forked from bobjana/rancher-ecr-credentials

Docker container to periodically update the Credentials for an AWS Elastic Container Registry in Rancher

License

Apache-2.0 license
0 stars 20 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

platanus/rancher-ecr-credentials

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits

Godeps

Godeps

 
 

vendor/github.com

vendor/github.com

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

main.go

main.go

 
 

Repository files navigation

Rancher ECR Credentials Updater

This is Docker container that when executed will update the Docker registry credentials in Rancher for an Amazon Elastic Container Registry.

Why is this needed?

Because access to ECR is controlled with AWS IAM. An IAM user must request a temporary credential to the registry using the AWS API. This temporary credential is then valid for 12 hours.

Rancher only supports registries that authenticate with a username and password.

How to use

In order to authenticate with AWS ECR, this Docker container uses the default chain of credential providers.

The easiest way to run it is to feed in the following environment variables:

  • AWS_REGION - the AWS region of the ECR registry
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

If you're using an IAM instance profile, then you only need to specify the region, with the AWS_REGION environment variable, and the credentials will be automatically negotiated.

Add the following labels to the service in Rancher:

  • io.rancher.container.create_agent: true
  • io.rancher.container.agent.role: environment

These labels will cause Rancher to provision an API key for this service and create the CATTLE_URL, CATTLE_ACCESS_KEY, and CATTLE_SECRET_KEY environment variables.

Running container outside of Rancher

If you are running this container outside of a Rancher managed environment, then you must provide the following envvars in additional to the ones above.

  • CATTLE_URL - the url of the Rancher server to update
  • CATTLE_ACCESS_KEY
  • CATTLE_SECRET_KEY
$ docker run -d -e AWS_REGION=us-east-1 -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e CATTLE_URL=http://rancher.mydomain.com -e CATTLE_ACCESS_KEY=$CATTLE_ACCESS_KEY -e CATTLE_SECRET_KEY=$CATTLE_SECRET_KEY objectpartners/rancher-ecr-credentials:latest

Notes

The AWS credentials must correspond to an IAM user that has permissions to call the ECR GetToken API. The application then parses the resulting response to retrieve the ECR registry URL, username, and password. The returned registry URL, is used to discover the corresponding registry in Rancher.

Rancher stores registries by environment. If multiple environments exists, one instance of this container must be run per environment. Rancher credentials are tied to an environment, so specifying them will indicate which environment to update in Rancher.

NOTE: This application runs on a 6 hour loop. It's possible there could be a slight gap where the credentials expire before this program updates them.

About

Docker container to periodically update the Credentials for an AWS Elastic Container Registry in Rancher

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • Go 95.6%
  • Makefile 4.4%