connaisseur+cosign on eks: add support for aws credentials #390
Comments
@hsuchan I like the idea to avoid extra steps here. It is very unfortunate that apparently every cloud provider rolls their own docker credential helper, which would mean continuously extending Connaisseur by external code/SDKs. There seems to be a credential helper helper available that might resolve part of the technicalities, and an open docker issue.
I am tackling the situation the same way as @hsuchan is doing: running a job for the very first time, then a CronJob runs the job every x hours to refresh the token and replace all pods on the deployment. I also tried whether IRSA could help me out by giving the connaisseur serviceaccount ECR permission, but no luck. I will look forward to anyone having a better solution.
docker-credential-helper is needed for accessing credentials from IRSA. Adding this utility reduces overhead in implementing a sidecar to refresh the Docker Login Credentials for AWS ECR.

Relevant upstream issues with documented workarounds can be found:
- sse-secure-systems#390
- sse-secure-systems#352

Changes:
- create name for user
- make docker-credential-helper executable for user
I've implemented passing
There have been many good contributions now to improve support for EKS. Maybe we should prepare a blog post on how to best use Connaisseur with AWS EKS to spread the knowledge, or eventually add full examples to the docs somewhere.
@hsuchan the feature has been released with
@sf-jmarcou and @marckn0x I really appreciate the effort to add EKS credentials support to connaisseur. @xopham I was able to test both:
Both solutions work great so far.
wow...awesome! Super happy that support of AWS has improved so much thanks to your efforts 🚀
k8s version: 1.20
flavor: eks
Goal:
Use connaisseur+cosign on eks to sign/validate images located in private ecr registry.
Problem statement:
At the moment connaisseur provides 2 methods to auth against a private registry:
(https://github.com/sse-secure-systems/connaisseur/blob/master/helm/values.yaml#L82-L87)
Since docker doesn't natively support ECR auth, one needs to use an AWS helper to authenticate to ECR:
(https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
This creates a temporary token valid for 12 hours, which you can then use to authenticate to ecr:
A secret created with the following information would unfortunately expire within 12h.
The solution I had to come up with as reported by @diegonicacio in #352 was to create a cronjob, whose job is to rotate the ecr credentials inside the secret every x hours.
While this works, it is a fragile solution; it would be more elegant if connaisseur natively supported AWS credentials:
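As an added example (not code from this issue or from Connaisseur), here is the rotation logic the CronJob workaround needs: build the kubernetes.io/dockerconfigjson Secret from a fresh ECR token, record when the token was issued, and refresh before the 12-hour lifetime runs out. The registry, secret name, namespace and the annotation key are constructed placeholders, and the live `rotate` step assumes the AWS CLI and kubectl are on the PATH of the job.

```python
"""Rotate the ECR pull secret on a schedule, refreshing before the 12-hour token expires."""
import base64
import json
import subprocess
from datetime import datetime, timedelta, timezone

ECR_TOKEN_TTL = timedelta(hours=12)  # lifetime of a token from `aws ecr get-login-password`
ISSUED_AT_KEY = "example.invalid/ecr-token-issued-at"  # hypothetical annotation tracking token age


def dockerconfigjson(registry: str, token: str) -> str:
    """Docker config for an ECR registry: the user is always 'AWS', the password is the token."""
    auth = base64.b64encode(f"AWS:{token}".encode()).decode()
    return json.dumps({"auths": {registry: {"username": "AWS", "password": token, "auth": auth}}})


def secret_manifest(name: str, namespace: str, registry: str, token: str, issued_at_iso: str) -> dict:
    """Kubernetes Secret of type kubernetes.io/dockerconfigjson, annotated with the token issue time."""
    payload = base64.b64encode(dockerconfigjson(registry, token).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace, "annotations": {ISSUED_AT_KEY: issued_at_iso}},
        "data": {".dockerconfigjson": payload},
    }


def needs_refresh(issued_at_iso: str, now_iso: str, margin_hours: float = 2) -> bool:
    """True once the token is within `margin_hours` of its 12h expiry (or already past it)."""
    issued_at = datetime.fromisoformat(issued_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now >= issued_at + ECR_TOKEN_TTL - timedelta(hours=margin_hours)


def should_rotate(existing_secret: dict, now_iso: str) -> bool:
    """A missing secret or a missing/unparseable issue-time annotation means: rotate now."""
    if not existing_secret:
        return True
    issued = existing_secret.get("metadata", {}).get("annotations", {}).get(ISSUED_AT_KEY)
    try:
        return needs_refresh(issued, now_iso) if issued else True
    except (ValueError, TypeError):
        return True


def rotate(name: str, namespace: str, registry: str, region: str) -> None:
    """Not run offline: fetch a fresh token with the AWS CLI and apply the Secret with kubectl."""
    token = subprocess.run(["aws", "ecr", "get-login-password", "--region", region],
                           check=True, capture_output=True, text=True).stdout.strip()
    manifest = secret_manifest(name, namespace, registry, token, datetime.now(timezone.utc).isoformat())
    subprocess.run(["kubectl", "apply", "-f", "-"], input=json.dumps(manifest), text=True, check=True)
```

Running `rotate` from a CronJob more often than the refresh margin (e.g. every hour) keeps the secret valid, and `should_rotate` lets the job skip the AWS call when the current token still has time left.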