Pull image from ECR to Kubernetes deployment file
Solution 1
I had the same issue and I use this in a cron:
# KUBECTL='kubectl --dry-run=client'
KUBECTL='kubectl'
ENVIRONMENT=sandbox # yes, typo
AWS_DEFAULT_REGION=moon-west-1
EXISTS=$($KUBECTL get secret "$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION" | tail -n 1 | cut -d ' ' -f 1)
if [ "$EXISTS" = "$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION" ]; then
echo "Secret exists, deleting"
$KUBECTL delete secrets "$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION"
fi
PASS=$(aws ecr get-login-password --region $AWS_DEFAULT_REGION)
$KUBECTL create secret docker-registry $ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION \
--docker-server=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com \
--docker-username=AWS \
--docker-password=$PASS \
[email protected] --namespace collect
Solution 2
This is true and the usual way is to get the password everytime you wish to login to ECR. This is the snippet from AWS documentation which says
The generated token is valid for 12 hours, which means developers running and managing container images have to re-authenticate every 12 hours manually, or script it to generate a new token, which can be somewhat cumbersome in a CI/CD environment. For example if you’re using Jenkins to build and push docker images to ECR, you have to set up Jenkins instances to re-authenticate using get-login to ECR every 12 hours.
link to the full AWS documentation
Below is the command to do get the password and login.
aws ecr get-login-password --region <<someregion>> | docker login --username <<someusername>> --password-stdin https://<<someaccount>>.amazonaws.com
And in your case you will have to write some script within a helper pod to do the below steps.
- Get the login password and save it in a variable.
aws ecr get-login-password --region <<someregion>>
- Delete you existing secret
kubectl delete secret <<secretname>>
- Recreate secret with new password.
kubectl create secret docker-registry regcred --docker-server=https://index.docker.io/v1/ --docker-username=kammana --docker-password=<newpassword> [email protected]
You could try cronjob to reset this every <12 hours
Solution 3
There is this small tool called k8s-ecr-login-renew that does exactly what you need.
sks123245
Updated on June 30, 2022Comments
-
sks123245 almost 2 years
I am facing the issue while pulling the docker image from AWS ECR repository, earlier i used
kubectl create secret docker-registry regcred --docker-server=https://index.docker.io/v1/ --docker-username=kammana --docker-password=<your-password> [email protected]The deployment YAML file
apiVersion: v1 kind: Pod metadata: name: private-reg spec: containers: - name: privateapp image: kammana/privateapp:0.0.1 imagePullSecrets: - name: regcredbut now the secret password is only valid for 12 hours when you generate for ECR, i will have to manually change the secret everytime. This is hectic and i read a Medium article.
It can creates kind of cron Job but i want to pull the image at runtime by logging in to ECR.
It would be helpful if you could provide some relevant example with respect ECR direct login via Kubernetes and my cluster is not in the same AWS account so AWS IAM Roles is out of question.
-
sks123245 over 3 yearsActually i am not good with script, do you anything i can take as reference for cron job or is there any other alternative
-
Rohit over 3 yearsCheck this link -
Rohit over 3 years
-
sks123245 over 3 yearsI have already referrd this article in the question here, i had a question if i have pull the image separately will it use it when i launch the yaml file.
-
sks123245 over 3 yearsThe articcle just pulls the image, i have tried with that, but when i launch my YAML files referring to the image getting pulled, it fails
-
Rohit over 3 yearsIf you set the imagePullPolicy as IfNotPresent then it won't pull the image again if it exists on the node.
-
sks123245 over 3 yearsIt is not working i tried doing it, the image is not getting pulled. Do you have anything to reference, i also have a question, i am running this in rancher is it different
-
Gert van den Berg about 2 yearsusing a dry-run on the create and then piping it to kubectl apply might be simpler method to sort out the issues if the secret already exists....
-
btzs about 2 yearsOr delete and re-create it: kubectl delete secret --ignore-not-found $SECRET_NAME
