Skip to content

Instantly share code, notes, and snippets.

@qclaogui

qclaogui/rancher_aws_ecr_secret.md

Forked from flybd5/rancher_aws_ecr_secret.md
Created August 11, 2021 10:17
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save qclaogui/aeb9126d280d4632b52265e360ab3fd0 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save qclaogui/aeb9126d280d4632b52265e360ab3fd0 to your computer and use it in GitHub Desktop.
Download ZIP
Creating and updating AWS ECR docker-registry secrets in Rancher
Raw
rancher_aws_ecr_secret.md

The easiest way to create and update a docker-registry secret in Rancher 2.x for an AWS ECR repo is to set up a CRON job that uses the AWS CLI and Kubectl.

  • Log into the host machine where the cluster is running
  • Install AWS CLI and configure it to use an IAM role that can read the ECR credentials.
  • Test the CLI config using this command: aws ecr --region <your_ecr's_region> get-login-password
  • Install kubectl and configure it with the yaml for the cluster in which you want to define the secret
  • Create a shell script like this:
# Delete the secret if it already exists (there is no way to update it)
kubectl delete secret <name_of_the_docker_registry_secret>
# Create the secret
kubectl create secret docker-registry <name_of_the_docker_registry_secret> \
	--docker-server=<your_ecr_registry_uri> \
	--docker-username=AWS \
	--docker-password=$(aws ecr --region <your_ecr's_region> get-login-password) \
	--docker-email=<your_notification_email>
  • Now setup a cron job to run this shell script every 6 hours (AWS resets the password every 12, so just to be on the safe side).

The secret will show up in the default project for the cluster. If you know how to have kubectl create it in a specific project, let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment