IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.
ECR Secret Operator
Amazon Elastic Container Registry Private Registry Authentication provides a temporary token that is valid only for 12 hours. It is a challenge for automating container image build process to refresh the token or secret in a timely manner.
This operators frequently talks with AWS ECR GetAuthroization Token and create/update the secret, so that the service account can perform docker image build.
How to use this operator
Prerequisites
- Create an ECR private repository
- Provide AWS Authentication to the operator. Two Options:
Install the operator
- Install the operator from operator hub community
Create the ECR Secret CRD
echo << EOF | oc apply -f -
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: Secret
metadata:
name: ecr-secret
namespace: test-ecr-secret-operator
spec:
generated_secret_name: ecr-docker-secret
ecr_registry: [ACCOUNT_ID].dkr.ecr.us-east-2.amazonaws.com
frequency: 10h
region: us-east-2
EOF
A docker registry secret is created by the operator momentally and the token is patched every 10 hours
oc get secret ecr-docker-secret
NAME TYPE DATA AGE
ecr-docker-secret kubernetes.io/dockerconfigjson 1 16h
A sample build process with generated secret
Link the secret to builder
oc secrets link builder ecr-docker-secret
Configure build config to point to your ECR Container repository
oc create imagestream ruby
oc tag openshift/ruby:2.5-ubi8 ruby:2.5
echo << EOF | oc apply -f -
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
name: ruby-sample-build
namespace: test-ecr-secret-operator
spec:
runPolicy: Serial
source:
git:
uri: "https://github.com/openshift/ruby-hello-world"
strategy:
sourceStrategy:
from:
kind: "ImageStreamTag"
name: "ruby:2.5"
incremental: true
output:
to:
kind: "DockerImage"
name: "[ACCOUNT_ID].dkr.ecr.us-east-2.amazonaws.com/test:latest"
postCommit:
script: "bundle exec rake test"
EOF
oc start-build ruby-sample-build --wait
Build should succeed and push the image to the the private ECR Container repository