Skip to content

Commit

Permalink
Add ecr-cred-injector
Browse files Browse the repository at this point in the history
  • Loading branch information
d8660091 committed Sep 11, 2023
1 parent 23dfe13 commit f4bfed2
Show file tree
Hide file tree
Showing 10 changed files with 406 additions and 12 deletions.
5 changes: 3 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Build the manager binary
FROM golang:1.17 as builder
FROM golang:1.20 as builder

WORKDIR /workspace
# Copy the Go Modules manifests
Expand All @@ -15,13 +15,14 @@ COPY api/ api/
COPY controllers/ controllers/
COPY config/ config/
COPY pkg/ pkg/
COPY cmd/ cmd/

# Build
RUN GOPROXY=direct CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o package-manager main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:nonroot
FROM gcr.io/distroless/static:debug-nonroot
WORKDIR /
COPY --from=builder /workspace/package-manager .
USER 65532:65532
Expand Down
6 changes: 6 additions & 0 deletions charts/eks-anywhere-packages/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,8 @@ spec:
- mountPath: /tmp/ecr-token
name: ecr-token
readOnly: true
- name: aws-secret
mountPath: /tmp/aws-secret
initContainers:
- name: init-job
image: {{.Values.sourceRegistry}}{{ template "template.image" .Values.cronjob }}
Expand Down Expand Up @@ -146,6 +148,10 @@ spec:
defaultMode: 420
secretName: ecr-token
optional: true
- name: aws-secret
secret:
secretName: aws-secret
optional: true
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand Down
7 changes: 7 additions & 0 deletions cmd/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (
"github.com/aws/eks-anywhere-packages/api/v1alpha1"
"github.com/aws/eks-anywhere-packages/controllers"
pkgConfig "github.com/aws/eks-anywhere-packages/pkg/config"
"github.com/aws/eks-anywhere-packages/pkg/registry"
"github.com/aws/eks-anywhere-packages/pkg/webhook"
)

Expand Down Expand Up @@ -87,6 +88,12 @@ func server() error {
return fmt.Errorf("unable to start manager: %v", err)
}

ecrCredAdapter, err := registry.NewECRCredInjector(rootCmd.Context(), mgr.GetClient(), packageLog)
if err != nil {
return fmt.Errorf("unable to create ecrCredAdapter: %v", err)
}
go ecrCredAdapter.Run(rootCmd.Context())

if err = controllers.RegisterPackageBundleReconciler(mgr); err != nil {
return fmt.Errorf("unable to register package bundle controller: %v", err)
}
Expand Down
24 changes: 24 additions & 0 deletions ecrtokenrefresher/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Build the manager binary
FROM golang:1.20 as builder

WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

# Copy the go source
COPY pkg/ pkg/
COPY cmd/ cmd/

# Build
RUN GOPROXY=direct CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o ecr-token-refresh ./cmd/ecr-token-refresher

FROM gcr.io/distroless/static:debug-nonroot
WORKDIR /
COPY --from=builder /workspace/ecr-token-refresh .
USER 65532:65532

ENTRYPOINT ["/ecr-token-refresh"]
14 changes: 7 additions & 7 deletions ecrtokenrefresher/pkg/secrets/registrymirror/registrymirror.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,12 +66,8 @@ func (mirror *RegistryMirrorSecret) GetClusterCredentials(clientSets secrets.Clu
CA: string(secret.Data[caKey]),
Insecure: string(secret.Data[insecureKey]),
}
if credential.Registry != "" && credential.Username != "" && credential.Password != "" {
clusterCredentials[clusterName] = []*secrets.Credential{credential}
utils.InfoLogger.Println("success.")
} else {
utils.InfoLogger.Println("empty credential.")
}
clusterCredentials[clusterName] = []*secrets.Credential{credential}
utils.InfoLogger.Println("success.")
} else {
utils.ErrorLogger.Println(err)
return nil, err
Expand All @@ -94,7 +90,9 @@ func (mirror *RegistryMirrorSecret) BroadcastCredentials() error {
if clusterName == mirror.mgmtClusterName {
data[corev1.DockerConfigJsonKey] = configJson
}
data[clusterName+"_ca.crt"] = []byte(creds[0].CA)
if len(creds[0].CA) > 0 { // when "" ca is used, no tls verification will succeed
data[clusterName+"_ca.crt"] = []byte(creds[0].CA)
}
data["config.json"] = configJson
if creds[0].Insecure == "true" {
data[clusterName+"_insecure"] = []byte(creds[0].Insecure)
Expand All @@ -109,11 +107,13 @@ func (mirror *RegistryMirrorSecret) BroadcastCredentials() error {
}
secret, _ := k8s.GetSecret(defaultClientSet, credName, constants.PackagesNamespace)
if secret == nil {
utils.InfoLogger.Printf("Create secret %s in namespace %s", credName, constants.PackagesNamespace)
_, err := k8s.CreateSecret(defaultClientSet, credName, constants.PackagesNamespace, data)
if err != nil {
return err
}
} else {
utils.InfoLogger.Printf("Update secret %s in namespace %s", credName, constants.PackagesNamespace)
_, err := k8s.UpdateSecret(defaultClientSet, constants.PackagesNamespace, secret, data)
if err != nil {
return err
Expand Down
21 changes: 21 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ require (
github.com/Masterminds/sprig/v3 v3.2.3 // indirect
github.com/Masterminds/squirrel v1.5.3 // indirect
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
github.com/aws/aws-sdk-go-v2 v1.21.0
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
Expand Down Expand Up @@ -163,3 +164,23 @@ require (
sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
)

require (
github.com/aws/aws-sdk-go-v2/config v1.18.39
github.com/aws/smithy-go v1.14.2 // indirect
)

require (
github.com/aws/aws-sdk-go-v2/credentials v1.13.37
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.19.5
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 // indirect
)

require github.com/jmespath/go-jmespath v0.4.0 // indirect
31 changes: 31 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,32 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY=
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc=
github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=
github.com/aws/aws-sdk-go-v2/config v1.18.39 h1:oPVyh6fuu/u4OiW4qcuQyEtk7U7uuNBmHmJSLg1AJsQ=
github.com/aws/aws-sdk-go-v2/config v1.18.39/go.mod h1:+NH/ZigdPckFpgB1TRcRuWCB/Kbbvkxc/iNAKTq5RhE=
github.com/aws/aws-sdk-go-v2/credentials v1.13.37 h1:BvEdm09+ZEh2XtN+PVHPcYwKY3wIeB6pw7vPRM4M9/U=
github.com/aws/aws-sdk-go-v2/credentials v1.13.37/go.mod h1:ACLrdkd4CLZyXOghZ8IYumQbcooAcp2jo/s2xsFH8IM=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 h1:GPUcE/Yq7Ur8YSUk6lVkoIMWnJNO0HT18GUzCWCgCI0=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo=
github.com/aws/aws-sdk-go-v2/service/ecr v1.19.5 h1:hg2/a7rE9dwYr+/DPNzHQ+IsHXLNt1NsQVUecBtA8os=
github.com/aws/aws-sdk-go-v2/service/ecr v1.19.5/go.mod h1:pGwmNL8hN0jpBfKfTbmu+Rl0bJkDhaGl+9PQLrZ4KLo=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKitgIiLV1+MHobfR5Xg25iYnyzWZhyQuSlDI=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o=
github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd10wi1VfHG5FrW0/g=
github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 h1:pSB560BbVj9ZlJZF4WYj5zsytWHWKxg+NgyGV4B2L58=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4=
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ=
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU=
github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
Expand Down Expand Up @@ -262,6 +288,7 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
Expand Down Expand Up @@ -340,6 +367,10 @@ github.com/itchyny/gojq v0.12.6/go.mod h1:ZHrkfu7A+RbZLy5J1/JKpS4poEqrzItSTGDItq
github.com/itchyny/timefmt-go v0.1.3 h1:7M3LGVDsqcd0VZH2U+x393obrzZisp7C0uEe921iRkU=
github.com/itchyny/timefmt-go v0.1.3/go.mod h1:0osSSCQSASBJMsIZnhAaF1C2fCBTJZXrnj37mG8/c+A=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
Expand Down
5 changes: 2 additions & 3 deletions pkg/authenticator/ecrsecret.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ const (
ecrTokenName = "ecr-token"
cronJobName = "cron-ecr-renew"
jobExecName = "eksa-auth-refresher-"
mirrorCredName = "registry-mirror-cred"
MirrorCredName = "registry-mirror-cred"
)

type ecrSecret struct {
Expand Down Expand Up @@ -136,7 +136,7 @@ func (s *ecrSecret) GetSecretValues(ctx context.Context, namespace string) (map[
imagePullSecret[0] = make(map[string]string)
imagePullSecret[0]["name"] = ecrTokenName
imagePullSecret[1] = make(map[string]string)
imagePullSecret[1]["name"] = mirrorCredName
imagePullSecret[1]["name"] = MirrorCredName
values["imagePullSecrets"] = imagePullSecret

return values, nil
Expand All @@ -147,7 +147,6 @@ func (s *ecrSecret) cleanupPrevRuns(ctx context.Context) error {
deletePropagation := metav1.DeletePropagationBackground
jobs, err := s.clientset.BatchV1().Jobs(api.PackageNamespace).
List(ctx, metav1.ListOptions{LabelSelector: labels.Set(labelSelector.MatchLabels).String()})

if err != nil {
return err
}
Expand Down
Loading

0 comments on commit f4bfed2

Please sign in to comment.