Skip to content
This repository has been archived by the owner on Oct 3, 2024. It is now read-only.

Zarf Init Package for AWS - DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/

License

Notifications You must be signed in to change notification settings

defenseunicorns/zarf-init-aws

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Zarf Init Package for AWS

Latest Release Build Status OpenSSF Scorecard

Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.

๐Ÿ‘€ Looking for Zarf?

Zarf Init Package for AWS

This repository contains the Zarf init package for AWS that uses ECR as an OCI registry and deploys onto EKS.

Usage

Prerequisites

  • Zarf CLI (version >= v0.30.0)

  • Connection to an existing EKS cluster configured with an IAM OIDC identity provider to allow IRSA authentication

  • AWS CLI configured with the necessary permissions to describe and create ECR repositories, and fetch ECR tokens

  • Create IAM role for the Pepr webhook to be able to list and create ECR repositories

    • See an example role for reference. Be sure to replace the {{AWS_ACCOUNT_ID}} and {{EKS_CLUSTER_ID}} placeholders, as well as the AWS region with your values.

    • You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an example policy for reference.

    Note: If you only need to work with a private ECR registry, the ecr-public: prefixed actions can be removed from the policy. Likewise, if you only need to work with a public ECR registry, the ecr: prefixed actions can be removed from the policy.

  • (Optional) Create IAM role for the zarf-ecr-credential-helper to be able to fetch new ECR auth tokens

    • The credential helper is an optional component and is NOT required to use ECR as an external Zarf registry. It can be used if you are looking for an automated solution for keeping your image pull secrets updated with valid ECR auth tokens. Frequent rotation of ECR tokens in image pull secrets is required because they expire after 12 hours. https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html

    • See an example role for reference. Be sure to replace the {{AWS_ACCOUNT_ID}} and {{EKS_CLUSTER_ID}} placeholders, as well as the AWS region with your values.

    • You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an example policy for reference.

    Note: If you only need to work with a private ECR registry, the ecr-public: prefixed actions can be removed from the policy. Likewise, if you only need to work with a public ECR registry, the ecr: prefixed actions can be removed from the policy.

Get the Zarf init package

zarf package pull oci://ghcr.io/defenseunicorns/packages/init-aws:$(zarf version)-amd64

Initialize EKS cluster with Zarf configured to use ECR as external registry

Use private ECR registry

  1. Create a Zarf config file zarf-config.yaml

    architecture: amd64
    
    package:
      deploy:
        components: zarf-ecr-credential-helper
        set:
          registry_type: private
    
          # Change me to your AWS region if needed
          aws_region: us-east-1
    
          # Set IAM role ARNs
          ecr_hook_role_arn: <YOUR_WEBHOOK_ROLE_ARN>
          ecr_credential_helper_role_arn: <YOUR_CREDENTIAL_HELPER_ROLE_ARN>
    
  2. Zarf init

    Note: Be sure to run the zarf init command from the same working directory as your Zarf config file or set the ZARF_CONFIG environment variable to point to your config file.

    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
    
    # Note: Be sure the region you specify in the --registry-url matches the one specified in your Zarf config file
    zarf init \
      --registry-url="${AWS_ACCOUNT_ID}.dkr.ecr.<YOUR_AWS_REGION>.amazonaws.com" \
      --registry-push-username="AWS" \
      --registry-push-password="$(aws ecr get-login-password --region <YOUR_AWS_REGION>)" \
      --confirm

Use public ECR registry

  1. Create a Zarf config file zarf-config.yaml

    architecture: amd64
    
    package:
      deploy:
        components: zarf-ecr-credential-helper
        set:
          registry_type: public
    
          # Must use us-east-1 region for public ECR registries
          # https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth
          aws_region: us-east-1
    
          # Set IAM role ARNs
          ecr_hook_role_arn: <YOUR_WEBHOOK_ROLE_ARN>
          ecr_credential_helper_role_arn: <YOUR_CREDENTIAL_HELPER_ROLE_ARN>
    
  2. Zarf init

    Note: Be sure to run the zarf init command from the same working directory as your Zarf config file or set the ZARF_CONFIG environment variable to point to your config file.

    zarf init \
      --registry-url="$(aws ecr-public describe-registries --query 'registries[0].registryUri' --output text --region us-east-1)" \
      --registry-push-username="AWS" \
      --registry-push-password="$(aws ecr-public get-login-password --region us-east-1)" \
      --confirm