Add ecr-cred-injector #978
Conversation
eks-distro-bot
added
approved
size/L
d8660091
force-pushed
the
ecr-cred-injector
branch
4 times, most recently
from
9e9e04f to
56a3636
Compare
| FROM gcr.io/distroless/static:debug-nonroot | ||
| WORKDIR / | ||
| COPY --from=builder /workspace/ecr-token-refresh . | ||
| USER 65532:65532 |
There was a problem hiding this comment.
maybe add a comment where this group/user number comes from?
| } | ||
|
|
||
| if !IsECRRegistry(registry) { | ||
| a.log.Info("defaultRegistry is not ECR registry, skip injecting credential to docker config") |
There was a problem hiding this comment.
are we missing a return here?
| @@ -146,6 +148,10 @@ spec: | |||
| defaultMode: 420 | |||
| secretName: ecr-token | |||
| optional: true | |||
| - name: aws-secret | |||
There was a problem hiding this comment.
what do you think about aws-config-secret? or is aws-secret the convention elsewhere?
checking my understanding: we can't use the existing ecr-token secret here because we don't have control over its renewal lifecycle?
There was a problem hiding this comment.
"aws-secret" contains a field called "config", calling it "aws-config-secret" may imply that the volume is the "config" of "aws-secret".
ecr-token stores "username:password", it's not refreshed anymore perhaps because we have migrated to use credential-provider.
d8660091
force-pushed
the
ecr-cred-injector
branch
from
56a3636 to
3794f70
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: d8660091, jonathanmeier5 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Issue #, if available:
Description of changes: This change will allow packages controller to be able to pull charts from private ECR. It injects the credential(username:password) to the docker config file of the package controller container.
Manually tested that the injector works for regional ECR
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.