Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Log in to AWS ECR automatically using the cluster-provided credentials. #147

Closed
wants to merge 15 commits into from

Conversation

MartinEmrich
Copy link
Contributor

As discussed in #139

This mostly restores the flux v1 functionality (for me)

if the environment variable USE_ECR is set, logs in to the AWS Elastic
Container Registry in the image URL by fetching a temporary token from
AWS.

As discussed in fluxcd#139

if the environment variable USE_ECR is set, logs in to the AWS Elastic
Container Registry in the image URL by fetching a temporary token from
AWS.

Signed-off-by: Martin Emrich <[email protected]>
Copy link
Member

@squaremo squaremo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see this go ahead -- there's one thing I think is worth discussing (in a review comment), and one procedural thing: instead of merging main into this branch, please rebase this branch on main.

@@ -210,6 +265,28 @@ func (r *ImageRepositoryReconciler) scan(ctx context.Context, imageRepo *imagev1
options = append(options, remote.WithAuth(auth))
}

if accountId, awsEcrRegion, _, _, _, err := parseAwsImageURL(imageRepo.Spec.Image); err == nil {
if _, present := os.LookupEnv("USE_ECR"); present {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer this as a flag to the controller, rather than an environment variable. Really only because that's more in the spirit of controller-runtime with its config file support -- in most respects environment vars and flags work equally well.

I think it is appropriate for it to be set at the controller level, since it's up to the platform admin to grant global access to ambient authority, rather than for users to claim it. (If there is a reason to opt in per image repository, then fine, but I would still want the flag on the controller to explicitly grant access to everyone who wants it).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I'll try to find out how to access the command line and change the PR....

But I have no Idea what "instead of merging main into this branch, please rebase this branch on main" means...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@squaremo I guess I got the command-line option working. As for the rebase topic, I brushed up on Git theory, but I have no clue on how to execute it here on Github without damaging anything (Yes, it's my very first Github PR).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no clue on how to execute it here on Github without damaging anything (Yes, it's my very first Github PR).

First GitHub PR high five! ✋
I don't think GitHub has an in-app way to do this; it's something you would do on your local computer, after cloning your fork of this repo.

But I have no Idea what "instead of merging main into this branch, please rebase this branch on main" means...

Since you're working from a fork, you'll have to add this repo as a <remote>, first:

git remote add upstream https://github.com/fluxcd/image-reflector-controller

Also, it's worth working in a branch, and reserving main for keeping track of the upstream main branch:

git switch -c ecr-auto-creds
git push -u origin ecr-auto-creds

(The second command pushes the new branch to your forked repo, and -u sets it as the default place to push any further commits on that branch)

Then, rebasing on the main branch here can be done with

git pull upstream main --rebase

A lot of the time, this will succeed without any more work from you. If you get into trouble, you can git rebase --abort to take you back to the state before the rebase (or pull --rebase).

To push the branch back to GitHub, you'll need to use --force-with-lease, because you've replaced the commits in the branch:

git push --force-with-lease # it knows where to push to, because of `-u` above

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@squaremo Thanks! I followed your instructions, and all commands succeeded. But apparently it is not possible to change the source branch of a Github PR, so it's still from my "main" branch :(

(... and quote a dot in the ECR URL pattern regexp)

Signed-off-by: Martin Emrich <[email protected]>
@@ -79,6 +80,8 @@ func main() {
flag.StringVar(&storagePath, "storage-path", "/data", "Where to store the persistent database of image metadata")
flag.Int64Var(&storageValueLogFileSize, "storage-value-log-file-size", 1<<28, "Set the database's memory mapped value log file size in bytes. Effective memory usage is about two times this size.")
flag.IntVar(&concurrent, "concurrent", 4, "The number of concurrent resource reconciles.")
flag.BoolVar(&useAwsEcr, "use-aws-ecr", false, "Log in to AWS Elastic Container Registry with IAM")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if a flag like --with-aws-ecr-iam or simply --enable-aws-iam would be more descriptive. In my opinion, you only actually start making use of AWS Elastic Container Registry once a scan detects it.

auth := authn.FromConfig(authConfig)
options = append(options, remote.WithAuth(auth))
} else {
logr.FromContext(ctx).Info("AWS ECR authentication is not enabled, to enable, set USE_ECR environment variable")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if implementation details from another layer (set USE_ECR) should be mentioned here, it may be better (and less maintenance heavy) to simply refer to the feature.

@kingdonb
Copy link
Member

This looks like it needs to be rebased before it can be approved. (Is there any other feedback that was left here, which still needs to be addressed?)

@MartinEmrich
Copy link
Contributor Author

@kingdonb I am very sorry for the long inactivity, I am quite busy atm... I'll try to follow squaremos rebase tutorial above ASAP.

As discussed in fluxcd#139

if the environment variable USE_ECR is set, logs in to the AWS Elastic
Container Registry in the image URL by fetching a temporary token from
AWS.

Signed-off-by: Martin Emrich <[email protected]>
(... and quote a dot in the ECR URL pattern regexp)

Signed-off-by: Martin Emrich <[email protected]>
@kingdonb kingdonb self-assigned this Jul 22, 2021
@kingdonb
Copy link
Member

kingdonb commented Jul 22, 2021

Sorry for the interruption! This PR got a mention in our bug scrub event today, I think there is no urgency, it was just the right age and staleness for this issue to come to the top of our list and get our attention, I'm glad to see it moving ahead.

Thank you for doing the rebase; it looks like the next step is for a maintainer to approve the test execution and have another look for review.

Also, 🙌
– first time Flux contributor high-five!

@kingdonb kingdonb removed their assignment Jul 22, 2021
@tibz-enex
Copy link

Hello all,

Nice work being performed here, we are looking forward to using it. As of now, we use a pods that retrieves a token every 6 hours and stores it as kubesecret to be used by the image reflector controller.
Do you have any idea when this PR could be merged?

Thanks.

@squaremo
Copy link
Member

I'm going to rebase this and put it in another PR -- usually I would rebase and push to the fork, but I don't want to mess with someone's main. @MartinEmrich you will still get the credit, don't worry ;-)

@MartinEmrich
Copy link
Contributor Author

@squaremo sure, do whatever you have to, no worries! :)

THB, navigating all these processes with git, forks, branches, rebases, checks, reviews and stuff seems to be more hassle than implementing these few lines of code... Maybe I'm getting old, but in hindsight diff -Naur+email was easier.
So I apologize if my ignorance held this up more than necessary.

@squaremo
Copy link
Member

Maybe I'm getting old, but in hindsight diff -Naur+email was easier

Ha yep, fair enough. I think it's worth brushing up on git in general, and all those things you mention get easier, but it is steep hill to climb to scratch just one itch*, that's true.

(*A mixed metaphor should be derailed, no matter how it sings!)

@squaremo
Copy link
Member

Closing in favour in #174, which repackaged the change for more convenient review. Thank you for your initiative and efforts, @MartinEmrich 🍏

@squaremo squaremo closed this Oct 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants