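locals {
  # Kubernetes manifests for a CronJob that refreshes the ECR image-pull secret in the
  # flux-system namespace. The rendered text is used twice: applied directly through the
  # kubectl_manifest resource and committed to the Flux repository through the
  # github_repository_file resource. Interpolated inputs: var.account, var.region,
  # var.cluster_name.
  #
  # NOTE(review): the heredoc holds four documents separated by "---"; confirm the
  # kubectl provider version in use applies all of them from a single yaml_body
  # (otherwise split them with the kubectl_file_documents data source) — TODO confirm.
  ecr_creds_sync = <<YAML
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: flux-system
rules:
  # The job deletes and recreates the pull secret on every run, so it needs delete and
  # create on secrets. "create" cannot be narrowed with resourceNames, so this grants
  # secret creation in the whole flux-system namespace; keep it a namespaced Role and
  # do not widen it to a ClusterRole.
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - delete
      - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: flux-system
subjects:
  - kind: ServiceAccount
    name: ecr-credentials-sync
roleRef:
  kind: Role
  name: ecr-credentials-sync
  # Spelled out rather than left empty so the binding reads unambiguously.
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credentials-sync
  namespace: flux-system
  annotations:
    # IRSA: pods running under this service account obtain AWS credentials for the
    # role named here; the role definition is local.ecr_sync_irsa_roles below.
    eks.amazonaws.com/role-arn: "arn:aws:iam::${var.account}:role/${var.cluster_name}-ecr-sync"
---
# batch/v1 CronJob is GA since Kubernetes 1.21; batch/v1beta1 was removed in 1.25.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-credentials-sync
  namespace: flux-system
spec:
  suspend: false
  # ECR authorization tokens expire after 12 hours; refreshing every 6 keeps the
  # secret valid between runs. Quoted so the "*" and spaces are read as one string.
  schedule: "0 */6 * * *"
  # Never let two runs race on delete/create of the same secret.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-credentials-sync
          restartPolicy: Never
          volumes:
            # Memory-backed scratch volume: the token is handed from the init container
            # to the main container without being written to node disk.
            - name: token
              emptyDir:
                medium: Memory
          initContainers:
            # NOTE(review): both images below are untagged (resolve to :latest) and not
            # digest-pinned, and IfNotPresent means a cached image is reused without
            # re-checking the registry; pin a tag or digest for a reproducible,
            # auditable supply chain.
            - image: amazon/aws-cli
              name: get-token
              imagePullPolicy: IfNotPresent
              # You will need to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables if not using
              # IRSA. It is recommended to store the values in a Secret and load them in the container using envFrom.
              # envFrom:
              #   - secretRef:
              #       name: aws-credentials
              env:
                - name: REGION
                  value: "${var.region}" # change this if ECR repo is in a different region
              volumeMounts:
                - mountPath: /token
                  name: token
              command:
                - /bin/sh
                - -ce
                - aws ecr get-login-password --region $REGION > /token/ecr-token
          containers:
            - image: bitnami/kubectl
              name: create-secret
              imagePullPolicy: IfNotPresent
              env:
                - name: SECRET_NAME
                  value: ecr-credentials
                - name: ECR_REGISTRY
                  value: "${var.account}.dkr.ecr.${var.region}.amazonaws.com" # fill in the account id and region
              volumeMounts:
                - mountPath: /token
                  name: token
              command:
                - /bin/bash
                - -ce
                - |-
                  kubectl delete secret --ignore-not-found $SECRET_NAME
                  kubectl create secret docker-registry $SECRET_NAME \
                    --docker-server="$ECR_REGISTRY" \
                    --docker-username=AWS \
                    --docker-password="$(</token/ecr-token)"
YAML

  # IRSA role for the sync job (shape: role_name, service_account, policies_to_assign);
  # presumably consumed by the IAM/IRSA wiring elsewhere in the module — verify against
  # the caller. Empty when the job is disabled so no role is created. Read-only ECR
  # access is all the job needs: it only calls get-login-password.
  # NOTE(review): this is gated on var.ecr_sync_job alone, while the manifests below are
  # also gated on var.flux_enabled; the role may exist without the job — confirm intended.
  ecr_sync_irsa_roles = var.ecr_sync_job ? [{
    role_name          = "${var.cluster_name}-ecr-sync"
    service_account    = "system:serviceaccount:flux-system:ecr-credentials-sync"
    policies_to_assign = [
      "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    ]
  }] : []
}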
# Applies the rendered ECR sync manifests straight to the cluster. The same text is
# also committed to the Flux repository by the sibling github_repository_file resource.
# Created only when both Flux and the sync job are enabled.
resource "kubectl_manifest" "ecr-sync" {
  count = (var.flux_enabled && var.ecr_sync_job) ? 1 : 0

  yaml_body = local.ecr_creds_sync

  lifecycle {
    # On a change that forces replacement, apply the new object before the old one
    # is removed.
    create_before_destroy = true
  }
}
# Commits the rendered ECR sync manifests into the Flux repository under the Flux
# target path so Flux reconciles them as well. Created only when both Flux and the
# sync job are enabled.
resource "github_repository_file" "ecr-sync" {
  count = (var.flux_enabled && var.ecr_sync_job) ? 1 : 0

  repository = data.github_repository.main[0].name
  branch     = var.flux_branch
  file       = "${var.flux_target_path}/${local.flux_manifests_path}/ecr-sync.yaml"
  content    = local.ecr_creds_sync

  lifecycle {
    # After the first commit, neither later changes to local.ecr_creds_sync nor edits
    # made in the repository are pushed back: the committed copy is left as-is.
    # NOTE(review): template fixes therefore reach the cluster only through the
    # kubectl_manifest resource while the repository copy may drift — confirm intended.
    ignore_changes = [content, sha]
  }
}