
I am facing an issue while pulling the docker image from an AWS ECR repository; earlier I used

kubectl create secret docker-registry regcred --docker-server=https://index.docker.io/v1/ --docker-username=kammana --docker-password=<your-password> --docker-email=hari.kammana@gmail.com

The deployment YAML file

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: privateapp
    image: kammana/privateapp:0.0.1
  imagePullSecrets:
  - name: regcred

but now the secret password is only valid for 12 hours when you generate it for ECR, so I will have to manually change the secret every time. This is hectic, and I read a Medium article.

It creates a kind of cron job, but I want to pull the image at runtime by logging in to ECR.

It would be helpful if you could provide some relevant example with respect to ECR direct login via Kubernetes. My cluster is not in the same AWS account, so AWS IAM roles are out of the question.

sks123245
  • Does this answer your question? [How to use Docker Image in ECR with AWS EKS](https://stackoverflow.com/questions/54109603/how-to-use-docker-image-in-ecr-with-aws-eks) – Almenon Apr 11 '23 at 23:01

3 Answers


I had the same issue and I use this in a cron:

# KUBECTL='kubectl --dry-run=client'
KUBECTL='kubectl'

ENVIRONMENT=sandbox # yes, typo
AWS_DEFAULT_REGION=moon-west-1
# The account id was never set in the original script; fail early if it is missing
AWS_ACCOUNT_ID=${AWS_ACCOUNT_ID:?set to the AWS account id that owns the ECR registry}
NAMESPACE=collect
SECRET_NAME="$ENVIRONMENT-aws-ecr-$AWS_DEFAULT_REGION"

# Look for the secret in the same namespace it is created in below
EXISTS=$($KUBECTL get secret "$SECRET_NAME" --namespace "$NAMESPACE" 2>/dev/null | tail -n 1 | cut -d ' ' -f 1)
if [ "$EXISTS" = "$SECRET_NAME" ]; then
  echo "Secret exists, deleting"
  $KUBECTL delete secrets "$SECRET_NAME" --namespace "$NAMESPACE"
fi

# ECR tokens last 12 hours; the registry username is always AWS
PASS=$(aws ecr get-login-password --region "$AWS_DEFAULT_REGION")
$KUBECTL create secret docker-registry "$SECRET_NAME" \
    --docker-server="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com" \
    --docker-username=AWS \
    --docker-password="$PASS" \
    --docker-email=infra@setu.co --namespace "$NAMESPACE"
ixaxaar
  • Using a dry-run on the create and then piping it to kubectl apply might be a simpler method to sort out the issues if the secret already exists.... – Gert van den Berg Feb 14 '22 at 08:49
  • Or delete and re-create it: kubectl delete secret --ignore-not-found $SECRET_NAME – btzs Mar 07 '22 at 12:26

This is true, and the usual way is to get the password every time you wish to log in to ECR. This is a snippet from the AWS documentation, which says:

The generated token is valid for 12 hours, which means developers running and managing container images have to re-authenticate every 12 hours manually, or script it to generate a new token, which can be somewhat cumbersome in a CI/CD environment. For example if you’re using Jenkins to build and push docker images to ECR, you have to set up Jenkins instances to re-authenticate using get-login to ECR every 12 hours.

link to the full AWS documentation

Below is the command to get the password and log in.

aws ecr get-login-password --region <<someregion>> | docker login --username AWS --password-stdin <<someaccount>>.dkr.ecr.<<someregion>>.amazonaws.com

And in your case you will have to write a script within a helper pod to do the steps below.

  1. Get the login password and save it in a variable.
PASS=$(aws ecr get-login-password --region <<someregion>>)
  2. Delete your existing secret.
kubectl delete secret <<secretname>>
  3. Recreate the secret with the new password (the ECR registry username is always AWS).
kubectl create secret docker-registry <<secretname>> --docker-server=<<someaccount>>.dkr.ecr.<<someregion>>.amazonaws.com --docker-username=AWS --docker-password="$PASS" --docker-email=hari.kammana@gmail.com

You could try a CronJob to reset this every <12 hours.

Rohit
  • Actually I am not good with scripts; do you have anything I can take as a reference for the cron job, or is there any other alternative? – sks123245 Aug 14 '20 at 18:29
  • Check [this link](https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c) – Rohit Aug 14 '20 at 18:32
  • And also these 2 articles. [first](https://tuantranf.me/2020/01/18/how-to-manage-aws-ecr-pull-secret-for-kubernetes/) and [second](https://hub.docker.com/r/frekele/aws-ecr-kubectl) – Rohit Aug 14 '20 at 18:33
  • I have already referred to this article in the question here; I had a question: if I have pulled the image separately, will it use it when I launch the YAML file? – sks123245 Aug 14 '20 at 19:28
  • The article just pulls the image. I have tried with that, but when I launch my YAML files referring to the image getting pulled, it fails. – sks123245 Aug 14 '20 at 19:28
  • If you set the imagePullPolicy as IfNotPresent then it won't pull the image again if it exists on the node. – Rohit Aug 14 '20 at 19:30
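The renewal that both answers above describe (fetch a fresh token, replace the pull secret, run it from a cron) as one POSIX shell script, added here as an example and not taken from either answer. It follows the dry-run-and-apply suggestion from the comments on the first answer: the script renders the `kubernetes.io/dockerconfigjson` Secret manifest itself and hands it to `kubectl apply`, so the secret is replaced in place and pods never hit the gap between `delete` and `create`. The account id, region, namespace and secret name are placeholders, and the `ecr_registry`, `docker_auth`, `render_secret`, `manifest_registry` and `renew` functions are this example's own; only `renew` needs `aws` and `kubectl` on the host, everything else runs offline.

```shell
#!/bin/sh
# Added example (not code from the answers above): idempotent renewal of an
# ECR image-pull secret. Placeholder values; override them from the environment.
set -eu

AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"   # placeholder account id
AWS_REGION="${AWS_REGION:-eu-west-1}"
NAMESPACE="${NAMESPACE:-default}"
SECRET_NAME="${SECRET_NAME:-regcred}"

# ECR registry hostname: <account>.dkr.ecr.<region>.amazonaws.com
ecr_registry() {
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# A dockerconfigjson secret stores base64("username:password") under
# .auths.<registry>.auth. For ECR the username is always "AWS" and the
# password is the 12-hour token from `aws ecr get-login-password`.
docker_auth() {
  printf 'AWS:%s' "$1" | base64 | tr -d '\n'
}

# Render the manifest that `kubectl create secret docker-registry` would
# produce, without calling kubectl, so it can be applied (not recreated).
render_secret() {
  registry="$1"; token="$2"; name="$3"; ns="$4"
  auth=$(docker_auth "$token")
  cfg=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$auth" \
        | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: $name
  namespace: $ns
data:
  .dockerconfigjson: $cfg
EOF
}

# Post-renewal check: decode a rendered manifest back to the registry it
# authenticates against (handy to log from the cron job, token never printed).
manifest_registry() {
  printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d \
    | sed 's/.*"auths":{"\([^"]*\)".*/\1/'
}

# Live renewal; needs aws and kubectl. The token only ever travels through
# shell builtins and pipes, so it does not show up in another process's
# argument list the way --docker-password=$PASS does.
renew() {
  registry=$(ecr_registry "$AWS_ACCOUNT_ID" "$AWS_REGION")
  token=$(aws ecr get-login-password --region "$AWS_REGION")
  render_secret "$registry" "$token" "$SECRET_NAME" "$NAMESPACE" \
    | kubectl apply -f -
}

# Run the real thing only when asked, e.g. from cron every 6-8 hours:
#   RENEW_ECR_SECRET=1 AWS_ACCOUNT_ID=... NAMESPACE=collect ./renew-ecr.sh
if [ -n "${RENEW_ECR_SECRET:-}" ]; then
  renew
fi
```

Schedule it well inside the 12-hour token lifetime (every 6 to 8 hours leaves room for a failed run), and because `kubectl apply` updates the existing object, a pod that starts to pull while the job is running still finds a secret, old or new, instead of none.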

There is this small tool called k8s-ecr-login-renew that does exactly what you need.

BogdanL
  • It is not working; I tried doing it, and the image is not getting pulled. Do you have anything to reference? I also have a question: I am running this in Rancher, is it different? – sks123245 Aug 14 '20 at 19:45