Refreshing the token for an AWS ECR registry

Question    Votes: 0    Answers: 1

I have a Helm chart that deploys a Docker image. I configure the secret in Kubernetes as follows:

apt-get install docker

sudo apt-get install python python3-pip

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

root@node1:~# cd .docker
root@node1:~/.docker# ls
root@node1:~/.docker# cat config.json

kubectl create secret generic regcred \
--from-file=.dockerconfigjson=/root/.docker/config.json \
--type=kubernetes.io/dockerconfigjson

In my Helm chart I put:

imagePullSecrets:
  - name: regcred

When I deploy the Helm chart it works fine, but after about 24 hours I get:

Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  91s                default-scheduler  Successfully assigned default/mockup-6c5cfb4677-qztdv to node2
  Normal   BackOff    24s (x5 over 90s)  kubelet            Back-off pulling image "381491899314.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1"
  Warning  Failed     24s (x5 over 90s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    11s (x4 over 91s)  kubelet            Pulling image "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1"
  Warning  Failed     11s (x4 over 90s)  kubelet            Failed to pull image "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1": failed to pull and unpack image "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1": failed to resolve reference "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1": unexpected status from HEAD request to https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/mockup/manifests/0.0.1: 403 Forbidden
  Warning  Failed     11s (x4 over 90s)  kubelet            Error: ErrImagePull
root@node1:~#

The token seems to have expired. How can I create a permanent token? Is there a solution to this problem?

amazon-web-services kubernetes-helm amazon-ecr
1 Answer

0 votes

The documentation says:

Authorization tokens are valid for 12 hours.

The command offers no option to extend the token's lifetime, so I don't think that is possible.

To keep the token valid, I suggest creating a cron job that runs every 10-11 hours:

# Preparation: credentials for the job, a service account, and RBAC that lets the service
# account touch only the pull secret (without it, kubectl inside the job is refused with 403)
kubectl create secret generic aws-credentials --from-env-file=<file path>
# the env file has to define AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_ACCOUNT_ID and REGION
kubectl -n default create sa secrets-manager

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pull-secret-writer
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]              # create cannot be limited by resourceNames
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["regcred"]     # everything else is limited to the one pull secret
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pull-secret-writer
  namespace: default
subjects:
  - kind: ServiceAccount
    name: secrets-manager
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pull-secret-writer
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: refresh-aws-secret
  namespace: default
spec:
  schedule: "0 */11 * * *" # minute 0 of hours 0, 11 and 22, so consecutive runs are at most 11 hours apart
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          serviceAccountName: secrets-manager
          containers:
            - name: refresh-aws-secret
              image: <any public image with aws-cli and kubectl>
              imagePullPolicy: IfNotPresent
              env:
                - name: SECRET_NAME
                  value: regcred   # must match the name under imagePullSecrets in the chart
              envFrom:
                - secretRef:
                    name: aws-credentials
              command:
                - /bin/sh
                - -c
                - |-
                  set -eu
                  # fetch the token first: if the AWS call fails, the existing secret is left untouched
                  PASSWORD=$(aws ecr get-login-password --region "${REGION}")
                  # render and apply, replacing the token in place; delete-then-create would leave
                  # a window in which a newly scheduled pod finds no pull secret at all
                  kubectl create secret docker-registry "${SECRET_NAME}" \
                    --docker-server="${AWS_ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com" \
                    --docker-username=AWS \
                    --docker-password="${PASSWORD}" \
                    --dry-run=client -o yaml | kubectl apply -f -

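The job above refreshes the secret with kubectl. The following Python script is an added example, not part of the original question or answer, that shows what that secret actually contains and how to replace it safely: it derives the password from a GetAuthorizationToken value the same way `aws ecr get-login-password` does, builds a `kubernetes.io/dockerconfigjson` Secret manifest that can be piped into `kubectl apply -f -`, checks that an existing secret's `auth` field agrees with its username and password, and decides when a token is close to its documented 12-hour expiry. The account id, token and timestamps are constructed, and the annotation key is hypothetical.

```python
"""Shape, verify and age-check an ECR image pull secret.
Added example, not from the original post or answer; runs offline on constructed data."""
import base64
import json
from datetime import datetime, timedelta, timezone

# Documented validity of an ECR authorization token.
ECR_TOKEN_TTL = timedelta(hours=12)


def password_from_authorization_token(token_b64: str) -> str:
    """What `aws ecr get-login-password` does: decode the GetAuthorizationToken value
    (base64 of "AWS:<password>") and return only the password part."""
    user, _, password = base64.b64decode(token_b64).decode().partition(":")
    if user != "AWS" or not password:
        raise ValueError("not an ECR authorization token")
    return password


def build_dockerconfigjson(registry: str, password: str, username: str = "AWS") -> str:
    """The .dockerconfigjson payload the kubelet reads: one entry per registry host,
    with auth = base64("user:password"), the field clients actually use when pulling."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return json.dumps(config, separators=(",", ":"))


def build_pull_secret(name: str, namespace: str, registry: str, password: str,
                      refreshed_at: datetime) -> dict:
    """A Secret manifest for `kubectl apply -f -`, so a refresh replaces the token in place
    instead of delete-then-create, which leaves a window with no secret at all."""
    payload = build_dockerconfigjson(registry, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # Hypothetical annotation so the token's age can be audited later.
            "annotations": {"example.invalid/ecr-token-refreshed-at": refreshed_at.isoformat()},
        },
        "data": {".dockerconfigjson": base64.b64encode(payload.encode()).decode()},
    }


def registries_in_secret(secret: dict) -> dict:
    """Decode an existing pull secret into {registry: username}, rejecting entries whose
    auth field disagrees with username/password (a common hand-editing mistake)."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    auths = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]
    result = {}
    for registry, entry in auths.items():
        expected = base64.b64encode(f"{entry['username']}:{entry['password']}".encode()).decode()
        if entry.get("auth") != expected:
            raise ValueError(f"auth field does not match credentials for {registry}")
        result[registry] = entry["username"]
    return result


def needs_refresh(refreshed_at: datetime, now: datetime,
                  margin: timedelta = timedelta(hours=1)) -> bool:
    """True once the token is within `margin` of its 12-hour expiry, or already past it."""
    return now >= refreshed_at + ECR_TOKEN_TTL - margin


def demo() -> dict:
    """Round trip on constructed data; returns the results rather than only printing them."""
    registry = "123456789.dkr.ecr.us-east-1.amazonaws.com"            # constructed account id
    fake_token = base64.b64encode(b"AWS:constructed-ecr-password").decode()  # constructed token
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    secret = build_pull_secret("regcred", "default", registry,
                               password_from_authorization_token(fake_token), t0)
    # A secret whose auth field was hand-edited: password is "x" but auth encodes "AWS:y".
    bad = dict(secret, data={".dockerconfigjson": base64.b64encode(
        b'{"auths":{"r":{"username":"AWS","password":"x","auth":"QVdTOnk="}}}').decode()})
    try:
        registries_in_secret(bad)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "manifest": secret,
        "registries": registries_in_secret(secret),
        "fresh_at_10h": needs_refresh(t0, t0 + timedelta(hours=10)),  # False
        "stale_at_11h": needs_refresh(t0, t0 + timedelta(hours=11)),  # True
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["manifest"], indent=2))  # pipe this into `kubectl apply -f -`
    print(out["registries"], out["fresh_at_10h"], out["stale_at_11h"], out["tamper_detected"])
```

The kubelet only reads the pull secret when it pulls, so pods that are already running keep running after the token expires; only new pulls (a rescheduled pod, a new node, a rollout) fail with 403, which is why the failure in the question surfaced well after the 12-hour mark rather than exactly at it.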
© www.soinside.com 2019 - 2024. All rights reserved.