我在设置具有ECR访问权限的Spinnaker时遇到问题。
背景:我使用头盔在EKS集群上安装了大三角帆,并且已经确认该集群具有必要的ECR权限(通过从clouddriver pod内手动运行ECR命令)。我正在按照此处的说明设置Spinnaker + ECR:https://www.spinnaker.io/setup/install/providers/docker-registry/
问题:运行时:
hal config provider docker-registry account add my-ecr-registry \
--address $ADDRESS \
--username AWS \
--password-command "aws --region us-west-2 ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | sed 's/^AWS://'"
我得到以下输出:
+ Get current deployment
Success
- Add the some-ecr-registry account
Failure
Problems in default.provider.dockerRegistry.some-ecr-registry:
- WARNING Resolved Password was empty, missing dependencies for
running password command?
- WARNING You have a supplied a username but no password.
! ERROR Unable to fetch tags from the docker repository: code, 400
Bad Request
? Can the provided user access this repository?
- WARNING None of your supplied repositories contain any tags.
Spinnaker will not be able to deploy any docker images.
? Push some images to your registry.
Problems in halconfig:
- WARNING There is a newer version of Halyard available (1.28.0),
please update when possible
? Run 'sudo apt-get update && sudo apt-get install
spinnaker-halyard -y' to upgrade
- Failed to add account some-ecr-registry for provider
dockerRegistry.
run hal config provider docker-registry account add my-ecr-registry --address $ADDRESS --username AWS --password-command "echo $MANUALLY_GENERATED_TOKEN"
,一切正常。因此,密码命令有一些特定的地方出错了,我不确定如何调试它。 hal config provider docker-registry account add some-ecr-registry --address $ADDRESS --username AWS --repositories code --password-command "aws --region us-west-2 ecr get-authorization-token"
,则会得到一条额外的输出,内容为"- WARNING Password command returned non 0 return code stderr/stdout was:bash: aws: command not found"
。仅针对此简化命令显示此输出。关于如何调试此问题的任何建议将不胜感激。
我还在AKS上安装了Spinnaker,而我所做的全部是通过使用具有对ECR正确的AWS IAM策略的AWS管理用户:*我可以直接访问ECR存储库。我不认为基于Java的hal
将在--password-command
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:*", "cloudformation:*", "ecr:*" ], "Resource": [ "*" ] }, { "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1", "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2", "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3" ], "Effect": "Allow" } ] }