Spin naker + ECR访问

问题描述 投票:0回答:1

我在设置具有ECR访问权限的Spinnaker时遇到问题。

背景:我使用头盔在EKS集群上安装了大三角帆,并且已经确认该集群具有必要的ECR权限(通过从clouddriver pod内手动运行ECR命令)。我正在按照此处的说明设置Spinnaker + ECR:https://www.spinnaker.io/setup/install/providers/docker-registry/

问题:运行时:

hal config provider docker-registry account add my-ecr-registry \
--address $ADDRESS \
--username AWS \
--password-command "aws --region us-west-2 ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | sed 's/^AWS://'"

我得到以下输出:

+ Get current deployment
  Success
- Add the some-ecr-registry account
  Failure
Problems in default.provider.dockerRegistry.some-ecr-registry:
- WARNING Resolved Password was empty, missing dependencies for
  running password command?
- WARNING You have a supplied a username but no password.
! ERROR Unable to fetch tags from the docker repository: code, 400
  Bad Request
? Can the provided user access this repository?
- WARNING None of your supplied repositories contain any tags.
  Spinnaker will not be able to deploy any docker images.
? Push some images to your registry.
Problems in halconfig:
- WARNING There is a newer version of Halyard available (1.28.0),
  please update when possible
? Run 'sudo apt-get update && sudo apt-get install
  spinnaker-halyard -y' to upgrade
- Failed to add account some-ecr-registry for provider
  dockerRegistry.
  • 我已经确认aws-cli已安装在clouddriver pod上。而且我已经确认可以直接从clouddriver pod进行密码命令,并且该命令成功返回了令牌。
  • 我还确认,如果我手动生成ECR令牌并且run hal config provider docker-registry account add my-ecr-registry --address $ADDRESS --username AWS --password-command "echo $MANUALLY_GENERATED_TOKEN",一切正常。因此,密码命令有一些特定的地方出错了,我不确定如何调试它。
  • 另一个奇怪的行为:如果我将password命令简化为:hal config provider docker-registry account add some-ecr-registry --address $ADDRESS --username AWS --repositories code --password-command "aws --region us-west-2 ecr get-authorization-token",则会得到一条额外的输出,内容为"- WARNING Password command returned non 0 return code stderr/stdout was:bash: aws: command not found"。仅针对此简化命令显示此输出。

关于如何调试此问题的任何建议将不胜感激。

amazon-web-services kubernetes spinnaker ecr
1个回答
0
投票

我还在AKS上安装了Spinnaker,而我所做的全部是通过使用具有对ECR正确的AWS IAM策略的AWS管理用户:*我可以直接访问ECR存储库。我不认为基于Java的hal将在--password-command

中执行Bash命令
  • 在大三角帆部署中设置AWS ECS provider
  • 使用将以下AWS IAM策略(SpinnakerManagingPolicy)附加到AWS MAnaging用户以授予对ECR的访问权限。请根据您的需要替换AWS账户。
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "cloudformation:*",
                "ecr:*"                
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1",
                "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2",
                "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3"
            ],
            "Effect": "Allow"
        }
    ]
}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.