Open jwitko opened 1 year ago
This sounds completely doable... however, I wonder if it's really that relevant to this particular tool.
The reason I ask is that the idea behind this tool is to make accessing ECR easy from non-AWS Kubernetes clusters. If you're running in EKS, don't you have better ways to get access to ECR? (do you even need to use k8s-ecr-login-renew
?)
If you're running in EKS
Not running in EKS. Using a hybrid infrastructure with kubernetes running in an on-premise datacenter but leveraging the aws-pod-identity-webhook
to provide iRSA capabilities to the service accounts within the on-premise cluster.
Silly question, but have you tried using this tool without providing the environment variables? I'm using NewSession()
to generate credentials, so it's already not hard-coded to only use environment variables.
Yes an up to date version of the standard SDK credentials chain would definitely support iRSA through the instancePrincipals
method. However the issue is your helm chart https://github.com/nabsul/k8s-ecr-login-renew/blob/main/chart/templates/005-CronJob.yaml#L48-L54
I did not make an attempt to modify and use a local version of your helm chart
I think I can make a fairly safe tweak to the chart to allow you to test this: https://github.com/nabsul/k8s-ecr-login-renew/pull/53/files
helm chart is published.
Actually, you might also want to change the docker image to the latest one here: https://hub.docker.com/layers/nabsul/k8s-ecr-login-renew/sha-adba342/images/sha256-b55d183b333eeebaff8affdb446601b63d7c76829974f0ee487aab2a843b35db?context=explore
It has all the latest dependency updates. I'm not sure if the current official version has a new enough AWS SDK.
The downside of this image is that I haven't tested it yet. There could be a bug, especially around the namespace detection logic 🤷
I think that we need to add annotation in serviceaccount. It is needed for IRSA.
Is there any chance you could implement the ability for this app/chart to have the ability to leverage the aws-pod-identity-webhook which implements iRSA ? It should be pretty straight forward if you're using a relatively modern AWS SDK version. You would also have to remove the hard requirements for the AWS credential env vars.
This would get us the ability to have dynamic ecr credentials and not have to store AWS user credentials in the cluster. It would be a huge win and even better than the new kubernetes native image credential helper which requires AWS credentials on the nodes.