upmc-enterprises / registry-creds

Allow for AWS ECR, Google Registry, & Azure Container Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets

"aws-secret-name" value only set to default #99

Closed irmiller22 closed 3 years ago

irmiller22 commented 3 years ago

I tried setting up my deployment.yaml configuration to set the aws-secret-name value, but the secret is always set to the default value awsecr-cred despite aws-secret-name being set.

The deployment.yaml file looks like the following:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ecr-pull-secret
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      name: ecr-pull-secret
  template:
    metadata:
      labels:
        name: ecr-pull-secret
    spec:
      containers:
      - image: upmcenterprises/registry-creds:1.10
        name: ecr-pull-secret
        imagePullPolicy: Always
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: kube-system-ecr-pull-secret
                key: AWS_ACCESS_KEY_ID
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: kube-system-ecr-pull-secret
                key: AWS_SECRET_ACCESS_KEY
          - name: awsaccount
            valueFrom:
              secretKeyRef:
                name: kube-system-ecr-pull-secret
                key: aws-account
          - name: awsregion
            valueFrom:
              secretKeyRef:
                name: kube-system-ecr-pull-secret
                key: aws-region
          - name: awssecretname
            valueFrom:
              secretKeyRef:
                name: kube-system-ecr-pull-secret
                key: aws-secret-name

My secrets file looks like the following:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: kube-system-ecr-pull-secret
  namespace: kube-system
spec:
  encryptedData:
    AWS_ACCESS_KEY_ID: <sealed_secret>
    AWS_SECRET_ACCESS_KEY: <sealed_secret>
    aws-account: <sealed_secret>
    aws-region: <sealed_secret>
    aws-secret-name: <sealed_secret>
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ecr-pull-secret
        cloud: ecr
      name: kube-system-ecr-pull-secret
      namespace: kube-system
    type: Opaque

The other variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, aws-account, aws-region) are recognized, but aws-secret-name isn't.

Here's the log output after deployment:

time="2021-03-12T22:50:47Z" level=info msg="Got 4 refreshed credentials for namespace default"
time="2021-03-12T22:50:47Z" level=info msg="Processing secret for namespace default, secret gcr-secret"
time="2021-03-12T22:50:47Z" level=info msg="Updated secret gcr-secret in namespace default" function=processNamespace
time="2021-03-12T22:50:47Z" level=info msg="Updating ServiceAccount default in namespace default" function=processNamespace
time="2021-03-12T22:50:47Z" level=info msg="Finished processing secret for namespace default, secret gcr-secret"
time="2021-03-12T22:50:47Z" level=info msg="Processing secret for namespace default, secret awsecr-cred"
time="2021-03-12T22:50:47Z" level=info msg="Updated secret awsecr-cred in namespace default" function=processNamespace
time="2021-03-12T22:50:47Z" level=info msg="Updating ServiceAccount default in namespace default" function=processNamespace
time="2021-03-12T22:50:47Z" level=info msg="Finished processing secret for namespace default, secret awsecr-cred"
time="2021-03-12T22:50:47Z" level=info msg="Processing secret for namespace default, secret dpr-secret"
time="2021-03-12T22:50:47Z" level=info msg="Updated secret dpr-secret in namespace default" function=processNamespace

ianmiller@ianmiller ../seismic/infra OPS-5386-ecr-pull-secrets ❯ kubectl get secrets
NAME                  TYPE                                  DATA   AGE
acr-secret            kubernetes.io/dockerconfigjson        1      12m
awsecr-cred           kubernetes.io/dockerconfigjson        1      12m
default-token-pz8s9   kubernetes.io/service-account-token   3      15m
devolate-tls          kubernetes.io/tls                     2      15m
dpr-secret            kubernetes.io/dockerconfigjson        1      12m
gcr-secret            Opaque                                0      12m

antonblr commented 3 years ago

@irmiller22 - I think this is meant to be passed as a flag only, e.g. I've updated the config with:

...
- image: upmcenterprises/registry-creds:1.10
  args:
    - --aws-secret-name
    - my-aws-creds-secret
...

... and I see my-aws-creds-secret gets created.

time="2021-08-10T22:38:03Z" level=info msg="Created new secret my-aws-creds-secret in namespace default" function=processNamespace
time="2021-08-10T22:38:03Z" level=info msg="Updating ServiceAccount default in namespace default" function=processNamespace
time="2021-08-10T22:38:03Z" level=info msg="Finished processing secret for namespace default, secret my-aws-creds-secret"
$ kubectl get secrets 

NAME                       TYPE                                  DATA   AGE
acr-secret                 kubernetes.io/dockerconfigjson        1      71s
dpr-secret                 kubernetes.io/dockerconfigjson        1      72s
my-aws-creds-secret        kubernetes.io/dockerconfigjson        1      72s
...
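The behaviour shown in this reply (the controller takes the secret name from the "--aws-secret-name" flag in args, while the "awssecretname" env var from the issue's Deployment has no effect), as an added example that is not part of the registry-creds project: a small Python lint over a container spec, held as a plain dict of the kind a YAML loader would produce, that reports which secret name the controller will create and flags the ineffective env var before the Deployment is applied. The "--aws-secret-name=<name>" form and the extra env-var spellings it flags besides "awssecretname" are assumptions of this example, not something the page shows.

```python
# Added example, not code from the registry-creds project: lint a registry-creds
# container spec for how the AWS pull-secret name is configured. The spec is a
# plain dict (what yaml.safe_load would return), so no YAML library is needed.

DEFAULT_AWS_SECRET_NAME = "awsecr-cred"   # default name seen in the issue's logs
FLAG = "--aws-secret-name"                # flag used in the working config above

# Env var names that look like an attempt to set the secret name but are not
# read by the controller. "awssecretname" is the one from the issue; the other
# spellings are assumed variants added for the lint, not taken from the page.
INEFFECTIVE_ENV_NAMES = {"awssecretname", "aws-secret-name", "AWS_SECRET_NAME"}


def effective_aws_secret_name(container):
    """Return the secret name registry-creds will create for this container spec.

    Only the --aws-secret-name flag in `args` counts. The "--flag value" form is
    the one shown in the thread; the "--flag=value" form is assumed to be
    accepted as well (Go's flag package handles both).
    """
    args = container.get("args") or []
    for i, arg in enumerate(args):
        if arg == FLAG and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(FLAG + "="):
            return arg[len(FLAG) + 1:]
    return DEFAULT_AWS_SECRET_NAME


def lint_aws_secret_config(container):
    """Return a list of findings (empty when the name is set via the flag)."""
    findings = []
    env_names = {e.get("name", "") for e in container.get("env") or []}
    ineffective = sorted(env_names & INEFFECTIVE_ENV_NAMES)
    if ineffective:
        findings.append(
            f"env var(s) {ineffective} do not set the AWS secret name; "
            f"pass it as '{FLAG} <name>' in args instead"
        )
    if effective_aws_secret_name(container) == DEFAULT_AWS_SECRET_NAME:
        findings.append(
            f"no {FLAG} arg: the secret will be created as "
            f"'{DEFAULT_AWS_SECRET_NAME}' in every processed namespace"
        )
    return findings


# Constructed container specs mirroring the two configurations in this thread
# (the secretKeyRef bodies are shortened; only the env names matter here).
ISSUE_CONTAINER = {
    "image": "upmcenterprises/registry-creds:1.10",
    "name": "ecr-pull-secret",
    "env": [
        {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef": {}}},
        {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef": {}}},
        {"name": "awsaccount", "valueFrom": {"secretKeyRef": {}}},
        {"name": "awsregion", "valueFrom": {"secretKeyRef": {}}},
        {"name": "awssecretname", "valueFrom": {"secretKeyRef": {}}},
    ],
}

FIXED_CONTAINER = {
    "image": "upmcenterprises/registry-creds:1.10",
    "name": "ecr-pull-secret",
    "args": ["--aws-secret-name", "my-aws-creds-secret"],
}

if __name__ == "__main__":
    for label, spec in (("issue", ISSUE_CONTAINER), ("fixed", FIXED_CONTAINER)):
        print(f"{label}: secret name -> {effective_aws_secret_name(spec)}")
        for finding in lint_aws_secret_config(spec):
            print(f"  - {finding}")
```

Running the lint against the issue's spec reports both the ignored env var and the fall-back to awsecr-cred; against the corrected spec it reports nothing and resolves to my-aws-creds-secret, which is the name Pods and ServiceAccounts in the cluster must reference under imagePullSecrets.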

irmiller22 commented 3 years ago

@antonblr ah, good catch. Thanks for correcting me. I'll close the issue now.