Elaborate on how to enable autologin for ECR #193
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -61,7 +61,7 @@ type ImageRepositorySpec struct { | |
| ``` | ||
|
|
||
| The `Suspend` field can be set to `true` to stop the controller scanning the image repository | ||
| specified; remove the field value or set it to `false` to resume scanning. | ||
|
|
||
| ### Authentication | ||
|
|
||
|
|
@@ -77,9 +77,40 @@ For a publicly accessible image repository, you will not need to provide a `secr | |
|
|
||
| When running in [<abbr title="Elastic Kubernetes Service">EKS</abbr>][EKS] and using [<abbr | ||
| title="Elastic Container Registry">ECR</abbr>][ECR] to store images, you should be able to rely on | ||
| the controller retrieving credentials automatically. | ||
|
|
||
| The `image-reflector-controller` must be run with the flag `--aws-autologin-for-ecr` set for this to work. | ||
|
|
||
| This flag can be added by including a patch in the `kustomization.yaml` overlay file in your `flux-system`, | ||
| similar to the process described in [customize Flux manifests][]: | ||
|
|
||
| ``` | ||
| patches: | ||
| - target: | ||
| version: v1 | ||
| group: apps | ||
| kind: Deployment | ||
| name: image-reflector-controller | ||
| namespace: flux-system | ||
| patch: |- | ||
| - op: add | ||
| path: /spec/template/spec/containers/0/args/- | ||
| value: --aws-autologin-for-ecr | ||
| ``` | ||
|
|
||
| Alternatively, the advice under [Other platforms][other platforms] below will also work for ECR. | ||
|
|
||
| > You need to upgrade to Flux version 2 release [v0.19][Flux v0.19.0] that contains the image-reflector-controller release [v0.13.0][image-reflector-controller v0.13.0]. | ||
|
|
||
| > [**Release date**: 2021-10-19][image-reflector-controller v0.13.0] | ||
| > | ||
| > This prerelease adds experimental support for automatically getting | ||
| credentials from AWS when scanning an image in [Elastic Container Registry | ||
| (ECR)][ECR]. | ||
| > | ||
| > Improvements: | ||
| > * Get credentials from AWS ECR when needed | ||
| > [#174][image-reflector-controller#174] | ||
|
|
||
| #### Other platforms | ||
|
|
||
|
|
@@ -190,7 +221,7 @@ type ImageRepositoryStatus struct { | |
| // +optional | ||
| ObservedGeneration int64 `json:"observedGeneration,omitempty"` | ||
|
|
||
| // CanonicalImageName is the name of the image repository with all the | ||
|
There was a problem hiding this comment. This section is taken from https://github.com/fluxcd/image-reflector-controller/blob/main/api/v1beta1/imagerepository_types.go#L99 which also has this incorrect name. Can you update that as well and run There was a problem hiding this comment. It looks like this has been taken care of. I found another CannonicalName in the docs and updated it there 👍 |
||
| // implied bits made explicit; e.g., `docker.io/library/alpine` | ||
| // rather than `alpine`. | ||
| // +optional | ||
|
|
@@ -261,3 +292,8 @@ and reference it under `secretRef`. | |
| [sops-guide]: https://toolkit.fluxcd.io/guides/mozilla-sops/ | ||
| [EKS]: https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html | ||
| [ECR]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html | ||
| [customize Flux manifests]: https://fluxcd.io/docs/installation/#customize-flux-manifests | ||
| [other platforms]: https://fluxcd.io/docs/components/image/imagerepositories/#other-platforms | ||
| [Flux v0.19.0]: https://github.com/fluxcd/flux2/releases/tag/v0.19.0 | ||
| [image-reflector-controller v0.13.0]: https://github.com/fluxcd/image-reflector-controller/blob/main/CHANGELOG.md#0130 | ||
| [image-reflector-controller#174]: https://github.com/fluxcd/image-reflector-controller/pull/174 | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
API specs usually don't contain changelogs, what's the reason we add these here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As an experimental feature, I wanted to call out the release version that these docs applied to so that it is clear enough what needs to be updated when changes inevitably happen. (Also, it was a suggestion from @lloydchang)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose the right place for this documentation might actually be here. This section should be updated anyway since it's likely a lot of folks will prefer this method of authentication over the CronJob approach.