diff --git a/README.md b/README.md index 98fe661..8718c78 100644 --- a/README.md +++ b/README.md 
@@ -16,24 +16,91 @@ From an operational perspective: ## Quick Start +You'll need a credentials that can assume a role with the following policy. Note, you can substitute `*` with the ARN of the repository if you want to limit the role to a specific repository. For multiple specific repos, use add more statement with different ARNs. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ], + "Resource": "*" + } + ] +} +``` + + Setup your values.yaml for the helm chart. Specifically include the AWS credentials using the standard AWS SDK environment variables. The easiest way to issue long lived AWS credentials, the most secure way is to use [AWS OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) with [Spiffe](https://spiffe.io/). The best reference for AWS SDK environment variables seems to be in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html). 
-```yaml +```yaml pod: container: env: + # How you authenticate to AWS is up to you, see AWS CLI documentation for more options - name: AWS_ACCESS_KEY_ID value: "EXAMPLE" - name: AWS_SECRET_ACCESS_KEY value: "EXAMPLE" + + # Recommended that you assume a role with the policy above + - name: AWS_ROLE_ARN + value: "ARN of role with ECR permissions" + + # Important, this must match the region in the image name(s) - name: AWS_REGION - #important, this must match the region in the image name value: "us-east-1" + + + ``` ```sh -helm install ecr-anywhere ./charts/ecr-anywhere -f values.yaml +helm repo add ecr-anywhere https://centml.github.io/ecr-anywhere +helm repo update +helm install ecr-anywhere ecr-anywhere/ecr-anywhere -f values.yaml ``` +Once deployed, you can test it by creating a namespace with the label `ecr-anywhere.centml.ai/namespace: "enabled"`, then a secret of type `kubernetes.io/dockerconfigjson` with the label `ecr-anywhere.centml.ai/managed: "true"`. It doesn't matter what the secret contains, the mutating webhook will overwrite it with fresh ECR credentials. + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: test + labels: + ecr-anywhere.centml.ai/namespace: "enabled" +--- +apiVersion: v1 +kind: Secret +metadata: + name: ecr-secret + namespace: test + labels: + ecr-anywhere.centml.ai/managed: "true" +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: "FAKE" +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + namespace: test + labels: + app: test +spec: + containers: + - name: test-container + image: 544849402588.dkr.ecr.us-east-1.amazonaws.com/test:923442bcd004d94c1f7447e1ae14f36d39d77b0e + imagePullSecrets: + - name: ecr-secret +```yaml diff --git a/charts/ecr-anywhere/values.yaml b/charts/ecr-anywhere/values.yaml index 90b1712..893b916 100644 --- a/charts/ecr-anywhere/values.yaml +++ b/charts/ecr-anywhere/values.yaml 
@@ -20,7 +20,6 @@ mutatingWebhookConfiguration: annotations: {} image: - # TODO Temporary personal repo repository: ghcr.io/centml/ecr-anywhere tag: v1.0.0 imagePullPolicy: Always diff --git a/pkg/credentials/credentials.go b/pkg/credentials/credentials.go index cdd8047..1fca9b9 100644 --- a/pkg/credentials/credentials.go +++ b/pkg/credentials/credentials.go @@ -76,7 +76,7 @@ func NewECRCredentialInjector(ecrClient ECRClient, loggers *loggers.Loggers) Cre } } -// InjectionPermitted determines whether a mutation is required for the specified pod and if so +// InjectionPermitted determines whether a mutation is required for the specified secret and if so // which mutation to use func (ic *ecrCredentialInjector) InjectionPermitted(ignoredList []string, metadata *metav1.ObjectMeta) bool { // skip special kubernete system namespaces
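Review bot: The Quick Start test manifest added to README.md is closed with ```yaml instead of a bare ```, so in rendered Markdown it opens a second fenced block and swallows everything after it; change the trailing fence to ```. In the same hunk, the IAM note says `*` can be replaced with a repository ARN, but `ecr:GetAuthorizationToken` does not support resource-level permissions and must keep `"Resource": "*"`; split the policy into one statement for `ecr:GetAuthorizationToken` on `*` and a second statement for `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage` and `ecr:BatchCheckLayerAvailability` scoped to the repository ARN(s). The values.yaml snippet also puts `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` as literal `value:` entries; consider showing `valueFrom.secretKeyRef` instead so readers do not commit static keys into a values file, and please confirm that setting `AWS_ROLE_ARN` alongside static keys actually triggers role assumption in the SDK (it is normally paired with `AWS_WEB_IDENTITY_TOKEN_FILE`). Minor wording: "You'll need a credentials" should be "You'll need credentials", "use add more statement" should be "add more statements", the sentence "The easiest way to issue long lived AWS credentials, the most secure way is to use AWS OIDC" is missing its first clause, and the sample image reference embeds a concrete account ID (544849402588) that should be a placeholder such as `<account-id>`.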
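Review bot: While correcting the InjectionPermitted doc comment in pkg/credentials/credentials.go, also fix the typo on the following context line, `// skip special kubernete system namespaces` (kubernete → kubernetes), so the comment block is consistent.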