improve documentation

README.md

@@ -16,24 +16,91 @@ From an operational perspective:
 
 ## Quick Start
 
+You'll need a credentials that can assume a role with the following policy. Note, you can substitute `*` with the ARN of the repository if you want to limit the role to a specific repository. For multiple specific repos, use add more statement with different ARNs.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetAuthorizationToken",
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:BatchGetImage",
+                "ecr:BatchCheckLayerAvailability"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+
 Setup your values.yaml for the helm chart. Specifically include the AWS credentials using the standard AWS SDK environment variables. The easiest way to issue long lived AWS credentials, the most secure way is to use [AWS OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) with [Spiffe](https://spiffe.io/). The best reference for AWS SDK environment variables seems to be in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html).  
 
-```yaml
 
+```yaml
 pod:
   container:
     env:
+        # How you authenticate to AWS is up to you, see AWS CLI documentation for more options
         - name: AWS_ACCESS_KEY_ID
           value: "EXAMPLE"
         - name: AWS_SECRET_ACCESS_KEY
           value: "EXAMPLE"
+
+        # Recommended that you assume a role with the policy above 
+        - name: AWS_ROLE_ARN
+          value: "ARN of role with ECR permissions"
+
+        # Important, this must match the region in the image name(s)
         - name: AWS_REGION
-          #important, this must match the region in the image name
           value: "us-east-1" 
+
+
+
 ```
 
 
 ```sh
-helm install ecr-anywhere ./charts/ecr-anywhere -f values.yaml
+helm repo add ecr-anywhere https://centml.github.io/ecr-anywhere
+helm repo update
+helm install ecr-anywhere ecr-anywhere/ecr-anywhere -f values.yaml
 ```
 
+Once deployed, you can test it by creating a namespace with the label `ecr-anywhere.centml.ai/namespace: "enabled"`, then a secret of type `kubernetes.io/dockerconfigjson` with the label `ecr-anywhere.centml.ai/managed: "true"`. It doesn't matter what the secret contains, the mutating webhook will overwrite it with fresh ECR credentials. 
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test
+  labels:
+    ecr-anywhere.centml.ai/namespace: "enabled"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ecr-secret
+  namespace: test
+  labels:
+    ecr-anywhere.centml.ai/managed: "true"
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: "FAKE"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: test
+  labels:
+    app: test
+spec:
+  containers:
+  - name: test-container
+    image: 544849402588.dkr.ecr.us-east-1.amazonaws.com/test:923442bcd004d94c1f7447e1ae14f36d39d77b0e
+  imagePullSecrets:
+  - name: ecr-secret
+```yaml

charts/ecr-anywhere/values.yaml

@@ -20,7 +20,6 @@ mutatingWebhookConfiguration:
   annotations: {}
 
 image:
-  # TODO Temporary personal repo
   repository: ghcr.io/centml/ecr-anywhere
   tag: v1.0.0
   imagePullPolicy: Always

pkg/credentials/credentials.go

@@ -76,7 +76,7 @@ func NewECRCredentialInjector(ecrClient ECRClient, loggers *loggers.Loggers) Cre
 	}
 }
 
-// InjectionPermitted determines whether a mutation is required for the specified pod and if so
+// InjectionPermitted determines whether a mutation is required for the specified secret and if so
 // which mutation to use
 func (ic *ecrCredentialInjector) InjectionPermitted(ignoredList []string, metadata *metav1.ObjectMeta) bool {
 	// skip special kubernete system namespaces