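# Periodically refreshes the `regcred` image-pull secret with a fresh ECR
# login password. `${VAR}` placeholders are filled in by a templating step
# before apply (presumably envsubst - confirm). Because an unrestricted
# substitution would blank any shell variable reference, the embedded script
# deliberately uses no `$VAR` references of its own.
---
# Static AWS credentials consumed by the CronJob below via envFrom.
# These are long-lived keys: keep the IAM policy limited to
# ecr:GetAuthorizationToken plus read-only pull actions on the repositories
# that are actually needed, and rotate them regularly. Where the platform
# offers workload identity (e.g. IAM roles for service accounts), prefer it
# over storing access keys in the cluster.
apiVersion: v1
kind: Secret
metadata:
  name: ecr-login-cred
  namespace: "${NAMESPACE}"
stringData:
  AWS_SECRET_ACCESS_KEY: "${AWS_SECRET_ACCESS_KEY}"
  AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
---
# NOTE: batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 is
# available from 1.21. Switch once the target cluster supports it.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: ecr-login
  namespace: "${NAMESPACE}"
spec:
  # ECR login passwords are valid for 12 hours. Fire once at 00:00, 10:00 and
  # 20:00 so the secret is always refreshed before it expires. The previous
  # value ("* */10 * * *") fired every minute during those three hours,
  # deleting and recreating the pull secret 180 times a day.
  schedule: "0 */10 * * *"
  # Never let two refresh runs race each other on delete/create.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: sa-ecr-login
          containers:
            - name: ecr-login
              image: "${REGISTRY}${IMAGE_NAME}-platform${TAG}"
              imagePullPolicy: IfNotPresent
              env:
                # NOTE(review): presumably an encoded kubeconfig consumed by
                # /init.sh - confirm. If so, it is a cluster credential kept
                # in clear text in the pod spec, readable by anyone who can
                # read this CronJob; consider moving it into the Secret
                # referenced by envFrom.
                - name: KCFG_ENC
                  value: "${KCFG_ENC}"
                - name: AWS_DEFAULT_REGION
                  value: "${AWS_DEFAULT_REGION}"
              envFrom:
                - secretRef:
                    name: ecr-login-cred
              command:
                - /bin/bash
                - -c
                - |-
                  /init.sh
                  # NOTE(review): assigned but not referenced below - confirm it is needed.
                  NAMESPACE_NAME=health-check
                  # Check that ECR login works BEFORE removing the current secret, so a
                  # credential or network failure does not leave the namespace without
                  # a usable pull secret.
                  if ! aws ecr get-login-password > /dev/null; then
                    echo "Could not obtain an ECR login password; regcred left unchanged" >&2
                    exit 1
                  fi
                  kubectl delete secret --ignore-not-found regcred -n ${NAMESPACE}
                  # Fail the Job if the secret cannot be recreated, instead of logging
                  # success unconditionally.
                  kubectl create secret docker-registry regcred \
                    --docker-server=${REGISTRY} \
                    --docker-username=AWS \
                    --docker-password="$(aws ecr get-login-password)" \
                    --namespace=${NAMESPACE} || exit 1
                  echo "Secret was successfully updated on $(date)"
          restartPolicy: Never
---
# Identity the refresh Job runs as; its permissions come from the Role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-ecr-login
  namespace: "${NAMESPACE}"
---
# Despite its name, this Role grants only `delete` on the `regcred` secret and
# `create` on secrets. `create` cannot be narrowed with resourceNames, so the
# ServiceAccount is able to create any Secret in this namespace - keep the
# namespace dedicated to workloads that trust this Job. The name is left
# unchanged because roleRef on an existing RoleBinding is immutable.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: "${NAMESPACE}"
  name: role-full-access-to-secrets
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["regcred"]
    verbs: ["delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
# Binds the Role above to the Job's ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-login-role-binding
  namespace: "${NAMESPACE}"
subjects:
  - kind: ServiceAccount
    name: sa-ecr-login
    namespace: "${NAMESPACE}"
    # Core API group: correct for ServiceAccount subjects.
    apiGroup: ""
roleRef:
  kind: Role
  name: role-full-access-to-secrets
  # Written out explicitly; this is the value the API server defaults an
  # empty roleRef.apiGroup to.
  apiGroup: rbac.authorization.k8s.io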