I use this configuration for a cron job to get a temporary token from AWS ECR:
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ .Values.cronjob.name }}
spec:
  schedule: "0 */6 * * *"
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: grafana
          containers:
            - command:
                - /bin/sh
                - -c
                - |-
                  TOKEN=`aws ecr get-login-password --region ${REGION} | cut -d' ' -f6`
                  kubectl delete secret -n default --ignore-not-found $SECRET_NAME
                  kubectl create secret -n default docker-registry $SECRET_NAME \
                  --docker-server=$ECR_REPOSITORY \
                  --docker-username=AWS \
                  --docker-password=$TOKEN \
                  --namespace=default
                  kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}' -n default
              envFrom:
                - secretRef:
                    name: mockup-secret-env
                - configMapRef:
                    name: application-mockup-configuration-configmap-env
              image: {{ .Values.cronjob.image }}
              imagePullPolicy: IfNotPresent
              name: {{ .Values.cronjob.name }}
          restartPolicy: Never
Is it possible to pull images just with an API key, without the need to generate a temporary token?
These are the possible ways to authenticate to a private registry?
https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
What if we make a request to get a token using the API key each time before we pull an image?
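
An added example, not part of the original post: one way to write the refresh step of the CronJob above so that the pull secret is replaced with a single `kubectl apply` instead of a delete followed by a create, and the token travels through pipes rather than as a `--docker-password` argument. It assumes the same `REGION`, `ECR_REPOSITORY` and `SECRET_NAME` variables as the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Assumes REGION, ECR_REPOSITORY and SECRET_NAME are set as in the CronJob.

# Read an ECR password on stdin and print a .dockerconfigjson document for
# the given registry. The token and hostname need no JSON escaping because
# the token is base64 text and the registry is a plain hostname.
build_dockerconfigjson() {
    registry=$1
    token=$(cat)
    [ -n "$token" ] || { echo "empty ECR token" >&2; return 1; }
    auth=$(printf 'AWS:%s' "$token" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
        "$registry" "$token" "$auth"
}

# Read a .dockerconfigjson document on stdin and print a Secret manifest.
# Prints nothing and fails if the input is empty.
build_secret_manifest() {
    name=$1
    namespace=$2
    data=$(base64 | tr -d '\n')
    [ -n "$data" ] || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# If the token request fails, no manifest reaches kubectl and the
# existing secret is left in place.
refresh_pull_secret() {
    aws ecr get-login-password --region "$REGION" \
        | build_dockerconfigjson "$ECR_REPOSITORY" \
        | build_secret_manifest "$SECRET_NAME" default \
        | kubectl apply -f -
}
```

In the CronJob, the container command would define these functions and then call `refresh_pull_secret`; the `kubectl patch serviceaccount` line from the post stays as it is.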