-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 6bb1f4e
Showing
6 changed files
with
513 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| .venv | ||
| .env | ||
| .idea | ||
| .vscode | ||
| .vs/* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| FROM python:3.9-slim | ||
| LABEL "app"="argocd-ecr-updater" | ||
| ENV PYTHONUNBUFFERED=0 | ||
|
|
||
| WORKDIR /app | ||
|
|
||
| RUN pip install pipenv | ||
|
|
||
|
|
||
| COPY Pipfile* . | ||
| RUN pipenv install --system --deploy | ||
|
|
||
| COPY argocd-ecr-updater.py . | ||
|
|
||
| CMD ["python", "-u", "argocd-ecr-updater.py"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| [[source]] | ||
| url = "https://pypi.org/simple" | ||
| verify_ssl = true | ||
| name = "pypi" | ||
|
|
||
| [packages] | ||
| boto3 = "==1.20.26" | ||
| bottle = "==0.12.19" | ||
| kubernetes = "==21.7.0" | ||
| prometheus-client = "==0.12.0" | ||
| APScheduler = "==3.8.1" | ||
|
|
||
| [dev-packages] | ||
|
|
||
| [requires] | ||
| python_version = "3.9" |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| # ArgoCD-ECR-Updater | ||
|
|
||
| ECR currently requires token authentication | ||
| ArgoCD supports username and password authentication for helm repos but does not have native functionality to refresh tokens | ||
|
|
||
| This image regenerates ECR tokens and updates an ArgoCD manifest with the updated token | ||
|
|
||
| See - https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html | ||
| See - https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html | ||
|
|
||
| ## Configuration | ||
| Create and apply a repository configuration | ||
| ``` | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: YOUR_REPO_SECRET_NAME | ||
| namespace: argocd | ||
| labels: | ||
| argocd.argoproj.io/secret-type: repository | ||
| stringData: | ||
| url: YOUR_AWS_ACCOUNT_ID.dkr.ecr.YOUR_AWS_REGION.amazonaws.com | ||
| name: ecr | ||
| type: helm | ||
| enableOCI: "true" | ||
| username: AWS | ||
| password: TO_BE_AUTOGENERATED_AND_AUTOREFRESHED | ||
| ``` | ||
|
|
||
| ## General parameters | ||
|
|
||
| | ENV VAR | DEFAULT | Description | | ||
| |-----|------|---------|-------------| | ||
| | ARGOCD_REPO_SECRET_NAME | `""` | The name of the argocd repository secret to refresh. Required. | | ||
| | ARGOCD_ECR_UPDATER_SYNC_CRON | `0 */12 * * *` | cron for how often credentials should be refreshed. defaults to every 12 hours. | | ||
| | ARGOCD_ECR_REGISTRY | `None` | Optionally specify a registry ID (ACCOUNT_ID) to use, if not the default registry for the account. Useful for cross account login. | | ||
|
|
||
| ## Monitoring | ||
| `/metrics` endpoint is exposed on port 8080 for external monitoring | ||
|
|
||
| ## AWS Authentication | ||
| Pod-iam is the preferred method, which can be set via the serviceAccount annotations. | ||
| Otherwise (not recommended) aws access keys can be set via volume mounts, environment variables, or external secret refs |
Oops, something went wrong.