{"id":20148268,"url":"https://github.com/chainguard-dev/pull-secret-updater","last_synced_at":"2025-05-06T21:34:32.203Z","repository":{"id":186547657,"uuid":"675329947","full_name":"chainguard-dev/pull-secret-updater","owner":"chainguard-dev","description":null,"archived":true,"fork":false,"pushed_at":"2023-08-08T14:19:04.000Z","size":4792,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-17T15:58:30.334Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-08-06T15:09:06.000Z","updated_at":"2024-09-13T17:07:39.000Z","dependencies_parsed_at":"2023-08-07T21:36:50.003Z","dependency_job_id":null,"html_url":"https://github.com/chainguard-dev/pull-secret-updater","commit_stats":null,"previous_names":["imjasonh/pull-secret-updater","chainguard-dev/pull-secret-updater"],"tags_count":0,"template":false,"template_full_name":"knative-extensions/sample-controller","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpull-secret-updater","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpull-secret-updater/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpull-secret-updater/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpull-secret-updater/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/pull-secret-updater/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252772906,"owners_count":21802013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T22:36:32.951Z","updated_at":"2025-05-06T21:34:31.888Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Chainguard Registry Pull Secret Updater\n\n⚠️**EXPERIMENTAL**⚠️ controller to keep a pull secret updated with short-lived credentials to pull from the [Chainguard Registry](https://edu.chainguard.dev/chainguard/chainguard-images/registry/overview/).\n\nTo use this, you must first create an [assumable identity](https://edu.chainguard.dev/chainguard/chainguard-enforce/iam-groups/assumable-ids/) with permission to pull from the registry.\n\nFor a KinD cluster:\n\n```sh\nchainctl iam identities create kind-pull-secrets \\\n    --issuer-keys=\"$(kubectl get --raw /openid/v1/jwks)\" \\\n    --identity-issuer=https://kubernetes.default.svc.cluster.local \\\n    --subject=system:serviceaccount:pull-secret-updater:controller \\\n    --role=registry.pull\n```\n\nFor a GKE cluster:\n\n```sh\nchainctl iam identities create gke-pull-secrets \\\n    --identity-issuer=\"https://container.googleapis.com/v1/projects/\u003cproject\u003e/locations/\u003clocation\u003e/clusters/\u003ccluster-name\u003e\" \\\n    --subject-pattern=\"system:serviceaccount:pull-secret-updater:controller\" \\\n    --role=registry.pull\n```\n\n**TODO:** EKS, AKS, anything else.\n\nThis command will print the identity's UID, which we'll use to configure the updater.\n\nCreate an empty pull secret in the same namespace as the service account you want to use it with, and annotate it with the identity UID:\n\n```sh\nkubectl create secret generic pull-secret --type=kubernetes.io/dockerconfigjson --from-literal=.dockerconfigjson='{}'\nkubectl annotate secret pull-secret pull-secret-updater.chainguard.dev/identity=\u003cidentity-UID\u003e\n```\n\nAfter creating the empty secret, the controller will update it to contain the short-lived token.\nThe controller will update the token before it expires.\n\n```sh\nkubectl get secret pull-secret -oyaml\n```\n\nNow you can use the pull secret to authorize pulls from cgr.dev, as described in official docs:\n\n```sh\nkubectl create -f - \u003c\u003cEOF\napiVersion: v1\nkind: Pod\nmetadata:\n  generateName: pull-secret-example-\nspec:\n  containers:\n    - name: pull-secret-example\n      image: cgr.dev/chainguard/busybox:latest-glibc\n      command: ['sleep', 'Infinity']\n  imagePullSecrets:\n    - name: pull-secret\nEOF\n```\n\nAs configured by default, the controller has permission to update Secrets named `pull-secret` in every namespace.\nTo use a different name, you must grant `update` access to the controller's service account.\n\n## Motivation\n\nWith traditional registries, to pull an image from a Kubernetes cluster you must create a pull secret with a long-lived credential, for example in the [official Kubernetes docs for pull secrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#log-in-to-docker-hub).\n\nThis means anyone with access to the secret can extract the credential and use it to pull images from the registry, without detection, indefinitely.\n\nIdeally, the token would be short-lived and be automatically refreshed, like you get when you credential helpers like `chainctl auth configure-docker`, but this is typically not easy with image pull secrets on Kubernetes.\n\nThis controller keeps pull secrets updated with freshly minted short-lived tokens, meaning that if the token is extracted from the secret, it's only useful for a short time.\nThe controller updates the token automatically before it expires.\n\nThe token used by this controller can be tied to the cluster, so only _this_ controller running on _this_ cluster can request new tokens for the identity.\n\nYou can also use [Registry pull events](https://edu.chainguard.dev/chainguard/chainguard-enforce/reference/events/#service-registry---pull) to further monitor image pulls for potential abuse.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fpull-secret-updater","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fpull-secret-updater","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fpull-secret-updater/lists"}