{"id":17888109,"url":"https://github.com/fireflycons/ecr-secret-operator","last_synced_at":"2025-04-03T02:42:36.312Z","repository":{"id":220434986,"uuid":"620141194","full_name":"fireflycons/ecr-secret-operator","owner":"fireflycons","description":"Kubernetes operator to manage rotation of AWS ECR authentication secrets","archived":false,"fork":false,"pushed_at":"2023-04-05T05:37:02.000Z","size":101,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-08T16:44:16.949Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fireflycons.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-03-28T05:33:06.000Z","updated_at":"2023-10-20T16:16:12.000Z","dependencies_parsed_at":"2024-02-02T02:49:28.556Z","dependency_job_id":"99905f3d-d35c-4e1f-a0de-d14bcc26572c","html_url":"https://github.com/fireflycons/ecr-secret-operator","commit_stats":null,"previous_names":["fireflycons/ecr-secret-operator"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Fecr-secret-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Fecr-secret-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Fecr-secret-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Fecr-secret-operator/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fireflycons","download_url":"https://codeload.github.com/fireflycons/ecr-secret-operator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246927809,"owners_count":20856193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-28T13:36:34.505Z","updated_at":"2025-04-03T02:42:36.291Z","avatar_url":"https://github.com/fireflycons.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ecr-secret-operator\n\nKubernetes operator to manage rotation of AWS ECR docker-registry secrets\n\n## Description\n\nAWS policy on ECR is that the authentication token, once acquired is valid for 12 hours. This poses problems for clusters that are not AWS aware in that you cannot create an image pull secret for your ECR credential, as it will soon become invalid. This operator solves this problem by managing your ECR image pull secrets, updating them before they expire.\n\n## Custom Resources\n\nThe operator provides a single custom resource which manages the lifetime of ECR image pull secrets.\n\n```yaml\napiVersion: secrets.fireflycons.io/v1beta1\nkind: ECRSecret\nmetadata:\n  name: ecrsecret-sample\nspec:\n  registry: 0123456789012.dkr.ecr.us-east-1.amazonaws.com\n  secretName: my-ecr-secret     # \u003c- Optional\n\n```\n\nWhere\n\n|Property|Required|Description|\n|--------|--------|-----------|\n|`registry`|Yes     | ECR registry to manage secret for |\n|`secretName`|No    | Optional name for generated Kubernetes secret. 
If omitted, secret will be named `\u003cECRSecret.name\u003e-secret` |\n\nWhen a resource of the above type is deployed, the operator will create a Kubernetes secret in the same namespace with a name as defined by the above rules. The auth token in the Kubernetes secret will be rotated at least as frequently as specified by the operator argument `--max-age`.\n\n## Operator Command Line Arguments\n\n```\n  --config-file string\n        The path to the configuration file containing AWS credentials\n  --health-probe-bind-address string\n        The address the probe endpoint binds to. (default \":8081\")\n  --kubeconfig string\n        Paths to a kubeconfig. Only required if out-of-cluster.\n  --leader-elect\n        Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.\n  --max-age duration\n        The maximum age the secret can be before being rotated. (default 8h0m0s)\n  --metrics-bind-address string\n        The address the metric endpoint binds to. (default \":8080\")\n  --zap-devel\n        Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). \n        Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)\n  --zap-encoder value\n        Zap log encoding (one of 'json' or 'console')\n  --zap-log-level value\n        Zap Level to configure the verbosity of logging.\n        Can be one of 'debug', 'info', 'error', or any integer value \u003e 0 which corresponds to custom debug levels of increasing verbosity\n  --zap-stacktrace-level value\n        Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').\n  --zap-time-encoding value\n        Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'). 
Defaults to 'epoch'.\n```\n\n## Installing\n\nA Helm chart is provided in [helmchart/ecr-secret-operator](./helmchart/ecr-secret-operator)\n\n\n### Manager process values\n\n| Key                                                                     | Value                                                |\n|-------------------------------------------------------------------------|------------------------------------------------------|\n| `ecrSecretOperatorControllerManagerDeployment.manager.image.repository` | Image repository.                                    |\n| `ecrSecretOperatorControllerManagerDeployment.manager.image.tag`        | Image tag.                                           |\n| `ecrSecretOperatorControllerManagerDeployment.manager.replicas`         | Number of operator replicas to run.                  |\n| `ecrSecretOperatorControllerManagerDeployment.manager.args`             | List of command line arguments for operator process. |\n\n\n### AWS Account configuration\n\nYou must configure at least one AWS account for the operator to use\n\nIn your custom values file, the key `AWS` contains one or more sub-keys where each sub-key is an AWS account ID. Beneath each sub-key is the access key and secret key to use with the account. Note that the IAM::User with which the keys are associated requires read access to ECR to authenticate and pull images. 
A sample CloudFormation for such a user can be found [here](./aws-infrastructure/CloudFormation.yaml).\n\n```yaml\nAWS:\n  \"0123456789012\":\n    accessKey: AKAIEXAMPLE\n    secretKey: dskwr4EXAMPLE\n```\n\nThe AWS information can also be inserted with helm `--set` arguments\n\n```sh\nhelm install my-release helmcharts/ecr-secret-operator \\\n   --set AWS.0123456789012.accessKey=AKAIEXAMPLE \\\n   --set AWS.0123456789012.secretKey=dskwr4EXAMPLE\n```\n## License\n\nCopyright 2023.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffireflycons%2Fecr-secret-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffireflycons%2Fecr-secret-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffireflycons%2Fecr-secret-operator/lists"}