{"id":37194701,"url":"https://github.com/flanksource/registry-creds","last_synced_at":"2026-01-14T22:38:23.336Z","repository":{"id":57641244,"uuid":"250025413","full_name":"flanksource/registry-creds","owner":"flanksource","description":"Allow for AWS ECR, Google Registry, \u0026 Azure Container Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets","archived":true,"fork":true,"pushed_at":"2023-03-29T10:22:26.000Z","size":20229,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-12-01T06:47:28.587Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"upmc-enterprises/registry-creds","license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flanksource.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-25T16:03:32.000Z","updated_at":"2024-04-18T09:24:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/flanksource/registry-creds","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/flanksource/registry-creds","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flanksource%2Fregistry-creds","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flanksource%2Fregistry-creds/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flanksource%2Fregistry-creds/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flanksource%2Fregistry-creds/manifests","owner_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/owners/flanksource","download_url":"https://codeload.github.com/flanksource/registry-creds/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flanksource%2Fregistry-creds/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28436680,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T21:32:52.117Z","status":"ssl_error","status_checked_at":"2026-01-14T21:32:33.442Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T22:38:22.643Z","updated_at":"2026-01-14T22:38:23.322Z","avatar_url":"https://github.com/flanksource.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Registry Credentials\n\nAllow for Registry credentials to be refreshed inside your Kubernetes cluster via `ImagePullSecrets`.\n\n## How it works\n\n1. 
The tool runs as a pod in the `kube-system` namespace.\n- It gets credentials from AWS ECR, Google Container Registry, Docker private registry, or Azure Container Registry.\n- Next it creates a secret with credentials for your registry\n- Then it sets up this secret to be used in the `ImagePullSecrets` for the default service account\n- Whenever a pod is created, this secret is attached to the pod\n- The container will refresh the credentials by default every 60 minutes\n- Enabled for use with Minikube as an [addon](https://github.com/kubernetes/minikube#add-ons)\n\n\u003e **NOTE:** This will set up credentials across ALL namespaces!\n\n## Parameters\n\nThe following parameters are driven via environment variables.\n\n- Environment Variables:\n  - AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS.\n  - awsaccount: Comma-separated list of AWS account IDs.\n  - awsregion: (optional) Can override the default AWS region by setting this variable.\n  - aws-assume-role: (optional) Can provide a role ARN that will be assumed for getting ECR authorization tokens.\n    \u003e **Note:** The region can also be specified as an arg to the binary.\n  - TOKEN_RETRY_TYPE: The type of Timer to use when getting a registry token fails and must be retried; \"simple\" or \"exponential\" (default: simple)\n  - TOKEN_RETRIES: The number of times to retry getting a registry token if an error occurred (default: 3)\n  - TOKEN_RETRY_DELAY: The number of seconds to delay between successive retries at getting a registry token; applies to \"simple\" retry timer only (default: 5)\n  - GCRURL: URL to Google Container Registry\n  - DOCKER_PRIVATE_REGISTRY_SERVER, DOCKER_PRIVATE_REGISTRY_USER, DOCKER_PRIVATE_REGISTRY_PASSWORD: the URL, user name, and password for a Docker private registry\n  - ACR_URL, ACR_CLIENT_ID, ACR_PASSWORD: the registry URL, client ID, and password to access an Azure Container Registry.\n\n## How to set up running in AWS\n\n1. 
Clone the repo and navigate to directory\n\n2. Configure\n\n   1. If running on AWS EC2, make sure your EC2 instances have the following IAM permissions:\n\n      ```json\n      {\n       \"Effect\": \"Allow\",\n        \"Action\": [\n         \"ecr:GetAuthorizationToken\",\n         \"ecr:BatchCheckLayerAvailability\",\n         \"ecr:GetDownloadUrlForLayer\",\n         \"ecr:GetRepositoryPolicy\",\n         \"ecr:DescribeRepositories\",\n         \"ecr:ListImages\",\n         \"ecr:BatchGetImage\"\n       ],\n       \"Resource\": \"*\"\n      }\n      ```\n\n   2. If you are not running in AWS Cloud, then you can still use this tool! Edit \u0026 create the sample [secret](k8s/secret.yaml) and update values for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `aws-account`, and `aws-region` (base64 encoded).\n\n      ```bash\n      echo -n \"secret-key\" | base64\n\n      kubectl create -f k8s/secret.yaml\n      ```\n\n3. Create the replication controller.\n\n   ```bash\n   kubectl create -f k8s/replicationController.yaml\n   ```\n\n   \u003e **NOTE:** If running on premise, no need to provide `AWS_ACCESS_KEY_ID` or `AWS_SECRET_ACCESS_KEY` since that will come from the EC2 instance.\n\n4. Use `awsecr-cred` for name of `imagePullSecrets` on your `deployment.yaml` file.\n\n## How to set up running in GCR\n\n1. Clone the repo and navigate to directory\n\n2. Input your `application_default_credentials.json` information into the `secret.yaml` template located [here](k8s/secret.yaml#L17):\nThe value for `application_default_credentials.json` can be obtained with the following command:\n\n   ```bash\n   base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json\n   ```\n\n3. Create the secret in Kubernetes\n\n   ```bash\n   kubectl create -f k8s/secret.yaml\n   ```\n\n4. Create the replication controller:\n\n   ```bash\n   kubectl create -f k8s/replicationController.yaml\n   ```\n\n## How to set up running in Docker Private Registry\n\n1. 
Clone the repo and navigate to directory\n\n2. Edit the sample [secret](k8s/secret.yaml) and update values for `DOCKER_PRIVATE_REGISTRY_SERVER`, `DOCKER_PRIVATE_REGISTRY_USER`, and `DOCKER_PRIVATE_REGISTRY_PASSWORD` (base64 encoded).\n\n   ```bash\n   echo -n \"secret-key\" | base64\n   ```\n\n3. Create the secret in Kubernetes\n\n   ```bash\n   kubectl create -f k8s/secret.yaml\n   ```\n\n4. Create the replication controller:\n\n   ```bash\n   kubectl create -f k8s/replicationController.yaml\n   ```\n\n## How to set up Azure Container Registry\n\n1. [Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) that your Kubernetes cluster will use to access the registry.\n\n2. Clone the repo and navigate to the repo root\n\n3. Edit the sample [secret](k8s/secret.yaml) and update values for `ACR_URL`, `ACR_CLIENT_ID`, and `ACR_PASSWORD` (base64 encoded). Use service principal application ID as the client ID, and service principal password (client secret) as the password.\n\n   ```bash\n   echo -n \"secret-key\" | base64\n   ```\n\n4. Create the secret in Kubernetes\n\n   ```bash\n   kubectl create -f k8s/secret.yaml\n   ```\n\n5. Create the replication controller:\n\n   ```bash\n   kubectl create -f k8s/replicationController.yaml\n   ```\n\n## DockerHub Image\n\n- [upmcenterprises/registry-creds](https://hub.docker.com/r/upmcenterprises/registry-creds/)\n\n## Developing Locally\n\nIf you want to hack on this project:\n\n1. Clone the repo\n2. Build: `make build`\n3. Test: `make test`\n4. Run on your machine: `go run ./main.go --kubecfg-file=\u003cpathToKubecfgFile\u003e`\n\n## About\n\nBuilt by UPMC Enterprises in Pittsburgh, PA. 
http://enterprises.upmc.com/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflanksource%2Fregistry-creds","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflanksource%2Fregistry-creds","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflanksource%2Fregistry-creds/lists"}