https://github.com/chainguard-dev/pull-secret-updater
- Host: GitHub
- URL: https://github.com/chainguard-dev/pull-secret-updater
- Owner: chainguard-dev
- License: apache-2.0
- Archived: true
- Created: 2023-08-06T15:09:06.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-08-08T14:19:04.000Z (almost 3 years ago)
- Last Synced: 2025-03-17T15:58:30.334Z (over 1 year ago)
- Language: Go
- Homepage:
- Size: 4.57 MB
- Stars: 6
- Watchers: 2
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Chainguard Registry Pull Secret Updater
⚠️**EXPERIMENTAL**⚠️ controller to keep a pull secret updated with short-lived credentials to pull from the [Chainguard Registry](https://edu.chainguard.dev/chainguard/chainguard-images/registry/overview/).
To use this, you must first create an [assumable identity](https://edu.chainguard.dev/chainguard/chainguard-enforce/iam-groups/assumable-ids/) with permission to pull from the registry.
For a KinD cluster:
```sh
chainctl iam identities create kind-pull-secrets \
--issuer-keys="$(kubectl get --raw /openid/v1/jwks)" \
--identity-issuer=https://kubernetes.default.svc.cluster.local \
--subject=system:serviceaccount:pull-secret-updater:controller \
--role=registry.pull
```
For a GKE cluster:
```sh
chainctl iam identities create gke-pull-secrets \
--identity-issuer="https://container.googleapis.com/v1/projects//locations//clusters/" \
--subject-pattern="system:serviceaccount:pull-secret-updater:controller" \
--role=registry.pull
```
**TODO:** EKS, AKS, anything else.
Either command prints the identity's UID, which you'll use to configure the updater.
Create an empty pull secret in the same namespace as the service account you want to use it with, and annotate it with the identity UID:
```sh
kubectl create secret generic pull-secret --type=kubernetes.io/dockerconfigjson --from-literal=.dockerconfigjson='{}'
kubectl annotate secret pull-secret pull-secret-updater.chainguard.dev/identity=
```
Once the empty secret exists, the controller populates it with a short-lived token and renews that token before it expires.
You can inspect the populated secret with:
```sh
kubectl get secret pull-secret -oyaml
```
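What the controller writes into the secret, as an added Go example that is not the project's own code: it renders the `.dockerconfigjson` payload for `cgr.dev`, reports whether a secret already carries a credential for a registry (the empty `{}` secret above reports none), and decides when a short-lived token should be renewed. The registry username `_token`, the two-thirds-of-lifetime refresh policy and the sample values are assumptions, not taken from the project.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// dockerConfig mirrors the .dockerconfigjson layout the kubelet expects.
type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("username:password")
}

// buildPullSecretData renders the secret payload for one registry.
// The username "_token" used by the caller is an assumption for cgr.dev.
func buildPullSecretData(registry, username, token string) ([]byte, error) {
	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + token))
	cfg := dockerConfig{Auths: map[string]dockerAuth{
		registry: {Username: username, Password: token, Auth: auth},
	}}
	return json.Marshal(cfg)
}

// needsRefresh reports whether a credential issued at issuedAt and valid until
// expiresAt should be renewed at time now. Refreshing once two thirds of the
// lifetime has elapsed (an assumed policy, not the controller's documented one)
// leaves room to retry a failed renewal before pulls start failing.
func needsRefresh(now, issuedAt, expiresAt time.Time) bool {
	lifetime := expiresAt.Sub(issuedAt)
	if lifetime <= 0 {
		return true
	}
	return now.Sub(issuedAt) >= lifetime*2/3
}

// registryInSecret reports whether existing .dockerconfigjson data already
// carries a credential for registry; "{}" (the freshly created secret) has none.
func registryInSecret(data []byte, registry string) (bool, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return false, err
	}
	_, ok := cfg.Auths[registry]
	return ok, nil
}

func main() {
	data, _ := buildPullSecretData("cgr.dev", "_token", "constructed-sample-token")
	fmt.Println(string(data))
}
```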
Now you can use the pull secret to authorize pulls from cgr.dev, as described in the official docs:
```sh
kubectl create -f - <