https://github.com/lreimer/aws-ecr-operator
A K8s operator to manage an AWS ECR as a custom resource.
aws aws-ecr hacktoberfest kubernetes kubernetes-operator operator-sdk
- Host: GitHub
- URL: https://github.com/lreimer/aws-ecr-operator
- Owner: lreimer
- License: mit
- Created: 2021-08-10T09:08:12.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2021-08-12T13:47:21.000Z (about 4 years ago)
- Last Synced: 2024-11-16T01:16:00.371Z (11 months ago)
- Topics: aws, aws-ecr, hacktoberfest, kubernetes, kubernetes-operator, operator-sdk
- Language: Go
- Homepage:
- Size: 106 KB
- Stars: 5
- Watchers: 3
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
# AWS ECR Operator
A K8s operator to manage an AWS ECR Repository as a custom resource. Simply manage your ECR repositories using the `Repository` CRD.
```yaml
apiVersion: ecr.aws.cloud.qaware.de/v1beta1
kind: Repository
metadata:
  # name of the ECR repository
  name: demo-microservice
  # will be used as repository tags
  labels:
    app: demo-microservice
spec:
  # valid values are MUTABLE or IMMUTABLE. Defaults to IMMUTABLE
  imageTagMutability: IMMUTABLE
  imageScanningConfiguration:
    scanOnPush: true
  encryptionConfiguration:
    # valid values are AES256 and KMS. Defaults to AES256
    encryptionType: AES256
    # the ARN of the KMS key to use
    # kmsKey:
```

You can apply IAM policies to your repository to restrict and control access
using the `RepositoryPolicy` CRD.
```yaml
apiVersion: ecr.aws.cloud.qaware.de/v1beta1
kind: RepositoryPolicy
metadata:
  name: demo-microservice-policy
spec:
  repositoryName: demo-microservice
  policyText: |-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAll",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::450802564356:user/mario-leander.reimer"
          },
          "Action": [
            "ecr:*"
          ]
        }
      ]
    }
```

You can also apply Repository Lifecycle policies to your repository to control when images get
expired using the `RepositoryLifecycle` CRD. See https://docs.aws.amazon.com/AmazonECR/latest/userguide/lifecycle_policy_examples.html
```yaml
apiVersion: ecr.aws.cloud.qaware.de/v1beta1
kind: RepositoryLifecycle
metadata:
  name: demo-microservice-lifefycle
spec:
  repositoryName: demo-microservice
  policyText: |-
    {
      "rules": [
        {
          "rulePriority": 1,
          "description": "Expire images older than 14 days",
          "selection": {
            "tagStatus": "untagged",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": 14
          },
          "action": {
            "type": "expire"
          }
        }
      ]
    }
```

## Development
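As a development-time check on manifests such as the `RepositoryPolicy` sample above, whose single statement allows `ecr:*`, the following added example (not part of the operator's code) lints a `policyText` document and reports wildcard actions or a `*` principal in `Allow` statements. `LintPolicy`, `strs` and the sample policy with its placeholder account ID are assumptions made for illustration, and `Statement` is assumed to be a JSON array as in the README sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// strs decodes IAM's "string or list of strings" form; anything else yields nil.
func strs(raw json.RawMessage) (out []string) {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	_ = json.Unmarshal(raw, &out)
	return out
}

// LintPolicy reports each wildcard action or "*" principal found in an Allow statement.
func LintPolicy(policyText string) ([]string, error) {
	var doc struct {
		Statement []struct {
			Sid, Effect       string
			Principal, Action json.RawMessage
		}
	}
	if err := json.Unmarshal([]byte(policyText), &doc); err != nil {
		return nil, fmt.Errorf("policyText is not valid policy JSON: %w", err)
	}
	var findings []string
	for _, st := range doc.Statement {
		var byType map[string]json.RawMessage // Principal is "*" or {"AWS": ...}
		if json.Unmarshal(st.Principal, &byType) == nil {
			st.Principal = byType["AWS"]
		}
		for _, v := range append(strs(st.Action), strs(st.Principal)...) {
			if st.Effect == "Allow" && strings.Contains(v, "*") {
				findings = append(findings, fmt.Sprintf("%s: wildcard %q", st.Sid, v))
			}
		}
	}
	return findings, nil
}

// Constructed sample modelled on the README's AllowAll statement (placeholder account ID).
const sample = `{"Statement":[{"Sid":"AllowAll","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:user/example"},"Action":["ecr:*"]}]}`

func main() {
	fmt.Println(LintPolicy(sample))
}
```

A statement scoped to named actions such as `ecr:BatchGetImage` and a specific principal ARN produces no findings, and `Deny` statements are skipped.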
```bash
# perform scaffolding with the Operator SDK
$ operator-sdk init --project-version=3 --domain aws.cloud.qaware.de --repo github.com/lreimer/aws-ecr-operator
$ operator-sdk create api --group ecr --version=v1beta1 --kind Repository --resource --controller
$ operator-sdk create api --group ecr --version=v1beta1 --kind RepositoryPolicy --resource --controller
$ operator-sdk create api --group ecr --version=v1beta1 --kind RepositoryLifecycle --resource --controller

# install AWS SDK for Go v2
$ go get github.com/aws/aws-sdk-go-v2
$ go get github.com/aws/aws-sdk-go-v2/config
$ go get github.com/aws/aws-sdk-go-v2/service/ecr

# define CRD in api/repository_types.go
# see https://book.kubebuilder.io/reference/markers/crd-validation.html
$ make generate && make manifests
$ make build

# run operator locally outside the cluster
# see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
# see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
# THESE ARE DUMMY CREDENTIALS :-) !
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_DEFAULT_REGION=eu-central-1
$ make install run

# try to create an ECR and do cleanup afterwards
$ kubectl apply -k config/samples
$ kubectl delete -k config/samples

# for (local) in-cluster deployment
# you need to add the above environment variables to a hidden .env.secret file
# MAKE SURE NOT TO COMMIT THIS FILE :-) !
$ echo AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE >> config/manager/.env.secret
$ echo AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY >> config/manager/.env.secret
$ echo AWS_DEFAULT_REGION=eu-central-1 >> config/manager/.env.secret

# build Docker image locally (optional) and deploy
$ make docker-build
$ make deploy

# try to create an ECR and do cleanup afterwards
$ kubectl apply -k config/samples
$ kubectl delete -k config/samples
```

## Maintainer
M.-Leander Reimer (@lreimer),
## License
This software is provided under the MIT open source license, read the `LICENSE`
file for details.