Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sarmad-abualkaz/argo-ecr-auth
A tool to automate authentication to ECR helm (OCI) for ArgoCD
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/sarmad-abualkaz/argo-ecr-auth
- Owner: sarmad-abualkaz
- Created: 2022-08-11T17:34:52.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-09-06T16:57:06.000Z (over 2 years ago)
- Last Synced: 2024-11-07T14:56:34.483Z (3 months ago)
- Language: Go
- Size: 17.8 MB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# argo-ecr-auth
A tool to automate authentication to ECR helm (OCI) for ArgoCD

## Purpose
Argo CD has no native mechanism to stay authenticated to ECR, because ECR issues only short-lived tokens with an expiry of at most 12 hours. Argo CD does let you provide a secret carrying specific labels that holds the authentication details (username, password, etc.) for a private registry.
This tool creates and continuously updates such a secret in the namespace where Argo CD is running. It authenticates against the ECR endpoint (`.dkr.ecr.us-east-1.amazonaws.com`) and writes the current token into the secret.
## How to install
This project can be deployed to a Kubernetes cluster via Helm using the following:
```
helm repo add sarmad-helm-charts https://sarmad-abualkaz.github.io/my-helm-charts/
# release name "argo-ecr-auth" added here; Helm 3 requires one (or --generate-name)
helm install argo-ecr-auth sarmad-helm-charts/argo-ecr-auth \
  --set args='{"--ecr-registry=","--aws-region=","--namespace="}'
```
Flags to note:
| flag | purpose | default |
| --- | --- | --- |
| `--aws-profile` | AWS profile to use from the `~/.aws` folder. If empty, the normal AWS credential chain is used; leave it empty to use web identity (AssumeRoleWithWebIdentity) through a service account. | `` |
| `--aws-region` | AWS region to target. | `us-east-1` |
| `--ecr-registry` | Name of the ECR registry to authenticate to. | `` |
| `--kube-config` | Where the process runs, i.e. how the kubeconfig is set up. `in-cluster` and `local` are the only accepted values. | `in-cluster` |
| `--namespace` | Namespace where the secret is stored. | `argocd` |
| `--secret-name` | Kubernetes secret name to sync from/to. | `ecr-auth` |
| `--sleep-between-checks` | Sleep time between syncs, in seconds. | `120` |

## How it works
The tool calls AWS ECR to retrieve the token (i.e. the auth password) and its expiry time. It then updates the `ecr-auth` secret (the secret name can be set at start time). The secret's data follows this structure:
```
apiVersion: v1
kind: Secret
metadata:
  name:
  namespace:
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
  enableOCI: "true"
  name: ecr
  password:
  type: helm
  url:
  username: AWS
```
The tool also creates and continuously updates a ConfigMap in the same namespace with the data below:
```
apiVersion: v1
kind: ConfigMap
metadata:
  name:
  namespace:
  labels:
    argo-ecr-auth: managed-resource
data:
  expireyTime:
  name:
```

## Permission Required
The tool requires cluster-admin permissions within the namespace (not across the whole cluster). For authentication to an ECR registry in the same AWS account as the pod (the account that owns the EKS cluster), letting the pod use the same IAM role as the EC2 instance profile is sufficient.
Cross-account authentication has not been tested; an IAM role for service accounts might be the right option there.
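The token-to-secret step described under "How it works", as an added Go example that is not the project's own code: it stands in for the ECR GetAuthorizationToken call with constructed data (a hypothetical account id and password), decodes the token into the username/password pair, builds the stringData of the Argo CD repository secret, and decides whether a refresh is due relative to `--sleep-between-checks`.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)
// authorizationData mirrors an ECR GetAuthorizationToken response (base64 "user:password", expiry, registry URL).
type authorizationData struct {
	AuthorizationToken, ProxyEndpoint string
	ExpiresAt                         time.Time
}

// sampleAuthorizationData stands in for the AWS API call; account id and
// password are constructed placeholders, not real values.
func sampleAuthorizationData() authorizationData {
	return authorizationData{
		AuthorizationToken: base64.StdEncoding.EncodeToString([]byte("AWS:constructed-password")),
		ExpiresAt:          time.Date(2022, 9, 6, 23, 59, 0, 0, time.UTC),
		ProxyEndpoint:      "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
	}
}

// secretStringData decodes the token into the username/password Argo CD needs and
// returns the README's repository-secret stringData, url being the bare registry host.
func secretStringData(d authorizationData) (map[string]string, error) {
	raw, err := base64.StdEncoding.DecodeString(d.AuthorizationToken)
	if err != nil {
		return nil, err
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok || user != "AWS" || pass == "" {
		return nil, fmt.Errorf("unexpected ECR token format")
	}
	return map[string]string{"enableOCI": "true", "name": "ecr", "type": "helm",
		"url":      strings.TrimPrefix(d.ProxyEndpoint, "https://"),
		"username": user, "password": pass}, nil
}

// needsRefresh is true when the token would lapse before two more sync passes (rotate with margin).
func needsRefresh(expiresAt, now time.Time, sleepBetweenChecks time.Duration) bool {
	return !expiresAt.After(now.Add(2 * sleepBetweenChecks))
}
func main() {
	d := sampleAuthorizationData()
	sd, err := secretStringData(d)
	fmt.Println(sd["url"], needsRefresh(d.ExpiresAt, time.Now(), 120*time.Second), err)
}
```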