Created
March 28, 2023 12:44
-
-
Save willgarcia/01533b61141dfe60e5ca7f268c32ee27 to your computer and use it in GitHub Desktop.
ECR ROSA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| oc delete subscription ecr-secret-operator \ | |
| --namespace ecr-secret-operator | |
| oc delete subscription ecr-secret-operator \ | |
| --namespace ecr-secret-operator | |
| oc delete clusterserviceversion ecr-secret-operator.v0.3.2 \ | |
| --namespace ecr-secret-operator | |
| oc delete project ecr-secret-operator | |
| oc delete project my-app | |
| POLICY_ARN=$(aws iam list-policies \ | |
| --query 'Policies[?PolicyName==`ECRLoginPolicy`].Arn' --output text) | |
| aws iam detach-role-policy \ | |
| --role-name ECRLogin \ | |
| --policy-arn $POLICY_ARN | |
| aws iam delete-role \ | |
| --role-name ECRLogin | |
| aws iam delete-policy \ | |
| --policy-arn ${POLICY_ARN} | |
| aws ecr delete-repository-policy \ | |
| --repository-name my-repository | |
| aws ecr batch-delete-image \ | |
| --repository-name my-repository \ | |
| --image-ids imageTag=latest | |
| aws ecr delete-repository \ | |
| --repository-name my-repository | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eux | |
| aws ecr create-repository --repository-name my-repository | |
| cat <<EOF > /tmp/ecr-authz.json | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ecr:GetAuthorizationToken" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } | |
| EOF | |
| aws iam create-policy \ | |
| --policy-name ECRLoginPolicy \ | |
| --policy-document file:///tmp/ecr-authz.json | |
| export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -ojson | jq -r .spec.serviceAccountIssuer | sed 's/https:\/\///') | |
| export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) | |
| cat <<EOF > /tmp/rosa-ecr-trust-policy.json | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}" | |
| }, | |
| "Action": "sts:AssumeRoleWithWebIdentity", | |
| "Condition": { | |
| "StringEquals": { | |
| "${OIDC_PROVIDER}:sub": "system:serviceaccount:ecr-secret-operator:ecr-secret-operator-controller-manager" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| aws iam create-role \ | |
| --role-name ECRLogin \ | |
| --assume-role-policy-document file:///tmp/rosa-ecr-trust-policy.json | |
| aws iam attach-role-policy \ | |
| --role-name ECRLogin \ | |
| --policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/ECRLoginPolicy | |
| cat <<EOF > /tmp/ecr-registry-repo-policy.json | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowPushPull", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": [ | |
| "arn:aws:iam::${AWS_ACCOUNT_ID}:role/ECRLogin" | |
| ] | |
| }, | |
| "Action": [ | |
| "ecr:BatchGetImage", | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:CompleteLayerUpload", | |
| "ecr:GetDownloadUrlForLayer", | |
| "ecr:InitiateLayerUpload", | |
| "ecr:PutImage", | |
| "ecr:UploadLayerPart" | |
| ] | |
| } | |
| ] | |
| } | |
| EOF | |
| aws ecr set-repository-policy \ | |
| --repository-name my-repository \ | |
| --policy-text file:///tmp/ecr-registry-repo-policy.json | |
| cat <<EOF > /tmp/ecr-credentials | |
| [default] | |
| role_arn = arn:aws:iam::${AWS_ACCOUNT_ID}:role/ECRLogin | |
| web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token | |
| EOF | |
| oc new-project ecr-secret-operator | |
| oc create secret generic aws-ecr-cloud-credentials \ | |
| --from-file=credentials=/tmp/ecr-credentials \ | |
| --namespace ecr-secret-operator | |
| cat <<EOF > /tmp/ecr-secret-operator.yaml | |
| apiVersion: operators.coreos.com/v1 | |
| kind: OperatorGroup | |
| metadata: | |
| name: ecr-secret-operator | |
| namespace: ecr-secret-operator | |
| spec: | |
| upgradeStrategy: Default | |
| --- | |
| apiVersion: operators.coreos.com/v1alpha1 | |
| kind: Subscription | |
| metadata: | |
| name: ecr-secret-operator | |
| namespace: ecr-secret-operator | |
| spec: | |
| channel: alpha | |
| installPlanApproval: Automatic | |
| name: ecr-secret-operator | |
| source: community-operators | |
| sourceNamespace: openshift-marketplace | |
| startingCSV: ecr-secret-operator.v0.3.2 | |
| EOF | |
| oc apply -f /tmp/ecr-secret-operator.yaml | |
| sleep 30 | |
| export AWS_ECR_IMAGE_URI=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/my-repository:latest | |
| oc new-project my-app | |
| cat <<EOF > /tmp/ecr-secret.yaml | |
| apiVersion: ecr.mobb.redhat.com/v1alpha1 | |
| kind: Secret | |
| metadata: | |
| name: ecr-docker-secret | |
| namespace: my-app | |
| spec: | |
| generated_secret_name: ecr-docker-secret | |
| ecr_registry: ${AWS_ECR_IMAGE_URI} | |
| frequency: 10h | |
| region: ${AWS_REGION} | |
| EOF | |
| oc apply -f /tmp/ecr-secret.yaml | |
| oc secrets link builder ecr-docker-secret | |
| oc secrets link default ecr-docker-secret | |
| oc secrets link deployer ecr-docker-secret | |
| docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/my-repository:latest | |
| oc new-app --name hello-world --image ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/my-repository:latest | |
| oc create imagestream ruby | |
| oc tag openshift/ruby:2.5-ubi8 ruby:2.5 | |
| oc create -f deploy.yml | |
| oc start-build ruby-sample-build --wait | |
| oc get pods |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment