Skip to content

Commit

Permalink
operator [CI] ecr-secret-operator (0.4.1)
Browse files Browse the repository at this point in the history
  • Loading branch information
@datianshi
datianshi authored Apr 14, 2023
1 parent c55faa5 commit 06923b8
Show file tree
Hide file tree
Showing 10 changed files with 554 additions and 3 deletions.
17 changes: 17 additions & 0 deletions ...ret-operator/0.4.1/ecr-secret-operator-controller-manager-metrics-service_v1_service.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
control-plane: controller-manager
name: ecr-secret-operator-controller-manager-metrics-service
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
control-plane: controller-manager
status:
loadBalancer: {}
17 changes: 17 additions & 0 deletions operators/ecr-secret-operator/0.4.1/ecr-secret-operator-manager-config_v1_configmap.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: v1
data:
controller_manager_config.yaml: |
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 127.0.0.1:8080
webhook:
port: 9443
leaderElection:
leaderElect: true
resourceName: bc9c1120.mobb.redhat.com
kind: ConfigMap
metadata:
name: ecr-secret-operator-manager-config
10 changes: 10 additions & 0 deletions ...or/0.4.1/ecr-secret-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: ecr-secret-operator-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
339 changes: 339 additions & 0 deletions operators/ecr-secret-operator/0.4.1/ecr-secret-operator.clusterserviceversion.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,339 @@
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
annotations:
alm-examples: |-
[
{
"apiVersion": "ecr.mobb.redhat.com/v1alpha1",
"kind": "Secret",
"metadata": {
"name": "ecr-secret-sample",
"namespace": "test-ecr-secret-operator"
},
"spec": {
"ecr_registry": "ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com",
"frequency": "10h",
"generated_secret_name": "ecr-docker-secret",
"region": "us-east-2"
}
},
{
"apiVersion": "ecr.mobb.redhat.com/v1alpha1",
"kind": "ArgoHelmRepoSecret",
"metadata": {
"labels": {
"app.kubernetes.io/created-by": "ecr-secret-operator",
"app.kubernetes.io/instance": "argohelmreposecret-sample",
"app.kubernetes.io/managed-by": "kustomize",
"app.kubernetes.io/name": "argohelmreposecret",
"app.kubernetes.io/part-of": "ecr-secret-operator"
},
"name": "argohelmreposecret-sample"
},
"spec": null
}
]
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/mobb/ecr-secret-operator:v0.4.1
createdAt: "2023-04-14T14:52:13Z"
operatorframework.io/suggested-namespace: ecr-secret-operator
operators.operatorframework.io/builder: operator-sdk-v1.28.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
repository: https://github.com/rh-mobb/ecr-secret-operator
support: Managed Openshift Black Belt
name: ecr-secret-operator.v0.4.1
namespace: placeholder
spec:
apiservicedefinitions: {}
customresourcedefinitions:
owned:
- description: ArgoHelmRepoSecret is the Schema for the argohelmreposecrets API
displayName: Argo Helm Repo Secret
kind: ArgoHelmRepoSecret
name: argohelmreposecrets.ecr.mobb.redhat.com
version: v1alpha1
- description: Secret is the Schema for the secrets API
displayName: Secret
kind: Secret
name: secrets.ecr.mobb.redhat.com
version: v1alpha1
description: "# ECR Secret Operator\n\nAmazon Elastic Container Registry [Private
Registry Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
provides a temporary token that is valid only for 12 hours. It is a challenge
for automatic container image build process to refresh the token or secret in
a timely manner.\n\nThis operators frequently talks with AWS ECR GetAuthroization
Token and create/update the secret, so that the service account can perform docker
image build.\n\n\n## How to use this operator\n\n### Prerequisites\n\n* [Create
an ECR private repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html)\n*
Create An Openshift Cluster\n* Provide AWS Authentication to the operator. Two
Options:\n **Note: You have to provide a secret aws-ecr-cloud-credentials in
the installed namespace**\n * [IAM User](https://github.com/rh-mobb/ecr-secret-operator/tree/main/docs/iam_user.md)\n
\ * [STS Assume Role](https://github.com/rh-mobb/ecr-secret-operator/tree/main/docs/iam_assume_role.md)\n\n###
Install the operator\n\n### Create the ECR Secret CRD\n\n```\napiVersion: ecr.mobb.redhat.com/v1alpha1\nkind:
Secret\nmetadata:\n name: ecr-secret\n namespace: test-ecr-secret-operator\nspec:\n
\ generated_secret_name: ecr-docker-secret\n ecr_registry: [ACCOUNT_ID].dkr.ecr.us-east-2.amazonaws.com\n
\ frequency: 10h\n region: us-east-2\n```\n\n```\noc create -f CRD_FILE\n```\n\nA
docker registry secret is created by the operator momentally and the token is
patched every 10 hours\n\n```\noc get secret ecr-docker-secret \nNAME TYPE
\ DATA AGE\necr-docker-secret kubernetes.io/dockerconfigjson
\ 1 16h\n```\n\n### A sample build process with generated secret\n\n\nLink
the secret to builder\n\n```\noc secrets link builder ecr-docker-secret \n```\n\nConfigure
[build config](https://github.com/rh-mobb/ecr-secret-operator/tree/main/samples/build-config.yaml)
to point to your ECR Container repository\n\n```\noc create imagestream ruby\noc
tag openshift/ruby:2.5-ubi8 ruby:2.5\noc create -f samples/build-config.yaml\noc
start-build ruby-sample-build --wait\n```\n\nBuild should succeed and push the
image to the the private ECR Container repository\n\n"
displayName: ECR Secret Operator
icon:
- base64data: /9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAdHx8kKDQsJCYxJx8fLT0tMTU3Ojo6Iys/RD84QzQ5OjcBCgoKDQwNGg8PGjclHyU3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3N//AABEIAH8AfwMBIgACEQEDEQH/xAAcAAEAAgIDAQAAAAAAAAAAAAAABwgFBgEDBAL/xABEEAABAwIDBQQGBAsJAQAAAAABAAIDBBEFBiEHEjFBYRMiUaEUMkJxgZGCscHCFRYjMzRSYnKy0fAXJCVjhJKiw+EI/8QAFAEBAAAAAAAAAAAAAAAAAAAAAP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AJxREQEREBERAREQEREBERAREQEREBERAREQEREBERAREQEREBERAREQeSXE6GGtjoZqynjq5G77IHyAPe29rgcSvWoG2+Qg5qoXPaHNfQANDuj3X+sLTMOzPmDDAG0GM18LRwZ2xe0fRdceSC1iKt9PtUzhTtAdiUM1uc1Owny3VkafbNmdlu1psLlA4/3d7SfiJCPJBP6KD2bb8Vb+cwOjd1E0jfulehu3Ke1n5ciJ6YgW/wDUgmhFXar2u5prJ5XU89NRxb53IooQ/cby7zr73U6a8gulu1bOMbHbtfBIf8ymZp8gEFj0VZDtLzfIe1/D8zQdbCGGw/4LN4Htox6j3hi1LS4hFwbd/o8oPUgEH3WQWARQq/brNbuZdhB64g4/VEvPJtxxQ/m8Eo2++WR/3QgnJFX2fbPmp9+yp8NiHK1K8kf7pLLG1O1PONSLDE2wdYYIm/WHILKLy0uJUVZNPDSVcE8tOQ2ZkUgcYyeAdbgqs4hmTHsUYWYjjFdUMd6zHTO3T9EWFvgpP/8AnuLcjxx7Rus3oWgAWFwHn7UGzbS8gy5wNHU0VZHTVlKx7AJmFzJGusbEjUWI42PHgopxDZdm+ivu4ZFVNHtUk7XeTi0+SsiiCqNVlrMFF+kYJicf+me76gVipWPidadj2OHESMsR87K4Vlrmds24ZlXDu2rrTVEgPo9ICN6U/Y0czy6mwQVba9h9UsP7rb/DQprIO9o0m26NR/79SyuYcbrMw4m/EK7c3nd2OOJu61jb8Gjw8TxPyWNtbU+4W59B0QcOO7Z/6ujtb6Hjqvs3BsbXHD7P5Lc9n2zypze91VWPkpcJYCztWDvSu4bsd9NObvgOdstiuxfH6dxOF11FXRWsO1LoZOmliD8wgjC1pAL9094Dxd/XLxC553Bs7xvxHgf60W5f2WZzdMIvwOxoDvzjqqIs8nb3jy5rU54JqaolgqIpIp4nlj43izmuHEHqPMIOouGtwRY2ILiV8mVgdbejv4G1/MrMZbxj8B4tDX+iU1XGzuywTxhzXsPIEg26Hl7lZfLlRgmNYVBiOEQUxp5RpuxNaWHm0gcCOYQVWggnndamp5JHeEUW8fK6y1JlXMtZ+j4HiTwfGBzP4gFawAAWAsOi5QVyw7ZPm+tLe2pKeiaeLqqoFx8G7ymDZ3k78TsLnpn1Iqqipl7WWRrNxos0AAC54W49VtqICIsfjuL0eBYVUYliMvZ08Dd5x5uPJo8STYAdUGLzzm6jyjhJqZx2tVLdlLTA2Mr7eTRxJ+0gKtmNYtXY9iUuI4nMZ6iY68hYcGtHJg10+u+vqzTmCszPjM+J15I3u7HEDcQsvpGPtPM+WJ4ak6273QeAQcG2t9fvHwC3jZrkGbNlV6diAfFgsTt1zmktdUuHFjDyaPad8Bre3k2dZLnzdix7YPiwumI9Jlbpfn2bT+seZ5C3iFZCjpIKGlipaSFkNPCwMjjYLBrRwACDmlpoKWnip6WJkMETQyOONoa1rRwAA4BdyIgKKtsmRhiFLJmHCoT6bC0GrjYNZox7YH6zR8wLa2ClVcEXCCnYN9QdOPTX7CtpyBnGpyhinagPlw+cgVVONSf2h+2PMaeFvbtWyl+LWPmakithleXPhAHdjd7cf3h0uOS0q4HMkcb+I5FBb2hrKevo4aujmZNTzMD45GG4c08Cu9QTsZzicLrxl/EZQKKqefRnOOkUxPq/uv8A4vep2ugIiIBNlXva3nA5ixg4bQSf4bQSFocOE0wuHP6gageOp8FYKRjZGFjhdrhYjoq8bRsgS5Tl9LoA+XBpHbrHnV1MTwY48xyDvgdbEhotuFhw9UeJ8VkcvYNVZhximwygF5pneuRcRtHrSO6AedhzC8BGuugt8gp62L5XGE4CcYqo7VmJAOYCNY4PYHx9Y+8Dkg3XL2CUeX8Ip8Mw+Pdghba54vdzc48yTqVkkRAREQEREGDznl2DNGXqrDJiGSPbvQSkX7KUatd8+PS6q3NBNS1MtNVRGGohkcySN3FjwbOargKDNuuXPQ8VpsfpWWirbQ1Fho2Zo7rvpNBH0Qgi8aAEEgjhY2Nv5hWN2V5u/GbA+xrJAcTog2Oo8ZR7MnxHHqD0Vc+rR1C2TZ5W4lh+cMPlwankqZ3u7OSBntwuI37+AGhueYCCzyIOCIC6aumgrKaWmqoWTQTNLJI5BdrmniCF3IggrE9lFZBnGipKNj5sAqZw90xNzBGO86N/vA3Qed9dQpzja1jA1gAaNABwAX0iAiIgIiICIiAsHnbA25iyviGG2HayREwk+zK3Vh+YCziIKv5NyhiubqgNoI/R6Vp/L1crTuR+IA9p3QfGysFlPKeFZWofR8Nh/KvA7apeAZJj4uPh4DgFm4omQs3ImNY0ahrRYL7QEREBERAREQEREBERAREQEREBERAREQf/2Q==
mediatype: image/jpeg
install:
spec:
clusterPermissions:
- rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ecr.mobb.redhat.com
resources:
- argohelmreposecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ecr.mobb.redhat.com
resources:
- argohelmreposecrets/finalizers
verbs:
- update
- apiGroups:
- ecr.mobb.redhat.com
resources:
- argohelmreposecrets/status
verbs:
- get
- patch
- update
- apiGroups:
- ecr.mobb.redhat.com
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ecr.mobb.redhat.com
resources:
- secrets/finalizers
verbs:
- update
- apiGroups:
- ecr.mobb.redhat.com
resources:
- secrets/status
verbs:
- get
- patch
- update
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
serviceAccountName: ecr-secret-operator-controller-manager
deployments:
- label:
control-plane: controller-manager
name: ecr-secret-operator-controller-manager
spec:
replicas: 1
selector:
matchLabels:
control-plane: controller-manager
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
spec:
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
command:
- /manager
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: aws_access_key_id
name: aws-ecr-cloud-credentials
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: aws_secret_access_key
name: aws-ecr-cloud-credentials
optional: true
- name: AWS_SDK_LOAD_CONFIG
value: "1"
- name: AWS_CONFIG_FILE
value: /var/run/secrets/aws/credentials
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.annotations['olm.targetNamespaces']
image: quay.io/mobb/ecr-secret-operator:v0.4.1
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 1000Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /var/run/secrets/aws
name: aws-credentials
readOnly: true
- mountPath: /var/run/secrets/openshift/serviceaccount
name: bound-sa-token
readOnly: true
securityContext:
runAsNonRoot: true
serviceAccountName: ecr-secret-operator-controller-manager
terminationGracePeriodSeconds: 10
volumes:
- name: aws-credentials
secret:
optional: true
secretName: aws-ecr-cloud-credentials
- name: bound-sa-token
projected:
sources:
- serviceAccountToken:
audience: openshift
path: token
permissions:
- rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
serviceAccountName: ecr-secret-operator-controller-manager
strategy: deployment
installModes:
- supported: true
type: OwnNamespace
- supported: true
type: SingleNamespace
- supported: true
type: MultiNamespace
- supported: true
type: AllNamespaces
keywords:
- ecr
- aws
- redhat
links:
- name: Ecr Secret Operator
url: https://github.com/rh-mobb/ecr-secret-operator
maintainers:
- email: [email protected]
name: Shaozhen Ding
maturity: alpha
provider:
name: Managed Openshift Black Belt
replaces: ecr-secret-operator.v0.4.0
version: 0.4.1
9 changes: 9 additions & 0 deletions ...tors/ecr-secret-operator/0.4.1/ecr-secret-sample_ecr.mobb.redhat.com_v1alpha1_secret.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: ecr.mobb.redhat.com/v1alpha1
kind: Secret
metadata:
name: ecr-secret-sample
spec:
ecr_registry: ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com
frequency: 10h
generated_secret_name: ecr-docker-secret
region: us-east-2
Loading

0 comments on commit 06923b8

Please sign in to comment.