Project author: lreimer

Project description:
A K8s operator to manage an AWS ECR as a custom resource.
Language: Go
Project address: git://github.com/lreimer/aws-ecr-operator.git
Created: 2021-08-10T09:08:12Z
Project community: https://github.com/lreimer/aws-ecr-operator

License: MIT License



AWS ECR Operator

A K8s operator to manage an AWS ECR Repository as a custom resource. Simply manage your ECR repositories using the Repository CRD.

```yaml
apiVersion: ecr.aws.cloud.qaware.de/v1beta1
kind: Repository
metadata:
  # name of the ECR repository
  name: demo-microservice
  # will be used as repository tags
  labels:
    app: demo-microservice
spec:
  # valid values are MUTABLE or IMMUTABLE. Defaults to IMMUTABLE
  imageTagMutability: IMMUTABLE
  imageScanningConfiguration:
    scanOnPush: true
  encryptionConfiguration:
    # valid values are AES256 and KMS. Defaults to AES256
    encryptionType: AES256
    # the ARN of the KMS key to use
    # kmsKey:
```

You can apply IAM policies to your repository to restrict and control access
using the RepositoryPolicy CRD.

```yaml
apiVersion: ecr.aws.cloud.qaware.de/v1beta1
kind: RepositoryPolicy
metadata:
  name: demo-microservice-policy
spec:
  repositoryName: demo-microservice
  policyText: |-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAll",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::450802564356:user/mario-leander.reimer"
          },
          "Action": [
            "ecr:*"
          ]
        }
      ]
    }
```
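Because `policyText` is handed to ECR verbatim, a controller may want to lint it before calling the API. The following Go check is an added example, not code from the operator; the `ValidatePolicyText` and `policyDoc` names are assumptions. It parses the policy document and rejects any Allow statement whose Principal is the anonymous `*`, in the string, map or list shapes IAM accepts.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the IAM policy grammar used by ECR repository policies (hypothetical type).
type policyDoc struct {
	Statement []struct {
		Effect    string      `json:"Effect"`
		Principal interface{} `json:"Principal"` // "*", {"AWS": "arn"} or {"AWS": ["arn", ...]}
	} `json:"Statement"`
}

// hasWildcardPrincipal reports whether a decoded Principal element contains the anonymous "*".
func hasWildcardPrincipal(p interface{}) bool {
	switch v := p.(type) {
	case string:
		return v == "*"
	case []interface{}:
		for _, e := range v {
			if hasWildcardPrincipal(e) {
				return true
			}
		}
	case map[string]interface{}:
		for _, e := range v {
			if hasWildcardPrincipal(e) {
				return true
			}
		}
	}
	return false
}

// ValidatePolicyText (hypothetical helper, not part of the operator) parses a RepositoryPolicy
// spec.policyText and rejects Allow statements granted to the anonymous principal.
func ValidatePolicyText(policyText string) error {
	var doc policyDoc
	if err := json.Unmarshal([]byte(policyText), &doc); err != nil {
		return fmt.Errorf("policyText is not valid JSON: %w", err)
	}
	for i, st := range doc.Statement {
		if st.Effect == "Allow" && hasWildcardPrincipal(st.Principal) {
			return fmt.Errorf("statement %d allows the anonymous principal *", i)
		}
	}
	return nil
}
```

A Deny statement with Principal `*` is left alone, since it narrows rather than widens access.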

You can also apply repository lifecycle policies to your repository to control when images
expire using the RepositoryLifecycle CRD. See https://docs.aws.amazon.com/AmazonECR/latest/userguide/lifecycle_policy_examples.html

```yaml
apiVersion: ecr.aws.cloud.qaware.de/v1beta1
kind: RepositoryLifecycle
metadata:
  name: demo-microservice-lifecycle
spec:
  repositoryName: demo-microservice
  policyText: |-
    {
      "rules": [
        {
          "rulePriority": 1,
          "description": "Expire images older than 14 days",
          "selection": {
            "tagStatus": "untagged",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": 14
          },
          "action": {
            "type": "expire"
          }
        }
      ]
    }
```

Development

```bash
# perform scaffolding with the Operator SDK
$ operator-sdk init --project-version=3 --domain aws.cloud.qaware.de --repo github.com/lreimer/aws-ecr-operator
$ operator-sdk create api --group ecr --version=v1beta1 --kind Repository --resource --controller
$ operator-sdk create api --group ecr --version=v1beta1 --kind RepositoryPolicy --resource --controller
$ operator-sdk create api --group ecr --version=v1beta1 --kind RepositoryLifecycle --resource --controller

# install AWS SDK for Go v2
$ go get github.com/aws/aws-sdk-go-v2
$ go get github.com/aws/aws-sdk-go-v2/config
$ go get github.com/aws/aws-sdk-go-v2/service/ecr

# define CRD in api/repository_types.go
# see https://book.kubebuilder.io/reference/markers/crd-validation.html
$ make generate && make manifests
$ make build

# run operator locally outside the cluster
# see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
# see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
# THESE ARE DUMMY CREDENTIALS :-) !
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_DEFAULT_REGION=eu-central-1
$ make install run

# try to create an ECR and do cleanup afterwards
$ kubectl apply -k config/samples
$ kubectl delete -k config/samples

# for (local) in-cluster deployment
# you need to add the above environment variables to a hidden .env.secret file
# MAKE SURE NOT TO COMMIT THIS FILE :-) !
$ echo AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE >> config/manager/.env.secret
$ echo AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY >> config/manager/.env.secret
$ echo AWS_DEFAULT_REGION=eu-central-1 >> config/manager/.env.secret

# build Docker image locally (optional) and deploy
$ make docker-build
$ make deploy

# try to create an ECR and do cleanup afterwards
$ kubectl apply -k config/samples
$ kubectl delete -k config/samples
```

Maintainer

M.-Leander Reimer (@lreimer), mario-leander.reimer@qaware.de

License

This software is provided under the MIT open source license, read the LICENSE
file for details.