Connect Spinnaker to Amazon Elastic Container Registry

Learn how to configure Spinnaker to connect to AWS ECR.

Adding ECR as a Docker registry

When configuring a registry, you normally use standard SpinnakerService configuration if using the Operator, or the hal command for adding a Docker Registry if using Halyard.

This works great for Dockerhub, but ECR requires a bit more work for configuration. Amazon ECR requires access tokens to access the images and those access tokens expire after a time.

In order to automate updating the token, use a sidecar container with a script that does it for you. Since both Clouddriver and the sidecar container need access to the ECR access token, you use a shared volume to store the access token.

The sidecar you’re going to add does not start with an access token. It needs to be able to request an access token from ECR. The Spinnaker installation must have the AmazonEC2ContainerRegistryReadOnly policy attached to the role assigned in order to request and update the required access token.

If using Halyard, this process is easier in version v1.10 and later. In these later versions, use the --password-command option to pass the command to update your access token.

Update configs

Add a sidecar for token refresh

In your SpinnakerService manifest, update the spec.spinnakerConfig.config.deploymentEnvironment.sidecars section if using Operator. If using Halyard, update your ~/.hal/config in the deploymentEnvironment.sidecars section:

      - name: token-refresh
        mountPath: /etc/passwords
        - configMapName: token-refresh-config
          mountPath: /opt/config/ecr-token-refresh

Define an ECR registry

Add the following snippet in SpinnakerService manifest under section spec.spinnakerConfig.profiles.clouddriver if using the Operator, or create the file ~/.hal/<deployment>/profiles/clouddriver-local.yml if using Halyard:

  enabled: true
  - name: my-ecr-registry
    address: https://<aws-account-id>.dkr.ecr.<aws-region>
    username: AWS
    passwordFile: /etc/passwords/my-ecr-registry.pass

Create a config.yaml to be used as a configmap

interval: 30m # defines refresh interval
registries: # list of registries to refresh
  - registryId: "<aws-account-id>"
    region: "<aws-region>"
    passwordFile: "/etc/passwords/my-ecr-registry.pass"

Note: You can configure multiple registries here by adding another registry to both files listed above.

Apply it to the cluster with:

kubectl -n <namespace> create configmap token-refresh-config --from-file <config.yaml location>

Update your Spinnaker installation

kubectl -n <spinnaker namespace> apply -f <SpinnakerService manifest>

hal deploy apply --service-names clouddriver

Success! Now you will be able to use ECR as a Docker registry in the configuration stage.

Last modified December 10, 2021: (556c295)