Connect Spinnaker to Amazon Elastic Container Registry
Adding ECR as a Docker registry
When configuring a registry, you normally use standard
SpinnakerService configuration if using the Operator, or the
hal command for adding a Docker Registry if using Halyard.
This works great for Dockerhub, but ECR requires a bit more work for configuration. Amazon ECR requires access tokens to access the images and those access tokens expire after a time.
In order to automate updating the token, use a sidecar container with a script that does it for you. Since both Clouddriver and the sidecar container need access to the ECR access token, you use a shared volume to store the access token.
The sidecar you’re going to add does not start with an access token. It needs to be able to request an access token from ECR. The Spinnaker installation must have the
AmazonEC2ContainerRegistryReadOnly policy attached to the role assigned in order to request and update the required access token.
If using Halyard, this process is easier in version
v1.10and later. In these later versions, use the
--password-commandoption to pass the command to update your access token.
Add a sidecar for token refresh
SpinnakerService manifest, update the
spec.spinnakerConfig.config.deploymentEnvironment.sidecars section if using Operator. If using Halyard, update your
~/.hal/config in the
deploymentEnvironment: sidecars: spin-clouddriver: - name: token-refresh dockerImage: quay.io/skuid/ecr-token-refresh:latest mountPath: /etc/passwords configMapVolumeMounts: - configMapName: token-refresh-config mountPath: /opt/config/ecr-token-refresh
Define an ECR registry
Add the following snippet in
SpinnakerService manifest under section
spec.spinnakerConfig.profiles.clouddriver if using the Operator, or create the file
~/.hal/<deployment>/profiles/clouddriver-local.yml if using Halyard:
dockerRegistry: enabled: true accounts: - name: my-ecr-registry address: https://<aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com username: AWS passwordFile: /etc/passwords/my-ecr-registry.pass
config.yaml to be used as a configmap
interval: 30m # defines refresh interval registries: # list of registries to refresh - registryId: "<aws-account-id>" region: "<aws-region>" passwordFile: "/etc/passwords/my-ecr-registry.pass"
Note: You can configure multiple registries here by adding another registry to both files listed above.
Apply it to the cluster with:
kubectl -n <namespace> create configmap token-refresh-config --from-file <config.yaml location>
Update your Spinnaker installation
kubectl -n <spinnaker namespace> apply -f <SpinnakerService manifest>
hal deploy apply --service-names clouddriver
Success! Now you will be able to use ECR as a Docker registry in the configuration stage.
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified December 10, 2021: (556c295)