-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Helm OCI Registry with refresh token #8097
Comments
I'm facing the same issue:
|
Someone posted on slack this workaround:
|
+1 on this. Would really appreciate if someone could implement this natively in ArgoCD, similar to how it's implemented here: |
I had tried to use @fokolo tool but once I migrated my App to purely Helm, I faced "Manifest error cache hit", it remembered the old CMP, and don't run the And this cache is very hard clear, I delete all pods and use UI "Invalidate Cache" for the cluster, but it keep coming up. CC: @wanghong230 , this is what happen, have this shed the light. source of discussion: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1663165535172039 |
You guys can give this cronjob a try, it renew both the ecr registry and ecr helm chart credentials: kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: argocd
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: argocd
subjects:
- kind: ServiceAccount
name: ecr-credentials-sync
roleRef:
kind: Role
name: ecr-credentials-sync
apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ecr-credentials-sync
namespace: argocd
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: ecr-credentials-sync
namespace: argocd
spec:
schedule: "*/2 * * * *"
failedJobsHistoryLimit: 1
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
serviceAccountName: ecr-credentials-sync
restartPolicy: Never
volumes:
- name: token
emptyDir:
medium: Memory
initContainers:
- image: amazon/aws-cli
name: get-token
imagePullPolicy: IfNotPresent
env:
- name: REGION
value: ap-southeast-1 # change this if ECR repo is in a different region
volumeMounts:
- mountPath: /token
name: token
command:
- /bin/sh
- -ce
- aws ecr get-login-password --region ${REGION} > /token/ecr-token
containers:
- image: bitnami/kubectl
name: create-secret
imagePullPolicy: IfNotPresent
env:
- name: SECRET_NAME
value: ecr-credentials
- name: ECR_REGISTRY
value: <accountid>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
volumeMounts:
- mountPath: /token
name: token
command:
- /bin/bash
- -ce
- |-
kubectl -n argocd create secret docker-registry $SECRET_NAME \
--dry-run=client \
--docker-server="$ECR_REGISTRY" \
--docker-username=AWS \
--docker-password="$(</token/ecr-token)" \
-o yaml | kubectl apply -f - && \
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: argocd-ecr-helm-credentials
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
username: AWS
password: $(</token/ecr-token)
EOF |
My problem was complicated because the logging system didn't say anything about the App was not allowed to access to the Helm repo. After I configured the Project to allow the Apps to access the repo (Chart Museum repo), I didn't have the "caching error hit" anymore ('helm pull failed - Authorisation problem') I haven't tried with Helm OCI repo but I think it would work as well. |
@minhnnhat does it work for you without setting the |
@prein I use ECR for storing both image and helm chart, and |
Thanks @minhnnhat, nice workaround.
Check the created secret, and merge it to the cronjob solution. |
Hey @minhnnhat also thanks from my side, got it working. Just wanted to share some insights I had during doing this
|
Is the solution proposed by @minhnnhat , the one recommended for now please? |
just wanted to share as alternative to cronjob, I have build small app that is able to refresh tokens in interval. I'm planning to write a article about it. Using external secrets sounds like the optimal solution, but I have no tested it yet. However this solution works for me until we have something better |
based on both @minhnnhat and @lukonjun awswers here is the cronjob I use and that works like a charm: kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: argocd
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: argocd
subjects:
- kind: ServiceAccount
name: ecr-credentials-sync
roleRef:
kind: Role
name: ecr-credentials-sync
apiGroup: ""
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: ecr-credentials-sync
namespace: argocd
spec:
schedule: "*/10 * * * *"
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
restartPolicy: Never
serviceAccountName: ecr-credentials-sync
volumes:
- emptyDir:
medium: Memory
name: token
initContainers:
- image: amazon/aws-cli
name: get-token
imagePullPolicy: IfNotPresent
env:
- name: REGION
value: <region> #!!! PUT YOUR AWS REGION HERE
command:
- /bin/sh
- -ce
- aws ecr get-login-password --region ${REGION} > /token/ecr-token
volumeMounts:
- mountPath: /token
name: token
containers:
- name: create-secret
image: bitnami/kubectl
imagePullPolicy: IfNotPresent
env:
- name: SECRET_NAME
value: ecr-credentials
- name: ECR_REGISTRY
value: <account>.dkr.ecr.<region>.amazonaws.com #!!! PUT YOUR ECR REGISTRY HERE
command:
- /bin/bash
- -ce
- |-
kubectl -n argocd create secret docker-registry $SECRET_NAME \
--dry-run=client \
--docker-server="$ECR_REGISTRY" \
--docker-username=AWS \
--docker-password="$(</token/ecr-token)" \
-o yaml | kubectl apply -f - && \
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: argocd-ecr-helm-credentials
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
username: AWS
password: $(</token/ecr-token)
enableOCI: "true"
name: "ECR"
type: "helm"
url: "<account>.dkr.ecr.<region>.amazonaws.com/helm-charts" #!!! PUT YOUR ECR URL HERE
EOF
volumeMounts:
- mountPath: /token
name: token |
Thanks mate! That's work perfectly |
is this still the recommended way now? there should be better way to do this. |
yes, the cronjob is the only way to deal with this for now. However, see this other conversation about an alternative using ESO |
useful for ECR OCI helm repositories which require credential refresh after 12 hours ✅ Closes: argoproj#8097 Signed-off-by: Isaac Gaskin <[email protected]>
I was able to successfully implement the CronJob from #8097 (comment). However, when trying to deploy a helm chart from one of our git repositories that uses a chart from the ECR registry as dependency, it fails the The Application looks like this: apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: test-application
namespace: argocd
spec:
project: default
source:
path: charts/wrapper
repoURL: "https://github.com/org/repo"
targetRevision: main
helm:
releaseName: test-charts
valueFiles:
- values/environment.yaml
destination:
namespace: namespace
name: some-cluster The Chart.yaml: apiVersion: v2
name: wrapper
description: wrapper chart for dependency
type: application
version: 0.3.0
dependencies:
- name: dependency
version: 0.3.0
repository: oci://AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/charts And the error is
Question: Am I right with the assumption that the authentication only works for the configured helm repository? Meaning it will not work for a git repository that uses helm with a dependency in the same helm repository? In that case, I assume we'll have to wait for ArgoCD 2.6 where we can do multi-source Applications (which will remove the need for the helm chart dependency in our use case). |
I would strongly recommend looking at this option: https://external-secrets.io/v0.7.2/guides/generator/ |
I can verify this works with external-secrets generator
Confiugre ECR generator and external secret (this is installed with Helm):
This works well with chart dependencies (Chart.yaml):
|
Do these objects need to be created in the argocd namespace? |
Yes, same namespace as ArgoCD is running in |
Does ESO also need to be running in the ArgoCD namespace? When using JWT with IRSA auth for the ECR Token, it seems to be looking for the "external-secrets" service account in the argocd namespace, when its usually installed to a different namespace. |
External-secrets can be installed in any namespace (we are running it in kube-system). |
This conversation overlaps with #10218, and can be further discussed there. |
FYI: I searched for a couple of hours and tried the cronjobs and ExternalSecret solutions. After adding the property to my applications, It then worked for OCI dependency charts with both the ExternalSecret and cronjob solutions. |
Can you please help me to provide steps or sample files , i am new to this technology. I have installed argo-ecr-update through helm chart in my argocd repo. What should i do next |
Summary
Right now when using AWS ECR as an OCI Helm chart registry you need to manually refresh the token.
as the below said, you get the password as an input and not a command line.
https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#helm-chart-repositories
as you can see below, in AWS docs one always generate the password
https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html
Motivation
I added the AWS ECR repo to argo with the password auto-generated that was autogenerated today, but the token expires tomorrow. The helm registry will stop working tomorrow.
Proposal
Over there is the code that takes a password. I wonder if it will be possible to give a command line to execute instead?
argo-cd/util/helm/cmd.go
Line 79 in 2770c69
The text was updated successfully, but these errors were encountered: