ECR Credentials


#1

Hi,

Does the Rancher credentials updater work in 2.0. I am unable to get the container to launch.

Any help for any strategy to pull images from AWS ECR would be greatly appreciated. I have everything spun up and ready to go, this is my last hurdle to seeing our app running on this!!

Many thanks,
Alex


AWS ECR Authentication issue
#2

Stuck in the same spot :frowning:


#3

You don’t need that, Kubernetes handles it: https://kubernetes.io/docs/concepts/containers/images/#using-aws-ec2-container-registry


#4

Disregard, it looks like I forgot to enable the AWS cloud provider on that test instance. It seems to be able to pull from ECR just fine.


#5

I installed Rancher 2.0 today and created a cluster with a few nodes. The version of Kubelet is v1.10.1, and the document linked in @alex88’s message specifies that Kubernetes handles it if Kubelet is v1.2.0 or newer. Did I miss something when I set up my nodes? Thank you.

Edit: Waiting fixed the issue. I woke up this morning and the Docker image was successfully pulled and downloaded. I would love to know if there is a way to trigger the ECR authentication manually.


#6

I have a local server where I run rancher 2.0 now.
But I have images that are located in the AWS ECR, so I would like to be able to pull the images out of the cloud.

The closest I found to deal with this was on this site:

but it would be very interesting if Rancher did this automatically for the user.


#7

Hello,

I have exactly the same problem. I have followed the link to that Docker image rancher/rancher-ecr-credentials, but I really don’t understand how this would work.

So I can put the container on one of my Rancher nodes and start it, but I don’t get which ENV variables you have to pass to the container on start.

I understand AWS_KEY and AWS_SECRET, which I have, but I don’t get why I need this AWS_ROLE_ARN …

I mean, I have the KEY and the SECRET, and normally this is enough to authenticate on all AWS services. Why do I need to provide that AWS_ROLE_ARN? Do I really need that? Also, why do I have to map /root/.aws into the container if I am already passing it KEY and SECRET via ENV variables?

This is really crap, guys. How in the hell is it possible that such an important thing as using AWS ECR is NOT integrated in Rancher 2.0? What the heck?

Could you please help me understand this?

Thanks.


#8

You’re looking at a service for 1.x. Kubernetes has built in support for ECR, on clusters in AWS using the AWS cloud provider. For anything else, Amazon chooses to make their registry hard to use outside of their garden by requiring session tokens.

If you can’t be polite you will not be welcome here.


#9

Hi Vincent,

My apologies. I have been rather under pressure lately, and the last thing I was expecting was having trouble using one of the simplest services out there. I mean, ECR is probably one of the most used container registries in the world; how can it be so difficult to get it working?

Please take a look at my post … could you help me? For our organization, using AWS ECR is an absolute must.

Any help would be immensely appreciated.

Thanks in advance.


#10

You can spin up a special container that handles the updates of your ECR session tokens:

Here is a version with some tweaks, too:
https://github.com/sehucke/ecr-updater. Minor tweaks aside, the most important change was to use a kubectl-proxy implementation that is more openly sourced and has a credible author (Lachlan Evenson / lachie83 @ Github). But this is up to you. :slight_smile:

See as well: https://github.com/rancher/rancher/issues/14907

The above-mentioned solution works pretty well to keep your ECR login token valid. But currently there are some obstacles to work around before you can successfully deploy using your ECR registry.

  1. See Private registry not working -> You have to manually alter the yaml file of your workloads to include this:

    imagePullSecrets:
      - name: myk8sregistrysecret
    

    And you have to do that every time you alter your workload.
    So…

    1. Configure a new workload to use your ECR registry and launch it.
    2. Edit your workload’s yaml definition and insert imagePullSecrets... at the correct line.
    3. Upgrade your workload with the new yaml definition.
  2. And a minor one: You have to specify the full URI of your ECR registry when you deploy a workload. It is not possible to choose a registry to pull from and just type myimage:stable, as you are used to when pulling from Docker Hub.
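The updater containers discussed above all do the same job underneath: fetch a short-lived ECR authorization token, write it into a Kubernetes docker-registry Secret of the kind that `imagePullSecrets: - name: myk8sregistrysecret` points at, and repeat before the token expires. The following Python script is an added example that is not from this thread, from Rancher, or from the ecr-updater project; it builds that Secret manifest from a token, gives the ServiceAccount patch that lets pods in a namespace inherit the pull secret without editing every workload’s YAML, and decides when a refresh is due. The function names, the 2-hour refresh margin and the sample account id / token are assumptions and constructed values; the only live call (boto3 `get_authorization_token`) is isolated in one function and needs AWS credentials with `ecr:GetAuthorizationToken`.

```python
# Added example, not from the thread or from Rancher: turn an ECR authorization
# token into the Kubernetes docker-registry Secret that imagePullSecrets refers to.
import base64
import json
from datetime import datetime, timedelta, timezone

# ECR authorization tokens are valid for 12 hours; refresh well before that.
ECR_TOKEN_LIFETIME = timedelta(hours=12)
REFRESH_MARGIN = timedelta(hours=2)  # assumption: refresh 2 h before expiry


def decode_authorization_token(token_b64):
    """GetAuthorizationToken returns base64("AWS:<password>"); split it into (user, password)."""
    user, password = base64.b64decode(token_b64).decode("utf-8").split(":", 1)
    return user, password


def docker_config_json(registry, username, password):
    """The ~/.docker/config.json structure that kubelet reads from a dockerconfigjson Secret."""
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"auths": {registry: {"username": username, "password": password, "auth": auth}}}


def registry_secret_manifest(name, namespace, registry, username, password):
    """Same object `kubectl create secret docker-registry <name> ...` would create."""
    config = json.dumps(docker_config_json(registry, username, password), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode("utf-8")).decode("ascii")},
    }


def pull_secret_auth(manifest, registry):
    """Read the auth entry back out of a dockerconfigjson Secret (to verify what was applied)."""
    config = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))
    return config["auths"][registry]["auth"]


def service_account_patch(secret_name):
    """Body for `kubectl patch serviceaccount default -p '<json>'`: pods using that
    ServiceAccount get the pull secret without an imagePullSecrets edit per workload."""
    return {"imagePullSecrets": [{"name": secret_name}]}


def needs_refresh(expires_at, now, margin=REFRESH_MARGIN):
    """True when the token is expired or within `margin` of expiring.
    Accepts datetimes or ISO-8601 strings with a UTC offset."""
    if isinstance(expires_at, str):
        expires_at = datetime.fromisoformat(expires_at)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now >= expires_at - margin


def fetch_ecr_credentials(region):
    """Live path, not exercised offline: needs boto3 and AWS credentials."""
    import boto3  # assumption: boto3 installed; imported lazily so the rest runs without it
    data = boto3.client("ecr", region_name=region).get_authorization_token()["authorizationData"][0]
    registry = data["proxyEndpoint"].replace("https://", "", 1)
    user, password = decode_authorization_token(data["authorizationToken"])
    return registry, user, password, data["expiresAt"]


# Constructed sample values (not real credentials): account id and token are made up.
SAMPLE_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
SAMPLE_TOKEN = base64.b64encode(b"AWS:constructed-ecr-password").decode("ascii")

if __name__ == "__main__":
    user, password = decode_authorization_token(SAMPLE_TOKEN)
    manifest = registry_secret_manifest("myk8sregistrysecret", "default", SAMPLE_REGISTRY, user, password)
    print(json.dumps(manifest, indent=2))  # pipe to: kubectl apply -f -
    print(json.dumps(service_account_patch("myk8sregistrysecret")))
    issued = datetime.now(timezone.utc)
    print("refresh needed right after issue:", needs_refresh(issued + ECR_TOKEN_LIFETIME, issued))
```

Run it periodically (a CronJob well inside the 12-hour window is the usual choice) and apply the printed Secret; the `.dockerconfigjson` payload contains the live password, so treat the Secret with the same care as the AWS credentials that produced it and keep `ecr:GetAuthorizationToken` scoped to the identity the updater runs as.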


#12

AFAIK, the guys @ Rancher Labs are working on both topics (scheduled for v2.1.2 and v2.2). See @ Github: rancher/rancher/issues/15725, rancher/rancher/issues/13339 and rancher/rancher/issues/15554 (the Github issues got a bit confusing, though :slight_smile:)