You can spin up a special container that handles the updates of your ECR session tokens:
Here is a version with some tweaks, too:
GitHub - sehucke/ecr-updater: Allows use of AWS ECR registries with Kubernetes no matter where your cluster is running. Minor tweaks aside, the most important change was to use a kubectl-proxy implementation that is more open source and has a credible author (Lachlan Evenson / lachie83 @ GitHub). But this is up to you.
See as well: How to refresh ECR credentials in a non-AWS Rancher 2.x installation · Issue #14907 · rancher/rancher · GitHub
The above-mentioned solution works pretty well to keep your ECR login token valid. But currently there are some obstacles to work around to successfully deploy using your ECR registry.
- See Private registry not working → You have to manually alter the yaml file of your workloads to include this:

  ```yaml
  imagePullSecrets:
  - name: myk8sregistrysecret
  ```

  And you have to do that every time you alter your workload. So…
  - Configure a new workload to use your ECR registry and launch it.
  - Edit your workload’s yaml definition and insert `imagePullSecrets...` at the correct line.
  - Upgrade your workload with the new yaml definition.
- And a minor one: You have to specify the full URI to your ECR registry when you deploy a workload. It is not possible to choose a registry to pull from and just type `myimage:stable` as you are used to when pulling from Docker Hub.
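An added example, not part of the original post or of ecr-updater: it builds the `kubernetes.io/dockerconfigjson` secret from an ECR authorization token, inserts the `imagePullSecrets` reference into a workload idempotently, and flags images that lack the full registry URI. The function names, the Deployment-style pod template path, the registry host and the token are assumptions constructed for illustration.

```python
import base64
import json

def ecr_pull_secret(auth_token_b64, registry, name, namespace="default"):
    """Build a kubernetes.io/dockerconfigjson Secret from an ECR token."""
    # An ECR authorization token is base64("AWS:<password>").
    user, _, password = base64.b64decode(auth_token_b64).decode().partition(":")
    if user != "AWS" or not password:
        raise ValueError("not an ECR authorization token")
    cfg = {"auths": {registry: {"username": user, "password": password,
                                "auth": auth_token_b64}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def add_pull_secret(workload, secret_name):
    """Reference the secret from the pod template; safe to re-run."""
    pod_spec = workload["spec"]["template"]["spec"]
    refs = pod_spec.setdefault("imagePullSecrets", [])
    if {"name": secret_name} not in refs:
        refs.append({"name": secret_name})
    return workload

def images_missing_registry(workload, registry):
    """Return container images not addressed by the full registry URI."""
    containers = workload["spec"]["template"]["spec"].get("containers", [])
    return [c["image"] for c in containers
            if not c["image"].startswith(registry + "/")]

# Constructed sample values (not real credentials or a real account).
REGISTRY = "123456789012.dkr.ecr.eu-central-1.amazonaws.com"
TOKEN = base64.b64encode(b"AWS:constructed-password").decode()
WORKLOAD = {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "web"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "web", "image": REGISTRY + "/myimage:stable"},
                {"name": "sidecar", "image": "myimage:stable"}]}}}}

if __name__ == "__main__":
    print(json.dumps(ecr_pull_secret(TOKEN, REGISTRY, "myk8sregistrysecret"), indent=2))
    print(json.dumps(add_pull_secret(WORKLOAD, "myk8sregistrysecret"), indent=2))
    print("short image names:", images_missing_registry(WORKLOAD, REGISTRY))
```

Both manifests are emitted as JSON, which `kubectl apply -f` accepts as well as YAML. The secret holds a live registry credential, so keep it out of version control.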