How can you update the password for an AWS ECR repo in Kubernetes?

Solution 1:

The easiest way to create and update a docker-registry secret in Rancher 2.x for an AWS ECR repo is to set up a CRON job that uses the AWS CLI and Kubectl.

  • Log into the host machine where the cluster is running
  • Install the AWS CLI and configure it to use an IAM role that can read the ECR credentials.
  • Test the CLI config using this command:

aws ecr --region <your_ecr's_region> get-login-password

  • Install kubectl and configure it with the yaml for the cluster in which you want to define the secret, then run a kubectl get pods to make sure it's all good.
  • Create a shell script like this (delete is necessary because for some reason there is no way to update/overwrite a secret):
kubectl delete secret <name_of_the_docker_registry_secret>
kubectl create secret docker-registry <name_of_the_docker_registry_secret> \
  --docker-server=<your_ecr_registry_uri> \
  --docker-username=AWS \
  --docker-password=$(aws ecr --region <your_ecr's_region> get-login-password) \
  --docker-email=<your_notification_email>
  • Setup a cron job to run this shell script every 6 hours (AWS resets the password every 12, so just to be on the safe side).

The secret will show up in the default project for the cluster and will be used anytime Kubernetes wants to do something related to your ECR registry.