I want to use ArgoCD to deploy Helm charts to a Kubernetes cluster, with the charts stored in an AWS ECR repository. But I am running into a 401 Unauthorized. I have pasted the whole error below:

```
Unable to create application: application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code = Unknown desc = `helm chart pull <aws account id>.dkr.ecr.<region>.amazonaws.com/testrepo:1.1.0` failed exit status 1: Error: unexpected status code [manifests 1.1.0]: 401 Unauthorized
```
Yes, you can use ECR to store Helm charts (https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html).

I managed to add the repository to ArgoCD, but the token expires, so this is not a complete solution.

```bash
argocd repo add XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com --type helm --name some-helmreponame --enable-oci --username AWS --password $(aws ecr get-login-password --region us-east-1)
```
Using a declarative repository definition (see https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories, or just override `.argo-cd.configs.repositories` in the Helm chart), it is actually quite easy to create a CronJob that refreshes the ECR credentials:
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: argocd-ecr-credentials
spec:
  schedule: '0 */6 * * *' # every 6 hours, since credentials expire every 12 hours
  jobTemplate:
    metadata:
      name: argocd-ecr-credentials
    spec:
      template:
        spec:
          serviceAccountName: argocd-server
          restartPolicy: OnFailure
          containers:
            - name: update-secret
              image: alpine/k8s # Anything that contains kubectl + aws cli
              command:
                - /bin/bash
                - "-c"
                - |
                  # Fail the job if the AWS call fails, instead of patching in an empty password
                  set -euo pipefail
                  PASSWORD=$(aws ecr get-login-password --region [your aws region] | base64 -w 0)
                  kubectl patch secret -n argocd argocd-repo-[name of your repository] --type merge -p "{\"data\": {\"password\": \"$PASSWORD\"}}"
```
ArgoCD repository secrets are usually named `argocd-repo-*`, where the suffix is the key of the repository entry in values.yaml.

This starts a pod every 6 hours that performs the ECR login and updates the Kubernetes secret holding ArgoCD's repository definition.

Make sure to use the argocd-server service account (or create your own), otherwise the container will not be able to modify the secret.
I am trying the following (not finished yet).

Create a Secret for the AWS IAM role that allows you to fetch the ECR login password:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-ecr-get-login-password-creds
  namespace: argocd
  # No argocd.argoproj.io/secret-type label here: this secret only holds AWS
  # credentials for the workflow, it is not an ArgoCD repository definition.
stringData:
  AWS_ACCESS_KEY_ID: <Fill In>
  AWS_SECRET_ACCESS_KEY: <Fill In>
```
Now create an ArgoCD Workflow that runs every 12 hours or on a PreSync hook (completely untested, I will try to keep it updated; anyone is welcome to update it for me).

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: aws-ecr-get-login-password-
  annotations:
    argocd.argoproj.io/hook: PreSync
spec:
  entrypoint: update-ecr-login-password
  templates:
    # This is what will run.
    # First the awscli
    # Then the resource creation using the stdout of the previous step
    - name: update-ecr-login-password
      steps:
        - - name: awscli
            template: awscli
        - - name: argocd-ecr-credentials
            template: argocd-ecr-credentials
            arguments:
              parameters:
                - name: password
                  value: "{{steps.awscli.outputs.result}}"
    # Create a container that has awscli in it
    # and run it to get the password using `aws ecr get-login-password`
    - name: awscli
      script:
        image: amazon/aws-cli:latest
        command: [bash]
        source: |
          aws ecr get-login-password --region us-east-1
        # We need aws secrets that can run `aws ecr get-login-password`
        envFrom:
          - secretRef:
              name: aws-ecr-get-login-password-creds
    # Now we can create the secret that has the password in it
    - name: argocd-ecr-credentials
      inputs:
        parameters:
          - name: password
      resource:
        # apply rather than create, so the second run (secret already exists) does not fail
        action: apply
        manifest: |
          apiVersion: v1
          kind: Secret
          metadata:
            name: argocd-ecr-credentials
            namespace: argocd
            labels:
              argocd.argoproj.io/secret-type: repository
          stringData:
            url: 133696059149.dkr.ecr.us-east-1.amazonaws.com
            # type/enableOCI tell ArgoCD this is an OCI Helm registry (as with --type helm --enable-oci)
            type: helm
            enableOCI: "true"
            username: AWS
            password: {{inputs.parameters.password}}
```
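The two approaches above share two shortcuts a security reviewer would flag: the CronJob borrows the argocd-server service account (which can touch far more than one secret), and the Workflow keeps a long-lived IAM access key in a Secret. The manifests below are an added example, not code from either answer: the refresh job runs under its own service account whose Role can only get and patch the single repository secret, and that service account obtains AWS credentials through an IRSA role annotation instead of a stored access key. The account ID 123456789012, region us-east-1, IAM role name argocd-ecr-refresh and secret name argocd-repo-ecr are placeholders; the IAM role must already exist, trust the cluster's OIDC provider, and carry ecr:GetAuthorizationToken plus the pull actions on the chart repository, because the token ArgoCD ends up using has exactly that role's permissions.

```yaml
# Added example (not from the answers above). Placeholders: 123456789012,
# us-east-1, the argocd-ecr-refresh IAM role and the argocd-repo-ecr secret.
---
# 1. The ArgoCD repository secret the job keeps fresh. The password here is a
#    placeholder that the CronJob overwrites on its first run.
apiVersion: v1
kind: Secret
metadata:
  name: argocd-repo-ecr
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  name: ecr
  type: helm
  enableOCI: "true"
  url: 123456789012.dkr.ecr.us-east-1.amazonaws.com
  username: AWS
  password: placeholder-refreshed-by-cronjob
---
# 2. Dedicated service account. The IRSA annotation lets the AWS CLI in the pod
#    assume this role via the cluster OIDC provider, so no access key lives in
#    the cluster. The role needs ecr:GetAuthorizationToken and, for the pulls
#    ArgoCD performs with the token, ecr:BatchGetImage,
#    ecr:GetDownloadUrlForLayer and ecr:BatchCheckLayerAvailability.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-ecr-refresh
  namespace: argocd
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/argocd-ecr-refresh
---
# 3. Kubernetes least privilege: get/patch on this one secret only (no list, no
#    other secrets in the argocd namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-ecr-refresh
  namespace: argocd
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["argocd-repo-ecr"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-ecr-refresh
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-ecr-refresh
subjects:
  - kind: ServiceAccount
    name: argocd-ecr-refresh
    namespace: argocd
---
# 4. The refresh job. ECR tokens last 12 hours; running every 6 leaves a full
#    token lifetime of slack if one run fails.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: argocd-ecr-refresh
  namespace: argocd
spec:
  schedule: "0 */6 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      backoffLimit: 3
      template:
        spec:
          serviceAccountName: argocd-ecr-refresh
          restartPolicy: OnFailure
          containers:
            - name: refresh
              image: alpine/k8s   # has kubectl and the AWS CLI; pin a tag in real use
              env:
                - name: AWS_REGION
                  value: us-east-1
                - name: SECRET_NAME
                  value: argocd-repo-ecr
              command: ["/bin/bash", "-c"]
              args:
                - |
                  set -euo pipefail
                  # Abort rather than patch an empty password if the AWS call fails.
                  token="$(aws ecr get-login-password --region "$AWS_REGION")"
                  [ -n "$token" ] || { echo "empty ECR token" >&2; exit 1; }
                  # tr instead of base64 -w 0: the busybox base64 may not support -w.
                  b64="$(printf '%s' "$token" | base64 | tr -d '\n')"
                  kubectl patch secret -n argocd "$SECRET_NAME" --type merge \
                    -p "{\"data\":{\"password\":\"$b64\"}}"
```

After applying, trigger the first refresh immediately rather than waiting for the next schedule tick with `kubectl -n argocd create job --from=cronjob/argocd-ecr-refresh argocd-ecr-refresh-now`, then re-check the application: the 401 disappears once the secret holds a current token, and the Role's `resourceNames` guarantees a compromised job pod cannot read or alter any other secret in the namespace.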
You can do this with an external secrets controller, as described in the article: