Issue 66 - AWS ECR Credentials

cmd/app/options.go

@@ -27,10 +27,6 @@ const (
 	envDockerPassword = "DOCKER_PASSWORD"
 	envDockerToken    = "DOCKER_TOKEN"
 
-	envECRAccessKeyID     = "ECR_ACCESS_KEY_ID"
-	envECRSecretAccessKey = "ECR_SECRET_ACCESS_KEY"
-	envECRSessionToken    = "ECR_SESSION_TOKEN"
-
 	envGCRAccessToken = "GCR_TOKEN"
 
 	envQuayToken = "QUAY_TOKEN"
@@ -153,27 +149,6 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 		))
 	///
 
-	/// ECR
-	fs.StringVar(&o.Client.ECR.AccessKeyID,
-		"ecr-access-key-id", "",
-		fmt.Sprintf(
-			"ECR access key ID for read access to private registries (%s_%s).",
-			envPrefix, envECRAccessKeyID,
-		))
-	fs.StringVar(&o.Client.ECR.SecretAccessKey,
-		"ecr-secret-access-key", "",
-		fmt.Sprintf(
-			"ECR secret access key for read access to private registries (%s_%s).",
-			envPrefix, envECRSecretAccessKey,
-		))
-	fs.StringVar(&o.Client.ECR.SessionToken,
-		"ecr-session-token", "",
-		fmt.Sprintf(
-			"ECR session token for read access to private registries (%s_%s).",
-			envPrefix, envECRSessionToken,
-		))
-	///
-
 	/// GCR
 	fs.StringVar(&o.Client.GCR.Token,
 		"gcr-token", "",
@@ -237,10 +212,6 @@ func (o *Options) complete() {
 		{envDockerPassword, &o.Client.Docker.Password},
 		{envDockerToken, &o.Client.Docker.Token},
 
-		{envECRAccessKeyID, &o.Client.ECR.AccessKeyID},
-		{envECRSessionToken, &o.Client.ECR.SessionToken},
-		{envECRSecretAccessKey, &o.Client.ECR.SecretAccessKey},
-
 		{envGCRAccessToken, &o.Client.GCR.Token},
 
 		{envQuayToken, &o.Client.Quay.Token},

cmd/app/options_test.go

@@ -8,7 +8,6 @@ import (
 	"github.com/jetstack/version-checker/pkg/client"
 	"github.com/jetstack/version-checker/pkg/client/acr"
 	"github.com/jetstack/version-checker/pkg/client/docker"
-	"github.com/jetstack/version-checker/pkg/client/ecr"
 	"github.com/jetstack/version-checker/pkg/client/gcr"
 	"github.com/jetstack/version-checker/pkg/client/quay"
 	"github.com/jetstack/version-checker/pkg/client/selfhosted"
@@ -33,9 +32,6 @@ func TestComplete(t *testing.T) {
 				{"VERSION_CHECKER_DOCKER_USERNAME", "docker-username"},
 				{"VERSION_CHECKER_DOCKER_PASSWORD", "docker-password"},
 				{"VERSION_CHECKER_DOCKER_TOKEN", "docker-token"},
-				{"VERSION_CHECKER_ECR_ACCESS_KEY_ID", "ecr-access-token"},
-				{"VERSION_CHECKER_ECR_SECRET_ACCESS_KEY", "ecr-secret-access-token"},
-				{"VERSION_CHECKER_ECR_SESSION_TOKEN", "ecr-session-token"},
 				{"VERSION_CHECKER_GCR_TOKEN", "gcr-token"},
 				{"VERSION_CHECKER_QUAY_TOKEN", "quay-token"},
 				{"VERSION_CHECKER_SELFHOSTED_HOST_FOO", "docker.joshvanl.com"},
@@ -54,11 +50,6 @@ func TestComplete(t *testing.T) {
 					Password: "docker-password",
 					Token:    "docker-token",
 				},
-				ECR: ecr.Options{
-					AccessKeyID:     "ecr-access-token",
-					SecretAccessKey: "ecr-secret-access-token",
-					SessionToken:    "ecr-session-token",
-				},
 				GCR: gcr.Options{
 					Token: "gcr-token",
 				},
@@ -87,9 +78,6 @@ func TestComplete(t *testing.T) {
 				{"VERSION_CHECKER_DOCKER_USERNAME", "docker-username"},
 				{"VERSION_CHECKER_DOCKER_PASSWORD", "docker-password"},
 				{"VERSION_CHECKER_DOCKER_TOKEN", "docker-token"},
-				{"VERSION_CHECKER_ECR_ACCESS_KEY_ID", "ecr-access-token"},
-				{"VERSION_CHECKER_ECR_SECRET_ACCESS_KEY", "ecr-secret-access-token"},
-				{"VERSION_CHECKER_ECR_SESSION_TOKEN", "ecr-session-token"},
 				{"VERSION_CHECKER_GCR_TOKEN", "gcr-token"},
 				{"VERSION_CHECKER_QUAY_TOKEN", "quay-token"},
 				{"VERSION_CHECKER_SELFHOSTED_HOST_FOO", "docker.joshvanl.com"},
@@ -108,11 +96,6 @@ func TestComplete(t *testing.T) {
 					Password: "docker-password",
 					Token:    "docker-token",
 				},
-				ECR: ecr.Options{
-					AccessKeyID:     "ecr-access-token",
-					SecretAccessKey: "ecr-secret-access-token",
-					SessionToken:    "ecr-session-token",
-				},
 				GCR: gcr.Options{
 					Token: "gcr-token",
 				},

deploy/charts/version-checker/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "v0.2.1"
-version: 0.2.2
+appVersion: "v0.3.0"
+version: 0.3.0
 description: A Helm chart for version-checker
 home: https://github.com/joshvanl/verison-checker
 name: version-checker

deploy/charts/version-checker/templates/deployment.yaml

@@ -1,5 +1,5 @@
 {{- $secretEnabled := false }}
-{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.ecr.accessKeyID .Values.ecr.secretAccessKey .Values.ecr.sessionToken .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }}
+{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }}
 {{- $secretEnabled = true }}
 {{- end }}
 {{ $chartname := include "version-checker.name" . }}
@@ -64,29 +64,6 @@ spec:
               key: acr.password
         {{- end }}
 
-        # ECR
-        {{- if .Values.ecr.accessKeyID }}
-        - name: VERSION_CHECKER_ECR_ACCESS_KEY_ID
-          valueFrom:
-            secretKeyRef:
-              name: {{ $chartname }}
-              key: ecr.accessKeyID
-        {{- end }}
-        {{- if .Values.ecr.secretAccessKey }}
-        - name: VERSION_CHECKER_ECR_SECRET_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: {{ $chartname }}
-              key: ecr.secretAccessKey
-        {{- end }}
-        {{- if .Values.ecr.sessionToken }}
-        - name: VERSION_CHECKER_ECR_SESSION_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: {{ $chartname }}
-              key: ecr.sessionToken
-        {{- end }}
-
         # Docker
         {{- if .Values.docker.token }}
         - name: VERSION_CHECKER_DOCKER_TOKEN

deploy/charts/version-checker/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.ecr.accessKeyID .Values.ecr.secretAccessKey .Values.ecr.sessionToken .Values.docker.username .Values.docker.password .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }}
+{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }}
 apiVersion: v1
 data:
   # ACR
@@ -23,17 +23,6 @@ data:
   docker.password: {{.Values.docker.password | b64enc }}
   {{- end}}
 
-  # ECR
-  {{- if .Values.ecr.accessKeyID }}
-  ecr.accessKeyID: {{ .Values.ecr.accessKeyID | b64enc }}
-  {{- end}}
-  {{- if .Values.ecr.secretAccessKey }}
-  ecr.secretAccessKey: {{ .Values.ecr.secretAccessKey | b64enc }}
-  {{- end}}
-  {{- if .Values.ecr.sessionToken }}
-  ecr.sessionToken: {{ .Values.ecr.sessionToken | b64enc }}
-  {{- end}}
-
   # GCR
   {{- if .Values.gcr.token }}
   gcr.token: {{ .Values.gcr.token | b64enc }}

deploy/charts/version-checker/templates/serviceaccount.yaml

@@ -3,4 +3,7 @@ kind: ServiceAccount
 metadata:
   labels:
 {{ include "version-checker.labels" . | indent 4 }}
+{{- with .Values.serviceAccount.annotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
   name: {{ include "version-checker.name" . }}

deploy/charts/version-checker/values.yaml

@@ -12,6 +12,9 @@ image:
 service:
   port: 8080
 
+serviceAccount:
+  annotations: {}
+
 versionChecker:
   imageCacheTimeout: 30m
   logLevel: info # debug, info, warn, error, fatal, panic
@@ -28,11 +31,6 @@ docker:
   password:
   token:
 
-ecr:
-  accessKeyID:
-  secretAccessKey:
-  sessionToken:
-
 gcr:
   token:
 
@@ -42,7 +40,8 @@ quay:
 # Can be used to provide custom environment variables e.g. proxy settings
 env: {}
 
-selfhosted: {}
+selfhosted:
+  {}
   #- name: REGISTRY
   #  host: http://registry:5000
   #  username:
@@ -54,7 +53,8 @@ selfhosted: {}
   #  password: bar
   #  token:
 
-resources: {}
+resources:
+  {}
   # limits:
   #   cpu: 100m
   #   memory: 128Mi

pkg/client/client.go

@@ -45,7 +45,6 @@ type Client struct {
 // Options used to configure client authentication.
 type Options struct {
 	ACR        acr.Options
-	ECR        ecr.Options
 	GCR        gcr.Options
 	Docker     docker.Options
 	Quay       quay.Options
@@ -82,7 +81,7 @@ func New(ctx context.Context, log *logrus.Entry, opts Options) (*Client, error)
 		clients: append(
 			selfhostedClients,
 			acrClient,
-			ecr.New(opts.ECR),
+			ecr.New(),
 			dockerClient,
 			gcr.New(opts.GCR),
 			quay.New(opts.Quay),

pkg/client/ecr/ecr.go

@@ -6,7 +6,6 @@ import (
 	"sync"
 
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 
@@ -17,19 +16,10 @@ import (
 type Client struct {
 	cacheMu             sync.Mutex
 	cachedRegionClients map[string]*ecr.ECR
-
-	Options
-}
-
-type Options struct {
-	AccessKeyID     string
-	SecretAccessKey string
-	SessionToken    string
 }
 
-func New(opts Options) *Client {
+func New() *Client {
 	return &Client{
-		Options:             opts,
 		cachedRegionClients: make(map[string]*ecr.ECR),
 	}
 }
@@ -108,8 +98,7 @@ func (c *Client) getClient(region string) (*ecr.ECR, error) {
 
 func (c *Client) createRegionClient(region string) (*ecr.ECR, error) {
 	sess, err := session.NewSession(&aws.Config{
-		Credentials: credentials.NewStaticCredentials(c.AccessKeyID, c.SecretAccessKey, c.SessionToken),
-		Region:      &region,
+		Region: &region,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to construct aws credentials: %s", err)