diff --git a/cmd/app/options.go b/cmd/app/options.go index 358a04af..1ef87952 100644 --- a/cmd/app/options.go +++ b/cmd/app/options.go @@ -29,11 +29,6 @@ const ( envDockerPassword = "DOCKER_PASSWORD" envDockerToken = "DOCKER_TOKEN" - envECRIamRoleArn = "ECR_IAM_ROLE_ARN" - envECRAccessKeyID = "ECR_ACCESS_KEY_ID" - envECRSecretAccessKey = "ECR_SECRET_ACCESS_KEY" - envECRSessionToken = "ECR_SESSION_TOKEN" - envGCRAccessToken = "GCR_TOKEN" envGHCRAccessToken = "GHCR_TOKEN" @@ -164,33 +159,6 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) { )) /// - /// ECR - fs.StringVar(&o.Client.ECR.IamRoleArn, - "ecr-iam-role-arn", "", - fmt.Sprintf( - "IAM role ARN for read access to private registries, can not be used with access-key/secret-key/session-token (%s_%s).", - envPrefix, envECRIamRoleArn, - )) - fs.StringVar(&o.Client.ECR.AccessKeyID, - "ecr-access-key-id", "", - fmt.Sprintf( - "ECR access key ID for read access to private registries (%s_%s).", - envPrefix, envECRAccessKeyID, - )) - fs.StringVar(&o.Client.ECR.SecretAccessKey, - "ecr-secret-access-key", "", - fmt.Sprintf( - "ECR secret access key for read access to private registries (%s_%s).", - envPrefix, envECRSecretAccessKey, - )) - fs.StringVar(&o.Client.ECR.SessionToken, - "ecr-session-token", "", - fmt.Sprintf( - "ECR session token for read access to private registries (%s_%s).", - envPrefix, envECRSessionToken, - )) - /// - /// GCR fs.StringVar(&o.Client.GCR.Token, "gcr-token", "", @@ -283,11 +251,6 @@ func (o *Options) complete() { {envDockerPassword, &o.Client.Docker.Password}, {envDockerToken, &o.Client.Docker.Token}, - {envECRIamRoleArn, &o.Client.ECR.IamRoleArn}, - {envECRAccessKeyID, &o.Client.ECR.AccessKeyID}, - {envECRSessionToken, &o.Client.ECR.SessionToken}, - {envECRSecretAccessKey, &o.Client.ECR.SecretAccessKey}, - {envGCRAccessToken, &o.Client.GCR.Token}, {envGHCRAccessToken, &o.Client.GHCR.Token}, diff --git a/cmd/app/options_test.go b/cmd/app/options_test.go index 3f8b60a3..d5e5a629 100644 
--- a/cmd/app/options_test.go +++ b/cmd/app/options_test.go @@ -8,7 +8,6 @@ import ( "github.com/jetstack/version-checker/pkg/client" "github.com/jetstack/version-checker/pkg/client/acr" "github.com/jetstack/version-checker/pkg/client/docker" - "github.com/jetstack/version-checker/pkg/client/ecr" "github.com/jetstack/version-checker/pkg/client/gcr" "github.com/jetstack/version-checker/pkg/client/ghcr" "github.com/jetstack/version-checker/pkg/client/quay" @@ -34,10 +33,6 @@ func TestComplete(t *testing.T) { {"VERSION_CHECKER_DOCKER_USERNAME", "docker-username"}, {"VERSION_CHECKER_DOCKER_PASSWORD", "docker-password"}, {"VERSION_CHECKER_DOCKER_TOKEN", "docker-token"}, - {"VERSION_CHECKER_ECR_IAM_ROLE_ARN", "iam-role-arn"}, - {"VERSION_CHECKER_ECR_ACCESS_KEY_ID", "ecr-access-token"}, - {"VERSION_CHECKER_ECR_SECRET_ACCESS_KEY", "ecr-secret-access-token"}, - {"VERSION_CHECKER_ECR_SESSION_TOKEN", "ecr-session-token"}, {"VERSION_CHECKER_GCR_TOKEN", "gcr-token"}, {"VERSION_CHECKER_GHCR_TOKEN", "ghcr-token"}, {"VERSION_CHECKER_QUAY_TOKEN", "quay-token"}, @@ -57,12 +52,6 @@ func TestComplete(t *testing.T) { Password: "docker-password", Token: "docker-token", }, - ECR: ecr.Options{ - IamRoleArn: "iam-role-arn", - AccessKeyID: "ecr-access-token", - SecretAccessKey: "ecr-secret-access-token", - SessionToken: "ecr-session-token", - }, GCR: gcr.Options{ Token: "gcr-token", }, @@ -95,10 +84,6 @@ func TestComplete(t *testing.T) { {"VERSION_CHECKER_DOCKER_USERNAME", "docker-username"}, {"VERSION_CHECKER_DOCKER_PASSWORD", "docker-password"}, {"VERSION_CHECKER_DOCKER_TOKEN", "docker-token"}, - {"VERSION_CHECKER_ECR_IAM_ROLE_ARN", "iam-role-arn"}, - {"VERSION_CHECKER_ECR_ACCESS_KEY_ID", "ecr-access-token"}, - {"VERSION_CHECKER_ECR_SECRET_ACCESS_KEY", "ecr-secret-access-token"}, - {"VERSION_CHECKER_ECR_SESSION_TOKEN", "ecr-session-token"}, {"VERSION_CHECKER_GCR_TOKEN", "gcr-token"}, {"VERSION_CHECKER_GHCR_TOKEN", "ghcr-token"}, {"VERSION_CHECKER_QUAY_TOKEN", "quay-token"}, 
@@ -125,12 +110,6 @@ func TestComplete(t *testing.T) { Password: "docker-password", Token: "docker-token", }, - ECR: ecr.Options{ - IamRoleArn: "iam-role-arn", - AccessKeyID: "ecr-access-token", - SecretAccessKey: "ecr-secret-access-token", - SessionToken: "ecr-session-token", - }, GCR: gcr.Options{ Token: "gcr-token", }, diff --git a/deploy/charts/version-checker/templates/deployment.yaml b/deploy/charts/version-checker/templates/deployment.yaml index 2004b210..17866241 100644 --- a/deploy/charts/version-checker/templates/deployment.yaml +++ b/deploy/charts/version-checker/templates/deployment.yaml @@ -1,5 +1,5 @@ {{- $secretEnabled := false }} -{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.ecr.accessKeyID .Values.ecr.secretAccessKey .Values.ecr.sessionToken .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }} +{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }} {{- $secretEnabled = true }} {{- end }} {{ $chartname := include "version-checker.name" . }} 
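Review bot: In deployment.yaml the rewritten `$secretEnabled` condition still leaves out `.Values.ghcr.token`, while the matching condition in templates/secret.yaml, changed in the same commit, includes it. If `$secretEnabled` gates how the Secret is wired into the Deployment, a release that sets only `ghcr.token` would render the Secret but not the reference to it; the rest of the template is outside the hunk, so this needs checking against the full file. Adding `.Values.ghcr.token` to the `or` list here, or moving the shared condition into one named template used by both files, would keep the two in step.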
@@ -87,33 +87,6 @@ spec: key: acr.password {{- end }} - # ECR - {{- if .Values.ecr.iamRoleArn }} - - name: VERSION_CHECKER_ECR_IAM_ROLE_ARN - value: {{ .Values.ecr.iamRoleArn }} - {{- end }} - {{- if .Values.ecr.accessKeyID }} - - name: VERSION_CHECKER_ECR_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: ecr.accessKeyID - {{- end }} - {{- if .Values.ecr.secretAccessKey }} - - name: VERSION_CHECKER_ECR_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: ecr.secretAccessKey - {{- end }} - {{- if .Values.ecr.sessionToken }} - - name: VERSION_CHECKER_ECR_SESSION_TOKEN - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: ecr.sessionToken - {{- end }} - # Docker {{- if .Values.docker.token }} - name: VERSION_CHECKER_DOCKER_TOKEN diff --git a/deploy/charts/version-checker/templates/secret.yaml b/deploy/charts/version-checker/templates/secret.yaml index 948af622..3e4372bf 100644 --- a/deploy/charts/version-checker/templates/secret.yaml +++ b/deploy/charts/version-checker/templates/secret.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.ecr.accessKeyID .Values.ecr.secretAccessKey .Values.ecr.sessionToken .Values.docker.username .Values.docker.password .Values.gcr.token .Values.ghcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }} +{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.gcr.token .Values.ghcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }} apiVersion: v1 data: # ACR 
@@ -23,17 +23,6 @@ data: docker.password: {{.Values.docker.password | b64enc }} {{- end}} - # ECR - {{- if .Values.ecr.accessKeyID }} - ecr.accessKeyID: {{ .Values.ecr.accessKeyID | b64enc }} - {{- end}} - {{- if .Values.ecr.secretAccessKey }} - ecr.secretAccessKey: {{ .Values.ecr.secretAccessKey | b64enc }} - {{- end}} - {{- if .Values.ecr.sessionToken }} - ecr.sessionToken: {{ .Values.ecr.sessionToken | b64enc }} - {{- end}} - # GCR {{- if .Values.gcr.token }} gcr.token: {{ .Values.gcr.token | b64enc }} diff --git a/deploy/charts/version-checker/templates/serviceaccount.yaml b/deploy/charts/version-checker/templates/serviceaccount.yaml index d44240d0..3838370d 100644 --- a/deploy/charts/version-checker/templates/serviceaccount.yaml +++ b/deploy/charts/version-checker/templates/serviceaccount.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: ServiceAccount metadata: - {{- if .Values.ecr.iamRoleArn }} - annotations: - eks.amazonaws.com/role-arn: {{ .Values.ecr.iamRoleArn }} - {{- end }} + name: {{ include "version-checker.name" . }} labels: {{ include "version-checker.labels" . | indent 4 }} - name: {{ include "version-checker.name" . }} +{{- with .Values.serviceAccount.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml index 418bbd01..2e142b47 100644 --- a/deploy/charts/version-checker/tests/deployment_test.yaml +++ b/deploy/charts/version-checker/tests/deployment_test.yaml 
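Review bot: In serviceaccount.yaml the `eks.amazonaws.com/role-arn` annotation is no longer derived from `ecr.iamRoleArn`, and nothing in the chart tells an operator who still sets `ecr.*` that the value is now ignored. After an upgrade the ServiceAccount would silently lose its role binding, and ECR calls would presumably use whatever credentials the AWS SDK finds by default in the pod, which may be broader or narrower than the intended role. A guard such as `{{- if .Values.ecr }}{{ fail "ecr.* values were removed; set serviceAccount.annotations instead" }}{{- end }}` at the top of the template would make the migration explicit. Separately, `{{- toYaml . | nindent 4 }}` is the more usual form than the column-0 `{{ toYaml . | indent 4 }}` line.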
@@ -131,48 +131,6 @@ tests: key: acr.password name: version-checker - # ECR - - it: ECR should work - set: - ecr.iamRoleArn: ajbhvdsbjvh - ecr.accessKeyID: jsgbjkas - ecr.secretAccessKey: sgkjnabskjga - ecr.sessionToken: asgjasg - asserts: - - contains: - path: spec.template.spec.containers[0].env - count: 1 - content: - name: VERSION_CHECKER_ECR_IAM_ROLE_ARN - value: ajbhvdsbjvh - - contains: - path: spec.template.spec.containers[0].env - count: 1 - content: - name: VERSION_CHECKER_ECR_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: ecr.accessKeyID - name: version-checker - - contains: - path: spec.template.spec.containers[0].env - count: 1 - content: - name: VERSION_CHECKER_ECR_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: ecr.secretAccessKey - name: version-checker - - contains: - path: spec.template.spec.containers[0].env - count: 1 - content: - name: VERSION_CHECKER_ECR_SESSION_TOKEN - valueFrom: - secretKeyRef: - key: ecr.sessionToken - name: version-checker - # Docker - it: Docker should work set: diff --git a/deploy/charts/version-checker/tests/serviceaccount_test.yaml b/deploy/charts/version-checker/tests/serviceaccount_test.yaml index 9ee79fe1..239d9856 100644 --- a/deploy/charts/version-checker/tests/serviceaccount_test.yaml +++ b/deploy/charts/version-checker/tests/serviceaccount_test.yaml @@ -13,10 +13,10 @@ tests: apiVersion: v1 name: version-checker - - it: with ecr ARN Set + - it: with annotations set set: - ecr.iamRoleArn: dsjgabjgsg + serviceAccount.annotations: { "abc": "123" } asserts: - equal: - path: metadata.annotations["eks.amazonaws.com/role-arn"] - value: dsjgabjgsg + path: metadata.annotations["abc"] + value: "123" diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml index bdd0b9ee..ec488c53 100644 --- a/deploy/charts/version-checker/values.yaml +++ b/deploy/charts/version-checker/values.yaml 
@@ -27,6 +27,9 @@ service: # -- Port to expose within the service port: 8080 +serviceAccount: + annotations: {} + # -- Configure version-checkers behaviour versionChecker: # versionChecker.imageCacheTimeout -- How long to hold on to image tags and their versions @@ -56,18 +59,6 @@ docker: # docker.token -- (string) token: -# Amazon Elastic Container Registry Credentials Configuration -ecr: - # -- (string) Provide AWS EKS Iam Role ARN following: [Specify A ServiceAccount Role](https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) - iamRoleArn: - - # -- (string) - accessKeyID: - # -- (string) - secretAccessKey: - # -- (string) - sessionToken: - # Google Container Registry Credentials Configuration gcr: # gcr.token -- (string) @@ -100,7 +91,6 @@ selfhosted: # password: bar # token: - # -- Setup version-checkers resource requests/limits resources: {} diff --git a/pkg/client/client.go b/pkg/client/client.go index c8a10d21..f34798d5 100644 --- a/pkg/client/client.go +++ b/pkg/client/client.go @@ -46,7 +46,6 @@ type Client struct { // Options used to configure client authentication. type Options struct { ACR acr.Options - ECR ecr.Options GCR gcr.Options GHCR ghcr.Options Docker docker.Options @@ -84,7 +83,7 @@ func New(ctx context.Context, log *logrus.Entry, opts Options) (*Client, error) clients: append( selfhostedClients, acrClient, - ecr.New(opts.ECR), + ecr.New(), dockerClient, gcr.New(opts.GCR), ghcr.New(opts.GHCR), diff --git a/pkg/client/ecr/ecr.go b/pkg/client/ecr/ecr.go index 935ee179..cf574150 100644 --- a/pkg/client/ecr/ecr.go +++ b/pkg/client/ecr/ecr.go @@ -7,7 +7,6 @@ import ( "sync" "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/ecr" 
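Review bot: The new `serviceAccount.annotations` key in values.yaml has no description, unlike the `# --` comments on the surrounding keys, so readers of the values file get no hint of what it is for. Since this key replaces the removed `ecr.iamRoleArn`, the comment is the natural place to say how an IAM role is now bound, for example `# -- Annotations to add to the ServiceAccount, e.g. eks.amazonaws.com/role-arn to bind an IAM role on EKS`. It is also worth stating there that static ECR keys are no longer accepted through chart values.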
@@ -18,20 +17,10 @@ import ( type Client struct { cacheMu sync.Mutex cachedRegionClients map[string]*ecr.ECR - - Options -} - -type Options struct { - IamRoleArn string - AccessKeyID string - SecretAccessKey string - SessionToken string } -func New(opts Options) *Client { +func New() *Client { return &Client{ - Options: opts, cachedRegionClients: make(map[string]*ecr.ECR), } } @@ -111,16 +100,9 @@ func (c *Client) getClient(region string) (*ecr.ECR, error) { } func (c *Client) createRegionClient(region string) (*ecr.ECR, error) { - var sess *session.Session - var err error - if c.IamRoleArn != "" { - sess, err = session.NewSession() - } else { - sess, err = session.NewSession(&aws.Config{ - Credentials: credentials.NewStaticCredentials(c.AccessKeyID, c.SecretAccessKey, c.SessionToken), - Region: ®ion, - }) - } + sess, err := session.NewSession(&aws.Config{ + Region: ®ion, + }) if err != nil { return nil, fmt.Errorf("failed to construct aws credentials: %s", err) }
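Review bot: createRegionClient now takes its credentials entirely from the AWS SDK's default provider chain, but neither it nor `New` says so, and the error text `failed to construct aws credentials` no longer matches the call, which only builds a session. Where no role is bound to the pod, the chain can presumably fall through to ambient credentials such as the node's instance profile, so the credential source is worth documenting for operators who scope ECR read access. I would add a comment such as `// createRegionClient builds an ECR client for region using the SDK's default credential chain; no static credentials are read.` and change the message to `fmt.Errorf("failed to create aws session for region %q: %w", region, err)`. The function body continues past the end of the hunk.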