【问题标题】:How to deploy helm charts which are stored in AWS ECR using argoCD如何使用 argoCD 部署存储在 AWS ECR 中的 helm 图表
【发布时间】:2023-04-05 23:16:01
【问题描述】:

我想使用 ArgoCD 在 kubernetes 集群中部署 helm 图表,这些图表存储在 AWS ECR 的存储库中。但我收到了 401 未经授权的问题。我已将整个问题粘贴在下面

Unable to create application: application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code = Unknown desc = `helm chart pull <aws account id>.dkr.ecr.<region>.amazonaws.com/testrepo:1.1.0` failed exit status 1: Error: unexpected status code [manifests 1.1.0]: 401 Unauthorized

【问题讨论】:

标签: kubernetes kubernetes-helm amazon-ecr argocd


【解决方案1】:

是的,您可以使用 ECR 存储舵图 (https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html)

我已设法将 repo 添加到 ArgoCD,但令牌已过期,因此它不是一个完整的解决方案。

argocd repo add XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com --type helm --name some-helmreponame --enable-oci --username AWS --password $(aws ecr get-login-password --region us-east-1)

【讨论】:

    【解决方案2】:

    我正在尝试以下(尚未完成)

    为允许您获取 ECR 登录密码的 AWS IAM 角色创建密钥。

    apiVersion: v1
    kind: Secret
    metadata:
      name: aws-ecr-get-login-password-creds
      namespace: argocd
      labels:
        argocd.argoproj.io/secret-type: repository
    stringData:
      AWS_ACCESS_KEY_ID: <Fill In>
      AWS_SECRET_ACCESS_KEY: <Fill In>
    

    现在创建一个每 12 小时运行一次或在 PreSync Hook 上运行的 ArgoCD 工作流程(完全未经测试,将尝试保持更新,任何人都可以为我更新)。

    apiVersion: argoproj.io/v1alpha1
    kind: Workflow
    metadata:
      generateName: aws-ecr-get-login-password-
      annotations:
        argocd.argoproj.io/hook: PreSync
    spec:
      entrypoint: update-ecr-login-password
      templates:
    
        # This is what will run.
        # First the awscli
        # Then the resource creation using the stdout of the previous step
        - name: update-ecr-login-password
          steps:
            - - name: awscli
                template: awscli
            - - name: argocd-ecr-credentials
                template: argocd-ecr-credentials
                arguments:
                  parameters:
                  - name: password
                    value: "{{steps.awscli.outputs.result}}"
    
        # Create a container that has awscli in it
        # and run it to get the password using `aws ecr get-login-password`
        - name: awscli
          script:
            image: amazon/aws-cli:latest
            command: [bash]
            source: |
              aws ecr get-login-password --region us-east-1
            # We need aws secrets that can run `aws ecr get-login-password`
            envFrom:
              - secretRef:
                  name: aws-ecr-get-login-password-creds
    
        # Now we can create the secret that has the password in it
        - name: argocd-ecr-credentials
          inputs:
            parameters:
              - name: password
          resource:
            action: create
            manifest: |
              apiVersion: v1
              kind: Secret
              metadata:
                name: argocd-ecr-credentials
                namespace: argocd
                labels:
                  argocd.argoproj.io/secret-type: repository
              stringData:
                url: 133696059149.dkr.ecr.us-east-1.amazonaws.com
                username: AWS
                password: {{inputs.parameters.password}}
    

    【讨论】:

      猜你喜欢
      • 2022-10-17
      • 2021-04-29
      • 1970-01-01
      • 2022-07-07
      • 2022-08-08
      • 1970-01-01
      • 2021-12-13
      • 2021-01-21
      • 2023-01-25
      相关资源
      最近更新 更多