AWS ECR Integration with Spinnaker

Overview

  • This blog shows how to configure AWS ECR with Spinnaker and walks through creating a simple deploy pipeline.

Advantages of AWS ECR

  • Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.
  • Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow. Amazon ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure. Amazon ECR hosts your images in a highly available and scalable architecture, allowing you to reliably deploy containers for your applications.

Prerequisites

  • An active Kubernetes cluster with Spinnaker installed. If you do not have an active Spinnaker, follow this document
  • AWS must be configured as a cloud provider in Spinnaker.
  • ECR Plugin added to Jenkins or any CI. Create a Job to build and push images into ECR.

Step by Step Instructions to Integrate ECR on Spinnaker

  • Once all the prerequisites are met, start with the setup for a pipeline that will build and deploy applications into Kubernetes.
  • Add a GitHub artifact account to Spinnaker.
  • Log in to the AWS Console and create an ECR repo for Jenkins to push images to.
  • Execute the commands below to configure ECR on Spinnaker:
ACCOUNT_ID="<aws-account-id>"   # replace with your AWS account ID
REGION="<aws-region>"           # replace with your preferred region
MANAGED_ROLE=spinnakerManaged
ADDRESS=$ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com

hal config provider docker-registry account add my-ecr-registry \
 --address $ADDRESS \
 --username AWS \
 --password-command "read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< \`aws sts assume-role --role-arn arn:aws:iam::$ACCOUNT_ID:role/$MANAGED_ROLE --query '[Credentials.AccessKeyId, Credentials.SecretAccessKey, Credentials.SessionToken]'  --output text --role-session-name $ACCOUNT_ID-$REGION-$MANAGED_ROLE\`; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; aws ecr get-authorization-token --region $REGION --output text --query 'authorizationData[].authorizationToken'  --registry-ids $ACCOUNT_ID| base64 -d | sed 's/^AWS://'"
hal deploy apply

Step by Step Instructions to Setup a Pipeline

  • Before we start the pipeline creation, here is a quick look at the basic concepts, which makes things easier to understand:
    1. Application – An application represents the service you are going to deploy using Spinnaker, all configuration for that service, and all the infrastructure on which it will run. You will typically create a different application for each service, though Spinnaker does not enforce that.
    2. Pipeline – A pipeline is a sequence of stages provided by Spinnaker, ranging from functions that manipulate infrastructure (deploy, resize, disable) to utility scaffolding functions (manual judgment, wait, run Jenkins job). All of these together precisely define the runbook for managing your deployments.
    3. Stage – A Stage in Spinnaker is an atomic building block for a pipeline, describing an action that the pipeline will perform. You can sequence stages in a Pipeline in any order, though some stage sequences are more common than others. Spinnaker provides a number of stages such as Deploy, Resize, Disable, Manual Judgment, and many more.
  • Now, let's start the pipeline creation process:
    1. Create an application, if you do not already have one.
    2. Create a pipeline in this application.
    3. Set up the pipeline configuration with the ECR repo details.

  • Now add stages to your pipeline:
    1. Build
    2. Deploy
    3. If you prefer to have a Bake stage, you can add that too.

  • Now, create the ECR secret so that Spinnaker is able to pull the images. The script to create the secret is below:
#
# Run this where kubectl and the AWS CLI are available, and make sure to replace ACCOUNT, REGION and EMAIL
#
ACCOUNT=
REGION=
SECRET_NAME=${REGION}-ecr-registry
EMAIL=
#
# Fetch token (which will expire in 12 hours)
#

TOKEN=$(aws ecr --region="$REGION" get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | cut -d: -f2)

#
# Create or replace registry secret
#

kubectl delete secret --ignore-not-found "$SECRET_NAME"
kubectl create secret docker-registry "$SECRET_NAME" \
 --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
 --docker-username=AWS \
 --docker-password="${TOKEN}" \
 --docker-email="${EMAIL}"

Note: The ECR token is temporary and expires after 12 hours. To keep deployments running successfully, run this secret creation as a CronJob so that the secret keeps getting refreshed.
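A variant of the secret script written for such a scheduled job, as an added example that is not from the original post: it checks that the token really decodes to the AWS:<password> form before touching the secret, and updates the secret in place rather than deleting it first. The function names and the script name in the last comment are illustrative; it assumes aws, kubectl and base64 are on the PATH.

```shell
#!/bin/sh
# Added example, not the original post's script. Needs aws, kubectl, base64.
set -eu

# Registry hostname in the form used above; account IDs are 12 digits.
ecr_registry_host() {  # args: account region
  case "$1" in *[!0-9]*) return 1 ;; esac
  case "$2" in ''|*[!a-z0-9-]*) return 1 ;; esac
  [ "${#1}" -eq 12 ] || return 1
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# An ECR authorization token is base64("AWS:<password>"); reject anything else
# (empty output, an error string) so a bad token never overwrites a good secret.
ecr_token_valid() {  # args: token
  case "$1" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
  _decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$_decoded" in AWS:?*) return 0 ;; *) return 1 ;; esac
}

# Body of a kubernetes.io/dockerconfigjson secret. The token is already the
# base64 "user:password" string that the "auth" field holds.
ecr_dockerconfigjson() {  # args: server token
  ecr_token_valid "$2" || return 1
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$2"
}

# Fetch a token and update the secret in place. The JSON goes to kubectl on
# stdin, so the password is not in the process list, and "apply" replaces the
# secret without the gap that delete-then-create leaves.
refresh_ecr_secret() {  # args: account region
  _host=$(ecr_registry_host "$1" "$2")
  _token=$(aws ecr get-authorization-token --region "$2" --output text \
    --query 'authorizationData[0].authorizationToken')
  _json=$(ecr_dockerconfigjson "https://$_host" "$_token")
  printf '%s' "$_json" |
    kubectl create secret generic "$2-ecr-registry" \
      --type=kubernetes.io/dockerconfigjson \
      --from-file=.dockerconfigjson=/dev/stdin --dry-run=client -o yaml |
    kubectl apply -f -
}

# Run only when called as: refresh-ecr-secret.sh <account> <region>
if [ "$#" -eq 2 ]; then refresh_ecr_secret "$1" "$2"; fi
```

The secret keeps the ${REGION}-ecr-registry name used above and is written to the namespace of the current kubectl context.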

  • Now execute the pipeline; it should build and deploy your desired application.

Hola, your ECR is now set up with Spinnaker. Enjoy Spinnaker!
