Add helm chart to rotate registry creds

arielbeckjit · arielbeckjit · commit e0b505e6bae1 · 2024-10-21T12:33:38.000+03:00
diff --git a/src/kubernetes/jit_ecr/Chart.yaml b/src/kubernetes/jit_ecr/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: jit_ecr
 version: 0.1.0
-description: Helm chart to manage ECR credentials for JIT using authentication APIs
+description: Helm chart to manage registry credentials for JIT using authentication APIs
diff --git a/src/kubernetes/jit_ecr/templates/NOTES.txt b/src/kubernetes/jit_ecr/templates/NOTES.txt
@@ -1,17 +1,17 @@
 {{- if .Values.client_id }}
 {{- if .Values.secret }}
-Congratulations! You've installed the JIT ECR credentials manager.
+Congratulations! You've installed the JIT registry credentials manager.
 
 To verify that the initial login was successful, run the following command:
 
 kubectl logs -n {{ .Values.namespace }} $(kubectl get pods -n {{ .Values.namespace }} -l job-name=jit-ecr-initial-login --sort-by=.metadata.creationTimestamp --output=jsonpath='{.items[-1:].metadata.name}')
 
-This command will display the logs of the most recently created pod for the initial login job. Look for the message "ECR credentials updated successfully on <date>" at the end of the logs.
+This command will display the logs of the most recently created pod for the initial login job. Look for the message "registry credentials updated successfully on <date>" at the end of the logs.
 
 If you don't see the success message or encounter any errors, you can describe the job for more information:
 kubectl describe job jit-ecr-initial-login -n {{ .Values.namespace }}
 
-The ECR credentials secret has been created as {{ .Values.jit_ecr_secret_name }} in the {{ .Values.namespace }} namespace.
+The registry credentials secret has been created as {{ .Values.jit_ecr_secret_name }} in the {{ .Values.namespace }} namespace.
 
 To verify the created secret, run:
 kubectl get secret {{ .Values.jit_ecr_secret_name }} --namespace {{ .Values.namespace }}
@@ -25,4 +25,4 @@ Error: "secret" value is mandatory.
 {{- end }}
 {{- else }}
 Error: "client_id" value is mandatory.
-{{- end }}
+{{- end }}
diff --git a/src/kubernetes/jit_ecr/templates/cronjob.yaml b/src/kubernetes/jit_ecr/templates/cronjob.yaml
@@ -40,4 +40,4 @@ spec:
                 name: jit-ecr-script
           restartPolicy: OnFailure
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/src/kubernetes/jit_ecr/templates/jit_creds_secret.yaml b/src/kubernetes/jit_ecr/templates/jit_creds_secret.yaml
@@ -10,4 +10,4 @@ stringData:
   client_id: "{{ .Values.client_id }}"
   secret: "{{ .Values.secret }}"
 {{- end }}
-{{- end }}
+{{- end }
diff --git a/src/kubernetes/jit_ecr/templates/job.yaml b/src/kubernetes/jit_ecr/templates/job.yaml
@@ -35,4 +35,4 @@ spec:
             name: jit-ecr-script
       restartPolicy: OnFailure
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/src/kubernetes/jit_ecr/templates/rolebinding.yaml b/src/kubernetes/jit_ecr/templates/rolebinding.yaml
@@ -11,4 +11,4 @@ subjects:
 roleRef:
   kind: Role
   name: role-access-to-jit-ecr-secret
-  apiGroup: ""
+  apiGroup: ""
diff --git a/src/kubernetes/jit_ecr/templates/script-configmap.yaml b/src/kubernetes/jit_ecr/templates/script-configmap.yaml
@@ -45,28 +45,28 @@ data:
 
     echo "Access token obtained successfully"
 
-    # Use access token to get ECR credentials
-    echo "Requesting ECR token..."
-    ECR_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST {{ .Values.jit_base_url }}/authentication/registry/login \
+    # Use access token to get registry credentials
+    echo "Requesting registry token..."
+    REGISTRY_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST {{ .Values.jit_base_url }}/authentication/registry/login \
       -H "Authorization: Bearer $ACCESS_TOKEN")
-    ECR_STATUS=$(echo "$ECR_RESPONSE" | tail -n1)
-    ECR_BODY=$(echo "$ECR_RESPONSE" | sed '$d')
+    REGISTRY_STATUS=$(echo "$REGISTRY_RESPONSE" | tail -n1)
+    REGISTRY_BODY=$(echo "$REGISTRY_RESPONSE" | sed '$d')
 
-    if [ "$ECR_STATUS" -ne 200 ]; then
-      echo "Failed to obtain ECR token. HTTP Status: $ECR_STATUS"
-      echo "Response body: $ECR_BODY"
+    if [ "$REGISTRY_STATUS" -ne 200 ]; then
+      echo "Failed to obtain registry token. HTTP Status: $REGISTRY_STATUS"
+      echo "Response body: $REGISTRY_BODY"
       exit 1
     fi
 
-    ECR_TOKEN="$ECR_BODY"
+    REGISTRY_TOKEN="$REGISTRY_BODY"
 
-    if [ -z "$ECR_TOKEN" ]; then
-      echo "Failed to obtain ECR token"
-      echo "Response body: $ECR_BODY"
+    if [ -z "$REGISTRY_TOKEN" ]; then
+      echo "Failed to obtain registry token"
+      echo "Response body: $REGISTRY_BODY"
       exit 1
     fi
 
-    echo "ECR token obtained successfully"
+    echo "registry token obtained successfully"
 
     # Delete existing Kubernetes Docker registry secret (ignore if not found)
     echo "Deleting existing Kubernetes secret (if any)..."
@@ -77,10 +77,10 @@ data:
     kubectl create secret docker-registry {{ .Values.jit_ecr_secret_name }} \
       --docker-server={{ .Values.registry_name }} \
       --docker-username=AWS \
-      --docker-password="$ECR_TOKEN" \
+      --docker-password="$REGISTRY_TOKEN" \
       --namespace={{ .Values.namespace }}
 
     # Get current date and time
     CURRENT_DATE=$(date "+%Y-%m-%d %H:%M:%S")
 
-    echo "ECR credentials updated successfully on $CURRENT_DATE"
+    echo "Registry credentials updated successfully on $CURRENT_DATE"
diff --git a/src/kubernetes/jit_ecr/templates/serviceaccount.yaml b/src/kubernetes/jit_ecr/templates/serviceaccount.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sa-jit-ecr
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace }}
