The easiest way to create and update a docker-registry secret in Rancher 2.x for an AWS ECR repo is to set up a CRON job that uses the AWS CLI and Kubectl.
- Log into the host machine where the cluster is running
- Install AWS CLI and configure it to use an IAM role that can read the ECR credentials.
- Test the CLI config using this command:
aws ecr --region <your_ecr's_region> get-login-password
- Install kubectl and configure it with the yaml for the cluster in which you want to define the secret
- Create a shell script like this:
# Delete the secret if it already exists (there is no way to update it)
kubectl delete secret <name_of_the_docker_registry_secret>
# Create the secret
kubectl create secret docker-registry <name_of_the_docker_registry_secret> \
--docker-server=<your_ecr_registry_uri> \
--docker-username=AWS \
--docker-password=$(aws ecr --region <your_ecr's_region> get-login-password) \
--docker-email=<your_notification_email>
- Now setup a cron job to run this shell script every 6 hours (AWS resets the password every 12, so just to be on the safe side).
The secret will show up in the default project for the cluster. If you know how to have kubectl create it in a specific project, let me know.