2

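I want to use ArgoCD to deploy Helm charts, which are stored in a repository in AWS ECR, to a Kubernetes cluster. But I am getting a 401 Unauthorized error. I have pasted the full error below.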

Unable to create application: application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code = Unknown desc = `helm chart pull <aws account id>.dkr.ecr.<region>.amazonaws.com/testrepo:1.1.0` failed exit status 1: Error: unexpected status code [manifests 1.1.0]: 401 Unauthorized
4

2 Answers

2

Yes, you can use ECR to store Helm charts (https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html).

I have managed to add the repo to ArgoCD, but the token expires, so it is not a complete solution.

argocd repo add XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com --type helm --name some-helmreponame --enable-oci --username AWS --password $(aws ecr get-login-password --region us-east-1)
answered 2021-05-17T09:02:13.903
0

I am trying the following (not finished yet).

Create a secret for the AWS IAM role that allows you to get the ECR login password.

apiVersion: v1
kind: Secret
metadata:
  name: aws-ecr-get-login-password-creds
  namespace: argocd
  # No argocd.argoproj.io/secret-type label here: this Secret holds AWS keys
  # for the workflow, it is not an Argo CD repository definition.
stringData:
  AWS_ACCESS_KEY_ID: <Fill In>
  AWS_SECRET_ACCESS_KEY: <Fill In>

Now create an ArgoCD workflow that runs every 12 hours or on a PreSync hook (completely untested; I will try to keep this updated, and anyone is welcome to update it for me).

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: aws-ecr-get-login-password-
  annotations:
    argocd.argoproj.io/hook: PreSync
spec:
  entrypoint: update-ecr-login-password
  templates:

    # This is what will run.
    # First the awscli
    # Then the resource creation using the stdout of the previous step
    - name: update-ecr-login-password
      steps:
        - - name: awscli
            template: awscli
        - - name: argocd-ecr-credentials
            template: argocd-ecr-credentials
            arguments:
              parameters:
              - name: password
                value: "{{steps.awscli.outputs.result}}"

    # Create a container that has awscli in it
    # and run it to get the password using `aws ecr get-login-password`
    - name: awscli
      script:
        image: amazon/aws-cli:latest
        command: [bash]
        source: |
          aws ecr get-login-password --region us-east-1
        # We need aws secrets that can run `aws ecr get-login-password`
        envFrom:
          - secretRef:
              name: aws-ecr-get-login-password-creds

    # Now we can create the secret that has the password in it
    - name: argocd-ecr-credentials
      inputs:
        parameters:
          - name: password
      resource:
        # apply instead of create, so later runs update the existing Secret
        action: apply
        manifest: |
          apiVersion: v1
          kind: Secret
          metadata:
            name: argocd-ecr-credentials
            namespace: argocd
            labels:
              argocd.argoproj.io/secret-type: repository
          stringData:
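            url: 133696059149.dkr.ecr.us-east-1.amazonaws.com
            # Mark the repository as a Helm OCI registry (the default type is git)
            type: helm
            enableOCI: "true"
            username: AWS
            # Quoted so the substituted token is always parsed as a string
            password: "{{inputs.parameters.password}}"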
answered 2021-09-11T03:40:27.983
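
The token refresh that both answers are working towards, as an added example that is not part of either answer: a script that could run on a schedule shorter than the 12-hour lifetime of an ECR login password and rewrite the Argo CD repository Secret, keeping the token off the command line (unlike `--password $(...)`). Assumptions: `aws` and `kubectl` are on PATH and already authorised; the `--apply` flag and the environment variable names are this example's own, and the registry and names are the placeholders from the answers above.

```shell
#!/bin/sh
# Added example: refresh the Argo CD repository Secret for an ECR Helm (OCI) repo.
# Assumes aws and kubectl are on PATH and already authorised; the values below
# are placeholders taken from the answers above.
set -eu

REGION="${REGION:-us-east-1}"
REGISTRY="${REGISTRY:-XXXXXXXXXX.dkr.ecr.${REGION}.amazonaws.com}"
NAMESPACE="${NAMESPACE:-argocd}"
SECRET_NAME="${SECRET_NAME:-argocd-ecr-credentials}"
REPO_NAME="${REPO_NAME:-some-helmreponame}"

# Base64 on one line: ECR tokens are long and GNU base64 wraps at 76 columns.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print the repository Secret for registry $1 and token $2.
# Values go under data: (base64), so the token never needs YAML quoting.
render_repo_secret() {
  [ -n "${2:-}" ] || { echo "empty ECR token, refusing to write Secret" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
  labels:
    argocd.argoproj.io/secret-type: repository
data:
  url: $(b64 "$1")
  name: $(b64 "$REPO_NAME")
  type: $(b64 helm)
  enableOCI: $(b64 true)
  username: $(b64 AWS)
  password: $(b64 "$2")
EOF
}

# Fetch a fresh token and apply the Secret. The token travels through a shell
# variable and stdin only, never as a command-line argument.
refresh() {
  token="$(aws ecr get-login-password --region "$REGION")"
  render_repo_secret "$REGISTRY" "$token" | kubectl apply -f -
}

# Hypothetical flag: only touch the cluster when called with --apply.
if [ "${1:-}" = "--apply" ]; then refresh; fi
```

Without `--apply` the script only defines its functions, so `render_repo_secret` can be checked against a constructed token before anything is sent to the cluster.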