Merge pull request #16 from bensonz/master

release v0.1

Makefile

@@ -2,7 +2,7 @@ CA_CERT = ./secrets/ca.pem
 ADMIN_KEY = ./secrets/admin-key.pem
 ADMIN_CERT = ./secrets/admin.pem
 MASTER_HOST = $(shell terraform output | grep -A1 master_ip | awk 'NR>1 {print $1}' | xargs echo)
-NAMESPACE ?= kube-system
+SECRET_NAME ?= aws-ecr-cn-north-1
 
 plan: tf_get
 	terraform plan
@@ -44,36 +44,39 @@ node_clean:
 	kubectl get no | grep NotReady | awk '{print $$1}' | xargs kubectl delete node
 
 kubectl_dockertoken:
-	NAMESPACE=$(NAMESPACE) ./local_setup_secret.sh
+	kubectl apply -f addons/ecr-dockercfg-refresh/
+
+delete_kubectl_dockertoken:
+	kubectl delete -f addons/ecr-dockercfg-refresh/
+	kubectl delete secrets aws-ecr-cn-north-1
+	kubectl delete secrets aws-ecr-cn-north-1 -n kube-system
 
 label_edge_node:
 	$(eval NODE_NAME := $(shell make output | awk '/worker_private_dns/{getline; print}' | sed 's/\,$///g'))
 	until kubectl get no | grep $(NODE_NAME); do printf 'waiting on node...\n'; sleep 5; done
 
 	kubectl label no $(NODE_NAME) role="edge-router" --overwrite
 
-unlabel_edge_node:
-	kubectl label no node-1 role-
-
 delete_traefik:
-	kubectl apply -f addons/traefik/.
+	kubectl delete -f addons/traefik/
 
 create_traefik:
-	kubectl apply -f addons/traefik/.
+	kubectl apply -f addons/traefik/
 
 create_all_addons: label_edge_node create_essential_addons create_traefik
 
 delete_all_addons: delete_essential_addons delete_traefik
 
 delete_essential_addons:
-	kubectl delete -f addons/dashboard/.
-	kubectl delete -f addons/heapster/.
-	kubectl delete -f addons/dns/.
+	kubectl delete -f addons/dashboard/
+	kubectl delete -f addons/heapster/
+	kubectl delete -f addons/dns/
 
 create_essential_addons:
-	kubectl apply -f addons/dns/.
-	kubectl apply -f addons/heapster/.
-	kubectl apply -f addons/dashboard/.
+	until kubectl get secrets -n kube-system | grep $(SECRET_NAME); do printf 'waiting on secret...\n'; sleep 5; done
+	kubectl apply -f addons/dns/
+	kubectl apply -f addons/heapster/
+	kubectl apply -f addons/dashboard/
 
 sync_upload:
 	aws s3 sync --exclude="admin*" --exclude="README.md" ./secrets/ s3://k8s-secrets

README.md

@@ -35,7 +35,7 @@ make
   - [x] DNS + DNS Autoscale
   - [x] heapster (Metrics)
 - [x] Using AWS EC2 Container Registry
-  - [ ] token auto refresh
+  - [x] token auto refresh
 - [x] Traefik Ingress Controller
   - [x] EIP association for edge-router
   - [ ] Let's Encrypt Support

addons/ecr-dockercfg-refresh/ecr-dockercfg-refresh-configmap.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  REFRESH_NAMESPACES: default,kube-system
+kind: ConfigMap
+metadata:
+  name: ecr-dockercfg-refresh
+  namespace: kube-system

addons/ecr-dockercfg-refresh/ecr-dockercfg-refresh-rbac.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ecr-dockercfg-refresh
+  namespace: kube-system
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: ecr-dockercfg-refresh
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: token-refresh
+subjects:
+- kind: ServiceAccount
+  name: ecr-dockercfg-refresh
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: token-refresh
+  labels:
+    app: token-refresh
+rules:
+- apiGroups:
+  - ""
+  - "extensions"
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+  - watch
+  - list
+  - update
+  - patch

addons/ecr-dockercfg-refresh/ecr-dockercfg-refresh.yaml

@@ -13,7 +13,12 @@ spec:
       labels:
         run: ecr-dockercfg-refresh
     spec:
+      dnsPolicy: Default
+      serviceAccountName: ecr-dockercfg-refresh
       containers:
-      - image: daocloud.io/mixslice/ecr-dockercfg-refresh:master-33b53bf
+      - image: daocloud.io/mixslice/ecr-dockercfg-refresh:master-1f8f698
         name: ecr-dockercfg-refresh
+        envFrom:
+        - configMapRef:
+            name: ecr-dockercfg-refresh
       restartPolicy: Always