rh-mobb / ecr-secret-operator Goto Github PK

Hello we have 2 different ECRs one for QA and one for PROD, i successfully configured the operator to work with the QA ECR.
How can I add a second ECR with different credentials?

In mirror install, all images are rewritten with ImageContentSourcePolicy which by default uses digest.
With ecr operator it has no issue rewriting "quay.io/mobb/ecr-secret-operator:v0.4.1" but fails with gcr.io/kubebuilder/kube-rbac-proxy as its tag based.

Please can you add digest support for it. currently I have to patch the operator and delete the deployment to work around it.

Thanks

Hi,

because of hard coded region reference in the ecr folder only us-east-2 is possible.
Could you please fix this so we are able to use it for other regions ?

The operator should be able to automatically add the pull secret to one or more namespaces. Some suggestions:

1. Operator only manages the namespace its in ... therefore requires minimal RBAC
2. Operator creates pull secrets for all namespaces (except for kube-system, openshift-*, etc), requires heightened RBAC
3. Operator watches for namespaces with a certain annotation which tells it to manage an ECR pull secret (for a specific repo ?)

The Operator should be able to use a STS token to create user/key required for the pullsecret rather than the pull secret itself.

ROSA allows for injecting STS credentials using the pod-identity webhook which lets you provide a trustPolicy to tell the IAM Role to trust a specific annotated K8s service-account, which then injects a STS token into a pod without needing user key/secret.

An example of creating IAM role / policy / trust-policy in order to use STS inside a pod - https://mobb.ninja/docs/rosa/aws-secrets-manager-csi/

I'm using the ecr-secret-operator on the pull-secret s our cluster uses AWS ECR for all OCP images. However I also have cloud.openshift.com in this secret. It keeps getting removed. How can both coexist?