Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.
This repository contains the Zarf init package for AWS that uses ECR as an OCI registry and deploys onto EKS.
- Zarf CLI (version >= v0.30.0)
- Connection to an existing EKS cluster configured with an IAM OIDC identity provider to allow IRSA authentication
- AWS CLI configured with the necessary permissions to describe and create ECR repositories, and fetch ECR tokens
- Create an IAM role for the Pepr webhook to be able to list and create ECR repositories
  - See an example role for reference. Be sure to replace the `{{AWS_ACCOUNT_ID}}` and `{{EKS_CLUSTER_ID}}` placeholders, as well as the AWS region, with your values.
  - You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an example policy for reference.
    - Note: If you only need to work with a private ECR registry, the `ecr-public:` prefixed actions can be removed from the policy. Likewise, if you only need to work with a public ECR registry, the `ecr:` prefixed actions can be removed from the policy.
- (Optional) Create an IAM role for the `zarf-ecr-credential-helper` to be able to fetch new ECR auth tokens
  - The credential helper is an optional component and is NOT required to use ECR as an external Zarf registry. Use it if you want an automated way of keeping your image pull secrets updated with valid ECR auth tokens. Frequent rotation of the ECR tokens stored in image pull secrets is required because they expire after 12 hours: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html
  - See an example role for reference. Be sure to replace the `{{AWS_ACCOUNT_ID}}` and `{{EKS_CLUSTER_ID}}` placeholders, as well as the AWS region, with your values.
  - You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an example policy for reference.
    - Note: If you only need to work with a private ECR registry, the `ecr-public:` prefixed actions can be removed from the policy. Likewise, if you only need to work with a public ECR registry, the `ecr:` prefixed actions can be removed from the policy.
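The two IAM role prerequisites above (the Pepr webhook role and the optional credential helper role) both need an IRSA trust policy plus a permissions policy. The example role and policy documents referenced above are not reproduced on this page, so the following is an added illustration, not the init-aws package's own role or policy documents. It renders both documents from your values and implements the note about dropping `ecr:` or `ecr-public:` actions by registry type. Assumptions: the Kubernetes namespace and service account the workload runs as are passed in by you (they are not stated on this page); the action list follows the description above (describe and create repositories, fetch tokens), and the project's actual example policy may differ; `create_irsa_role` is the only function that calls the aws CLI and nothing here invokes it automatically.

```bash
# Added example; not the project's role/policy files. Renders an IRSA trust
# policy scoped to one service account and an ECR permissions policy scoped to
# one registry type. Namespace/service-account names are caller-supplied
# assumptions; the action list mirrors the README's prose, not the project's
# exact policy.

# Trust policy: only pods running as <namespace>/<service_account>, authenticated
# by this cluster's OIDC provider, may assume the role. The ":sub" condition is
# what stops every other pod in the cluster from assuming it.
irsa_trust_policy() {
  local account="$1" region="$2" cluster_id="$3" namespace="$4" sa="$5"
  local issuer="oidc.eks.${region}.amazonaws.com/id/${cluster_id}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${issuer}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${issuer}:aud": "sts.amazonaws.com",
        "${issuer}:sub": "system:serviceaccount:${namespace}:${sa}"
      }
    }
  }]
}
EOF
}

# Permissions policy: choose the action prefix for the registry type, so a
# private-only deployment carries no ecr-public: actions and vice versa.
# GetAuthorizationToken has no resource-level scoping, hence "*" there only.
ecr_permissions_policy() {
  local registry_type="$1" account="$2" region="$3" prefix repo_arn
  case "$registry_type" in
    private) prefix="ecr";        repo_arn="arn:aws:ecr:${region}:${account}:repository/*" ;;
    public)  prefix="ecr-public"; repo_arn="arn:aws:ecr-public::${account}:repository/*" ;;
    *) echo "registry_type must be 'private' or 'public'" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["${prefix}:DescribeRepositories", "${prefix}:CreateRepository"],
      "Resource": "${repo_arn}"
    },
    {
      "Effect": "Allow",
      "Action": "${prefix}:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the role with the trust policy, attach the permissions inline, and
# print the role ARN to paste into zarf-config.yaml. Requires the aws CLI and
# IAM rights; call it explicitly, e.g.:
#   create_irsa_role zarf-ecr-hook private 123456789012 us-east-1 <CLUSTER_ID> <NS> <SA>
create_irsa_role() {
  local role="$1" registry_type="$2" account="$3" region="$4" cluster_id="$5" namespace="$6" sa="$7"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(irsa_trust_policy "$account" "$region" "$cluster_id" "$namespace" "$sa")"
  aws iam put-role-policy --role-name "$role" --policy-name "${role}-ecr" \
    --policy-document "$(ecr_permissions_policy "$registry_type" "$account" "$region")"
  aws iam get-role --role-name "$role" --query 'Role.Arn' --output text
}
```

If you would rather attach separate minimal policies per role, keep only the repository statement for the webhook role and only the `GetAuthorizationToken` statement for the credential helper role; the trust policy is the same shape for both, differing only in the service account named in the `:sub` condition.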
```bash
zarf package pull oci://ghcr.io/defenseunicorns/packages/init-aws:$(zarf version)-amd64
```
To use a private ECR registry:

- Create a Zarf config file `zarf-config.yaml`:

  ```yaml
  architecture: amd64
  package:
    deploy:
      components: zarf-ecr-credential-helper
      set:
        registry_type: private
        # Change me to your AWS region if needed
        aws_region: us-east-1
        # Set IAM role ARNs
        ecr_hook_role_arn: <YOUR_WEBHOOK_ROLE_ARN>
        ecr_credential_helper_role_arn: <YOUR_CREDENTIAL_HELPER_ROLE_ARN>
  ```

- Run `zarf init`. Note: Be sure to run the `zarf init` command from the same working directory as your Zarf config file, or set the `ZARF_CONFIG` environment variable to point to your config file.

  ```bash
  AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
  # Note: Be sure the region you specify in the --registry-url matches the one specified in your Zarf config file
  zarf init \
    --registry-url="${AWS_ACCOUNT_ID}.dkr.ecr.<YOUR_AWS_REGION>.amazonaws.com" \
    --registry-push-username="AWS" \
    --registry-push-password="$(aws ecr get-login-password --region <YOUR_AWS_REGION>)" \
    --confirm
  ```
To use a public ECR registry:

- Create a Zarf config file `zarf-config.yaml`:

  ```yaml
  architecture: amd64
  package:
    deploy:
      components: zarf-ecr-credential-helper
      set:
        registry_type: public
        # Must use us-east-1 region for public ECR registries
        # https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth
        aws_region: us-east-1
        # Set IAM role ARNs
        ecr_hook_role_arn: <YOUR_WEBHOOK_ROLE_ARN>
        ecr_credential_helper_role_arn: <YOUR_CREDENTIAL_HELPER_ROLE_ARN>
  ```

- Run `zarf init`. Note: Be sure to run the `zarf init` command from the same working directory as your Zarf config file, or set the `ZARF_CONFIG` environment variable to point to your config file.

  ```bash
  zarf init \
    --registry-url="$(aws ecr-public describe-registries --query 'registries[0].registryUri' --output text --region us-east-1)" \
    --registry-push-username="AWS" \
    --registry-push-password="$(aws ecr-public get-login-password --region us-east-1)" \
    --confirm
  ```
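The password passed to `zarf init` above comes from `aws ecr get-login-password`, i.e. an ECR authorization token of the same kind the optional credential helper prerequisite describes, valid for 12 hours. As an added illustration of what keeping a pull secret fresh involves (this is not the `zarf-ecr-credential-helper` component's code, and it targets a private registry only), the routine below decodes a token into a `kubernetes.io/dockerconfigjson` secret body, upserts the secret, and decides when to rotate with headroom before expiry. Assumptions: the aws CLI can call `ecr:GetAuthorizationToken`, `kubectl` can read and write secrets in the target namespace, and the annotation name `ecr-token-expires-epoch` is a hypothetical key chosen here. Nothing runs until you call `rotate_if_due` yourself, for example from a CronJob every few hours.

```bash
# Added example; not the zarf-ecr-credential-helper component's code. Rotates a
# private-ECR image pull secret before the 12-hour token expiry. The annotation
# key "ecr-token-expires-epoch" is a hypothetical name chosen for this example.

# Hostname of a private ECR registry for an account and region.
ecr_registry_url() {
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# ECR authorization tokens decode to "AWS:<password>". Build the
# .dockerconfigjson body a kubernetes.io/dockerconfigjson secret carries.
# (The password is not JSON-escaped here; ECR passwords are base64 text.)
dockerconfigjson_from_ecr_token() {
  local registry="$1" token="$2" decoded user pass
  decoded=$(printf '%s' "$token" | base64 -d)
  user=${decoded%%:*}
  pass=${decoded#*:}
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$token"
}

# Tokens are valid for 12 hours. Rotate while there is still headroom: a pod
# that pulls with an expired secret sits in ImagePullBackOff until it is fixed.
# Returns 0 (true) when rotation is due.
needs_rotation() {
  local expires_epoch="$1" now_epoch="$2" headroom_secs="$3"
  [ $((expires_epoch - now_epoch)) -le "$headroom_secs" ]
}

# Fetch a fresh token, upsert the pull secret, and record the expiry
# (now + 12h, per the GetAuthorizationToken contract) in an annotation.
refresh_pull_secret() {
  local namespace="$1" secret="$2" account="$3" region="$4" registry token tmp
  registry=$(ecr_registry_url "$account" "$region")
  token=$(aws ecr get-authorization-token --region "$region" \
    --query 'authorizationData[0].authorizationToken' --output text)
  tmp=$(mktemp)
  dockerconfigjson_from_ecr_token "$registry" "$token" > "$tmp"
  kubectl -n "$namespace" create secret generic "$secret" \
    --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$tmp"
  kubectl -n "$namespace" annotate secret "$secret" --overwrite \
    ecr-token-expires-epoch="$(( $(date +%s) + 12 * 3600 ))"
}

# Entry point: read the recorded expiry (a missing secret or annotation reads
# as 0, so rotation is due) and refresh only inside the headroom window.
#   rotate_if_due <namespace> <secret-name> <headroom-seconds> <account-id> <region>
rotate_if_due() {
  local namespace="$1" secret="$2" headroom_secs="$3" account="$4" region="$5" expires
  expires=$(kubectl -n "$namespace" get secret "$secret" \
    -o jsonpath='{.metadata.annotations.ecr-token-expires-epoch}' 2>/dev/null || true)
  if needs_rotation "${expires:-0}" "$(date +%s)" "$headroom_secs"; then
    refresh_pull_secret "$namespace" "$secret" "$account" "$region"
  fi
}
```

Whatever runs this needs ECR read rights itself; in-cluster, that is exactly the IRSA role the credential helper prerequisite asks you to create, which is why the optional component exists rather than leaving a long-lived AWS key in the cluster.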