connaisseur+cosign on eks: add support for aws credentials

k8s version: 1.20 flavor: eks

Goal:

Use connaisseur+cosign on eks to sign/validate images located in private ecr registry.

Problem statement:

At the moment connaisseur provides 2 methods to auth against a private registry: (https://github.com/sse-secure-systems/connaisseur/blob/master/helm/values.yaml#L82-L87)

1. A secret containing the registry’s credentials (i.e. config.json)
2. A username/password

Since docker doesn’t natively support ecr auth, in order to auth to ecr, one needs to use an aws helper: (https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)

$ TOKEN=$(aws ecr get-login-password --region region)

This creates a temporary token valid for 12 hours, which you can then use to authenticate to ecr:

$ echo $TOKEN | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

Creating a secret with the following information would unfortunately expire within 12h.

{
  "auths": {
    "aws_account_id.dkr.ecr.region.amazonaws.com": {
      "username": "AWS",
      "password": "<TOKEN>"
    }
  }
}

The solution I had to come up with as reported by @diegonicacio in https://github.com/sse-secure-systems/connaisseur/issues/352 was to create a cronjob, whose job is to rotate the ecr credentials inside the secret every x hours.

While this works, it’s a fragile solution, and it would be a more elegant solution if connaisseur was able to natively support AWS credentials:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY