[refresh-credential] rotate the AWS ECR credential by schedule

[jenting]

Description

Add a new component refresh-credential to rotate the AWS ECR authorization token by schedule.

The refresh-credential component is installed once the containerRegistry.external.url is an AWS ECR URL.

• The private AWS ECR URL with the format aws_account_id.dkr.ecr.region.amazonaws.com.
• The public AWS ECR URL with the format public.ecr.aws/<registry-alias>.

Remember to configure the

• Create a Kubernetes secret with AWS access/secret key pair.

  aws configure
  
  # default path is ~/.aws/credentials
  kubectl create secret aws-iam-credential -n default --from-file=</path/to/credentialsfile>

• containerRegistry.inCluster = false to indicate to use external container registry.
• containerRegistry.external.certificate indicates the secret name the AWS ECR authorization token write to.
• containerRegistry.external.credentials which points to the AWS secret that with the AWS access/secret key pair.
  Example yaml manifest:

  containerRegistry:
    inCluster: false
    external:
      url: 012345678969.dkr.ecr.us-west-1.amazonaws.com
      certificate:
        kind: secret
        name: aws-ecr-credential
      credentials:
        kind: secret
        name: aws-iam-credential

The refresh-credential run as Kubernetes CronJob. The AWS ECR authorization token expires every 12 hours. The CronJob runs every 6 hours. Therefore, the on-caller have time to mitigate it once the ECR authorization token rotation fails.

We can add an alert rule when the job hits the backoffLimit. The trigger criteria is to query kube_job_status_failed{job_name=~"refresh-credential.*",reason="BackoffLimitExceeded"} > 0.
Reference to kube_job_status_failed.

https://www.loom.com/share/6d4b9dedc2df4a32bea87c12e3533230

Note
Since we haven't migrate/sync all the Gitpod component container image from GCP GCR to AWS ECR. Therefore, the secret with .dockerconfigjson requires to have both GCP GCR and AWS ECR authorization token because the image-builder push to AWS ECR, however the blobserve and registry-facade pull from GCP GCR.

Note
Because we set the Job restartPolicy = OnFailure, the pod will be terminated once the max backoff retry limit reaches. So we need to rely on the logging system to troubleshoot.

Warning
Please aware the service quotas.

• The private AWS ECR service quotas.
• The public AWS ECR service quotas.

Related Issue(s)

Fixes #12104

How to test

Try https://g704b4152c75da6e18a1605.workspace-preview.gitpod-io-dev.com/workspaces

1. Trigger a imagebuild
2. Check the base-image and workspace-image on the AWS ECR (us-west-1)

Release Notes

Support AWS ECR container registry

Documentation

None

Werft options:

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

[werft-gitpod-dev-com]

started the job as gitpod-build-jenting-aws-ecr-14914.68 because the annotations in the pull request description changed
(with .werft/ from main)

[mrsimonemms]

Looks broadly ok, but I've put a couple of questions/comments in there. Around on Slack if you want to chat about them.

[Pothulapati]

Small nits, but looks good to me!

/hold just in case. Feel free to remove

[Pothulapati]

nit: Is pull-secret the right name? as we would also use it for pushes here. Could be tackled with https://github.com/gitpod-io/security/issues/89

[jenting]

The name is pull-secret.json now, ref code.
I updated the https://github.com/gitpod-io/security/issues/89 to track it.

[jenting]

@mrsimonemms PTAL 🙏

[mrsimonemms]

Looks good, just one additional question

[kylos101]

Hi @jenting , wow, solid work!

Can you share an updated Loom video showing the test?

Also, I think we'll need follow-on PRs:

1. We should be using IRSA, instead of persisting client_id and client_secret as a Kubernetes secret
2. What do you think of renaming registry-credential to refresh-ecr-credential? Naming things is hard. 😉
3. What is the plan for creating an alert for when this job fails? If it attempts 10 times and still fails, how much time would that leave for us to react, before the cluster is unable to interact with the registry?

[kylos101]

@jenting we should not be persisting an access and secret key to Kubernetes to interface with AWS. Instead, we should be leveraging an IAM role for a service account, aka IRSA.

[kylos101]

In other words, we should avoid persisting long lived secrets to workspace clusters, and negotiate a temporary AWS role credential instead, to do the GetAuthorizationToken work.

After validating the token's signature, IAM exchanges the Kubernetes issued token for a temporary AWS role credential.

[kylos101]

I think you'll need to use awsconfig.WithAssumeRoleCredentialOptions as an alternative to awsconfig.WithCredentialsProvider

[kylos101]

Reference: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html

[kylos101]

You can see an example from @mrzarquon here via ecr-helper service account.

[jenting]

@kylos101 I saw for S3 object storage, we use the shared config.

@Furisto Could you tell me how did you prepare the credential file you developed for the S3?

[jenting]

@Furisto Looks like you were using the shared config for development.

[jenting]

I update the doc, same as how the S3 load the credentials file.

[Furisto]

@jenting I created a Kubernetes secret that contains the AWS shared config file (which gives access only to a specific bucket) and then mounted the file into the container. Then I reference that file when I am creating the client.. The file contains the credentials for a user that has no permissions except for the ones assigned by a bucket policy.

[kylos101]

I am skeptical we need this Credential field, please see my IRSA feedback for example.

[kylos101]

CredentialSecret should not be needed, I think, if we rely on IRSA.

[kylos101]

This will need to be changed, for example, to configure AWS given the service account associated with this new component.

[kylos101]

I forget, but, nesting the secret within a sub-directory was necessary, so that we can watch it for changes, right?

[jenting]

You're right 💯

[jenting]

FYR https://kubernetes.io/docs/concepts/configuration/secret/#:~:text=A%20container%20using%20a%20Secret%20as%20a%20subPath%20volume%20mount%20does%20not%20receive%20automated%20Secret%20updates

[kylos101]

Should be able to remove, given IRSA feedback

[jenting]

@kylos101

2. What do you think of renaming registry-credential to refresh-ecr-credential? Naming things is hard. 😉

We could rename it to refresh-credential because I don't want this component specific for ECR only.

3. What is the plan for creating an alert for when this job fails? If it attempts 10 times and still fails, how much time would that leave for us to react, before the cluster is unable to interact with the registry?

According to the Kubernetes doc, 10-time retry means the alert triggered after 10s+20s+40s+80s+160s+320s+360s+360s+360s+360s=34.5minutes.
Given the cronjob runs every 6 hours and the authorization token is valid for 12 hours. We have at least 5 hours to react.

[jenting]

1. We should be using IRSA, instead of persisting client_id and client_secret as a Kubernetes secret

I talked with @kylos101, and Kyle said since S3 requires the same secret, don't worry about my feedback for IRSA.
Therefore, I will change this PR following how S3 loads the credential files.

Correct me if I am wrong, but if I remember correctly, the IRSA (the AWs STS assume-role) is workable when the Kubernetes cluster lands on the AWS EC2 because the STS assume-role relies on the AWS EC2 information to grant the temporary credential.
We could change how we get an AWS credential file in the follow-up PR when required.

[jenting]

/unhold

All the comments are addressed. Thanks all the reviewers' comments.

We could have follow up PRs

• if IRSA is required
• if we want to separate the AWS IAM policy for the image-builder and registry-facade/blobserve.