ecr: secret not being generated

[vdice]

When setting up values for using ECR as the off-cluster registry option, a sample snippet of Workflow's global values.yaml would look something like:

...
registry-token-refresher:
...
  ecr:
    # Your AWS access key. Leave it empty if you want to use IAM credentials.
    accesskey: "ACCESS_KEY"
    # Your AWS secret key. Leave it empty if you want to use IAM credentials.
    secretkey: "SECRET_KEY"
    # Any S3 region
    region: "us-west-2"
    registryid: "myregistryid"
    hostname: "myhostname.amazonaws.com"
...

Yet, when the registryid and hostname values are non-empty as above, it seems a bug is hit and the necessary private-registry-ecr secret is not created correctly. When an attempt to build/deploy an example app, the following is hit:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]`

Meanwhile, counterintuitively, if both registryid and hostname are just kept at "" then the aforementioned secret is created properly and build/deploys work as intended.

[kwent]

I would also update the documentation (https://deis.com/docs/workflow/installing-workflow/configuring-registry/) with one section for ECR and one section for GCR with samples.

[vdice]

deis/workflow#779 represents the docs update

[wearethefoos]

FWIW I ran into the same error all of a sudden

error getting private registry details secrets "private-registry-ecr" not found

So I deleted the token refresher pod to start a new one and everything worked again:

kubectl --namespace deis delete pod deis-registry-token-refresher-xxx-yyy

[mariusmarais]

I'm running into this same problem, but I'm not able to recover.

Originally I setup values with both registryid and hostname, eventually leading me here.

However, after removing them and running kubectl delete namespace deis and re-running helm install deis/workflow -f values.yml, I still have the same problem, even though both registryid and hostname are blank in the registry-secret secret:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Restarting the pod has no effect and it isn't generating any log output, which is making debugging very difficult (quay.io/deis/registry-token-refresher:v1.1.2).

Please help :)

Update: Granting the follow access via IAM resolves the issue, since Deis needs to be able to create a repository for every app:

        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": [
                "*"
            ]
        }

Can this be limited further?

[Cryptophobia]

This issue was moved to teamhephy/registry-token-refresher#2