Add ECR Credential Updater template.

templates/ecr/0/docker-compose.yml

@@ -0,0 +1,12 @@
+ecr-updater:
+  environment:
+    AWS_ACCESS_KEY_ID: ${aws_access_key_id}
+    AWS_SECRET_ACCESS_KEY: ${aws_secret_access_key}
+    AWS_REGION: ${aws_region}
+  labels:
+    io.rancher.container.pull_image: always
+    io.rancher.container.create_agent: 'true'
+    io.rancher.container.agent.role: environment
+  tty: true
+  image: objectpartners/rancher-ecr-credentials:1.0.0
+  stdin_open: true

templates/ecr/0/rancher-compose.yml

@@ -0,0 +1,24 @@
+.catalog:
+  name: "ECR Credential Updater"
+  version: "v1.0.0"
+  description: "Updates credentials for ECR in Rancher"
+  uuid: ecr-1
+  questions:
+    - variable: "aws_access_key_id"
+      label: "AWS Access Key ID"
+      description: "AWS API Access Key to use for obtaining ECR credentials"
+      required: true
+      type: "string"
+    - variable: "aws_secret_access_key"
+      label: "AWS Secret Access Key"
+      description: "AWS API Secret Key to use for obtaining ECR credentials"
+      required: true
+      type: "string"
+    - variable: "aws_region"
+      label: "AWS Region"
+      description: "AWS Region that hosts the ECR"
+      default: us-east-1
+      required: true
+      type: "string"
+ecr-updater:
+  scale: 1

templates/ecr/README.md

@@ -0,0 +1,47 @@
+# Rancher ECR Credentials Updater
+
+This is Docker container that when executed will update the Docker registry credentials in Rancher for an Amazon Elastic Container Registry.
+
+## Why is this needed?
+
+Because access to ECR is controlled with AWS IAM.
+An IAM user must request a temporary credential to the registry using the AWS API.
+This temporary credential is then valid for 12 hours.
+
+Rancher only supports registries that authenticate with a username and password.
+
+## How to use
+
+Run this container with the following environment variables:
+* `AWS_REGION` - the AWS region of the ECR registry
+* `AWS_ACCESS_KEY_ID`
+* `AWS_SECRET_ACCESS_KEY`
+
+Add the following labels to the service in Rancher:
+* `io.rancher.container.create_agent: true`
+* `io.rancher.container.agent.role: environment`
+
+These labels will cause Rancher to provision an API key for this service and create the `CATTLE_URL`, `CATTLE_ACCESS_KEY`, and `CATTLE_SECRET_KEY` environment variables.
+
+## Running container outside of Rancher
+
+If you are running this container outside of a Rancher managed environment, then you must provide the following envvars in additional to the ones above.
+* `CATTLE_URL` - the url of the Rancher server to update
+* `CATTLE_ACCESS_KEY`
+* `CATTLE_SECRET_KEY`
+
+```bash
+$ docker run -d -e AWS_REGION=us-east-1 -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e CATTLE_URL=http://rancher.mydomain.com -e CATTLE_ACCESS_KEY=$CATTLE_ACCESS_KEY -e CATTLE_SECRET_KEY=$CATTLE_SECRET_KEY objectpartners/rancher-ecr-credentials:latest
+```
+
+## Notes
+
+The AWS credentials must correspond to an IAM user that has permissions to call the ECR `GetToken` API.
+The application then parses the resulting response to retrieve the ECR registry URL, username, and password.
+The returned registry URL, is used to discover the corresponding registry in Rancher.
+
+Rancher stores registries by environment.
+If multiple environments exists, one instance of this container must be run per environment.
+Rancher credentials are tied to an environment, so specifying them will indicate which environment to update in Rancher.
+
+__NOTE__: This application runs on a 6 hour loop. It's possible there could be a slight gap where the credentials expire before this program updates them.

templates/ecr/catalogIcon-ecr.svg

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 19.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 100 100" style="enable-background:new 0 0 100 100;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#9D5025;}
+	.st1{fill:#F58435;}
+	.st2{fill:#FFFFFF;}
+	.st3{fill:#FFFFFF;stroke:#F58435;stroke-miterlimit:10;}
+	.st4{fill:#FBBF92;}
+	.st5{fill:none;stroke:#FBBF92;stroke-width:2;stroke-miterlimit:10;}
+	.st6{fill:none;}
+</style>
+<circle class="st0" cx="50" cy="50.6" r="30.4"/>
+<rect x="19.6" y="48.1" class="st0" width="60.9" height="2.5"/>
+<circle class="st1" cx="50" cy="48.1" r="30.4"/>
+<g>
+	<polygon class="st2" points="52,44.8 48,44.8 45.9,26.7 54.1,26.7 	"/>
+</g>
+<g>
+	<g>
+		<polygon class="st2" points="67.6,58.1 69.2,56.8 63.5,48.3 51,44 50,50.9 61.2,51.9 		"/>
+	</g>
+</g>
+<g>
+	<g>
+		<polygon class="st2" points="32.4,58.1 30.8,56.8 36.5,48.3 49,44 50,50.9 38.8,51.9 		"/>
+	</g>
+</g>
+<circle class="st3" cx="50" cy="26.7" r="5.6"/>
+<circle class="st1" cx="50" cy="26.7" r="1.9"/>
+<circle class="st3" cx="50" cy="47.4" r="4.1"/>
+<circle class="st1" cx="50" cy="47.4" r="1.3"/>
+<rect x="36.9" y="56.7" class="st2" width="26.3" height="14.5"/>
+<line class="st5" x1="39.2" y1="57.9" x2="39.2" y2="70.1"/>
+<line class="st5" x1="42.8" y1="57.9" x2="42.8" y2="70.1"/>
+<line class="st5" x1="46.4" y1="57.9" x2="46.4" y2="70.1"/>
+<line class="st5" x1="50" y1="57.9" x2="50" y2="70.1"/>
+<line class="st5" x1="53.6" y1="57.9" x2="53.6" y2="70.1"/>
+<line class="st5" x1="57.2" y1="57.9" x2="57.2" y2="70.1"/>
+<line class="st5" x1="60.8" y1="57.9" x2="60.8" y2="70.1"/>
+</svg>

templates/ecr/config.yml

@@ -0,0 +1,6 @@
+name: ECR Credential Updater
+description: |
+  Automatically updates AWS EC2 Container Registry credentials in Rancher.
+version: v1.0.0
+category: Applications
+maintainer: John Engelman <john.engelman@objectpartners.com>