Pull Image from AWS ECR using Helm in Kubernetes [4 steps]

In this article we are going to cover Pull Image From AWS ECR using Helm in Kubernetes, Install Nodejs and npm on Ubuntu 22.04 LTS, Create a Nodejs app,Create a Dockerfile for Nodejs app,Push Nodejs Docker Image in AWS ECR,

Create secret in Kubernetes to access AWS ECR,Create a helm chart for Nodejs app and Add AWS ECR Secret and image repository in helm chart Kubernetes,Install NodeJs Helm Chart in Kubernetes,Run the Nodejs app on browser using kubectl port forward

In this article, we will explore the process of pulling container images from an AWS ECR private registry using Helm in a Kubernetes environment. This step-by-step guide will help you seamlessly integrate Helm with your private registry, ensuring a smooth deployment workflow for your applications.

Prerequisites

• AWS Account with Ubuntu 22.04 LTS EC2 Instance
• A private container registry in AWS ECR
• AWS CLI Installed
• Minikube and kubectl, Helm Installed

Install Minikube and kubectl by following the official documentation for your operating system:

Minikube Installation Guide

Install Minikube on Ubuntu 22.04 LTS

• Helm Installed:

Install Helm by following the official documentation:

Helm Installation Guide

Step #1:Install Nodejs and npm on Ubuntu 22.04 LTS

Create Hello world nodejs app

Create a directory named express_app

mkdir express_app
cd express_app

Install nodejs and npm on Ubuntu 22.04 LTS using below command

sudo apt install nodejs

sudo apt install npm

Now, initialize the node project using the following command

npm init

The npm init command initiates the creation of a package.json file, which serves as a configuration file for Node.js projects. This file contains information such as project name, version, description, scripts, files, dependencies, and versions.

Then install the Express library and add it to the package.json file

npm install --save express

Now install a tool called nodemon. It will automatically restarts the node application when it detects any changes.

npm install --save nodemon

Step #2:Create a Nodejs app

Create a file named package.json which consist all files and dependencies required to describe the app.

Add the following content in it.

{
    "name": "docker-example",
    "version": "1.0.0",
    "description": "",
    "main": "app.js",
    "scripts": {
      "start": "nodemon app.js",
      "test": "echo \"Error: no test specified\" && exit 1"
    },
    "author": "",
    "license": "ISC",
    "dependencies": {
      "express": "^4.17.1",
      "nodemon": "^2.0.12"
    }
  }

Save the file using ctrl+x, shift+y and Enter.

Then, create a app.js file named app.js that defines a web app using the Express.js framework.

nano app.js

add the following content into it.

// import and create an express app
const express = require('express');
const app = express()

// message as response
msg = "Hello world! this is nodejs in a docker container.."
// create an end point of the api
app.get('/', (req, res) => res.send(msg));

// now run the application and start listening
// on port 3000
app.listen(3000, () => {
    console.log("app running on port 3000...");
})

save the modification using ctrl+x, shift+y and Enter.

After this we can run the application.

npm run start

Step #3:Create a Dockerfile for Nodejs app

To containerize our application, we’ll create a Docker image, and to facilitate this process, we’ll construct a Dockerfile. The Dockerfile contains instructions detailing the configuration of the image responsible for running our application.

nano Dockerfile

FROM node:latest
WORKDIR /app
COPY package.json /app
RUN npm install
COPY . /app
CMD ["npm", "start"]
EXPOSE 3000

save the modification using ctrl+x, shift+y and Enter.

Step #4:Push Nodejs Docker Image in AWS ECR

Use the following steps to authenticate and push an image to your repository.

Retrieve an authentication token and authenticate your Docker client to your registry.

aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin 992382413471.dkr.ecr.ap-south-1.amazonaws.com

Build your Docker image using the following command.

docker build -t nodejs-app .

confirm the image is created by running following command.

docker images

After the build completes, tag your image so you can push the image to this repository.

docker tag nodejs-app:latest 992382413471.dkr.ecr.ap-south-1.amazonaws.com/nodejs-app:latest

Run the following command to push this image to your newly created AWS repository.

docker push 992382413471.dkr.ecr.ap-south-1.amazonaws.com/nodejs-app:latest

now image is pushed to the private registry named nodejs-app.

Step #5:Create secret in Kubernetes to access AWS ECR

Create Secret in Kubernetes to access AWS ECR

kubectl create secret docker-registry nodeapp \
         --docker-server=992382413471.dkr.ecr.ap-south-1.amazonaws.com \
         --docker-username=AWS \
         --docker-password=$(aws ecr get-login-password)

Step #6:Create a helm chart for Nodejs app and Add AWS ECR Secret and image repository in helm chart Kubernetes

Create a helm chart (You can give any name you want)

helm create nodejs

Navigate to the nodejs chart directory.

cd nodejs

then open the values.yaml file and modify repository, aws ecr secret name and nodejs app port details.

nano values.yaml 

# Default values for nodejs.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: 992382413471.dkr.ecr.ap-south-1.amazonaws.com/nodejs-app
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: "latest"

imagePullSecrets:
  - name: nodeapp
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Automatically mount a ServiceAccount's API credentials?
  automount: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}
podLabels: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: NodePort
  port: 3000

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

livenessProbe:
  httpGet:
    path: /
    port: http
readinessProbe:
  httpGet:
    path: /
    port: http

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
#   secret:
#     secretName: mysecret
#     optional: false

# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
#   mountPath: "/etc/foo"
#   readOnly: true

nodeSelector: {}

tolerations: []

affinity: {}

save the modification using ctrl+x, shift+y and Enter.

exit the directory nodejs

cd ..

Step #7:Install NodeJs Helm Chart in Kubernetes

now install the chart

helm install mynodeapp nodejs

Check the status of the deployed pods.

kubectl get pods

run the following command to check if image is pulled or not.

kubectl pod describe mynodeapp-nodejs-7fb5cf7bc8-gjfnp

Output:

Step #8:Run the Nodejs app on browser using kubectl port forward

For checking services, run following command

kubectl get svc

For accessing the Nodejs application on browser use following command.

kubectl port-forward --address 0.0.0.0 svc/mynodeapp-nodejs 3000:3000

This command facilitates the redirection of traffic from port 3000 on your local machine to port 3000 on the designated service, in this case, mynodeapp-nodejs. This feature proves valuable for interacting with a service operating within your Kubernetes cluster directly from your local environment.

To access the application via a web browser, enter the following in the URL bar: ip address:port number.

The ‘ip address’ corresponds to the public IP address of your Minikube EC2 instance established on AWS, and the ‘port number’ aligns with the port we designated (3000) for forwarding the Node.js pod.

Upon successful execution, you should observe the message: “Hello world! This is Node.js in a Docker container…” displayed in the browser.

Conclusion:

Retrieving images from a private registry with YAML and Helm entails establishing a Kubernetes Secret for authentication and adjusting Helm chart values. This process is crucial, especially when dealing with private repositories like AWS ECR. By creating a Kubernetes Secret specific to your AWS ECR private registry, and subsequently updating the Helm chart with the relevant configuration, you guarantee secure and authenticated access to container images during Kubernetes deployments. This approach ensures a resilient and scalable solution for managing containerized applications, particularly when leveraging AWS ECR as the private registry.

Reference:

AWS ECR official page