Pushing images and charts to AWS ECR

AWS ECR is a private OCI registry and requires authentication to push images and charts to it. In this example, I will create an app container called demoapp, create a chart for it, and push both to my ECR repo called demoapp.

Step 1 : Create container

First I will create a simple app and build my container.

Dockerfile

```dockerfile
FROM alpine:latest
RUN apk update && apk add curl wget \
    && rm -rf /var/cache/apk/* \
    && date > /date.txt

CMD ["tail", "-f", "/dev/null"]
```

Build container

I am using podman to build and tag my container

```bash
podman build -t <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/demoapp:v0.1.1 .
podman images

REPOSITORY                                                TAG         IMAGE ID      CREATED         SIZE
<aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/demoapp  v0.1.1      313dcf2cc83e  48 seconds ago  15.3 MB
```

Step 2 : Push image to ECR registry

Before you can push an image to ECR, you must first obtain an authentication token.

```bash
aws ecr get-login-password --profile labs --region eu-west-2 | podman login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com

# Push image to ECR
podman push <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/demoapp:v0.1.1
```

Step 3 : Create Helm chart

```bash
helm create demoapp
```

Update values.yaml to reflect the image and your app. My app does not listen on a port, so I will also comment out the liveness and readiness probes.

```yaml
image:
  repository: <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/demoapp
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  # Must match the image tag pushed in Step 2.
  tag: "v0.1.1"
```

Step 4 : Create Helm package and push to registry

Create package, authenticate with ECR and push your chart

```bash
helm package demoapp  # package name will reflect chart version
Successfully packaged chart and saved it to: ./demoapp-0.1.0.tgz

# Authenticate Helm to ECR
aws ecr get-login-password --profile labs --region eu-west-2 | helm registry login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com

# Push helm chart
helm push demoapp-0.1.0.tgz oci://<aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com

Pushed: <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/demoapp:0.1.0
Digest: sha256:8e502d88912aefe73c4c0aec5587f51bed2a9ff3225ba4422eff6230a9e3c551
```

ECR repo of demo app

[!INFO] The URL must begin with oci://, and the path for the chart is derived from the Helm package name. Here the Helm chart is pushed to the demoapp repo, which can store Helm charts as well as images.
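
Because the chart and the image share the demoapp repo and its tag namespace, a tag set in values.yaml can resolve to a chart instead of a container image. The check below is an added example, not part of the original post: it classifies tags by the artifactMediaType that aws ecr describe-images reports. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Input on stdin: one "tag<TAB>artifactMediaType" row per artifact, e.g. from
#   aws ecr describe-images --profile labs --region eu-west-2 \
#     --repository-name demoapp --output text \
#     --query 'imageDetails[].[imageTags[0],artifactMediaType]'
# (that query lists only the first tag of each artifact)

TAB=$(printf '\t')

# Constructed sample rows: the image from Step 2 and the chart from Step 4.
sample_listing() {
  printf 'v0.1.1\tapplication/vnd.oci.image.config.v1+json\n'
  printf '0.1.0\tapplication/vnd.cncf.helm.config.v1+json\n'
}

# artifact_kind TAG: print chart, image, other, or missing for TAG.
artifact_kind() {
  found=missing
  while IFS="$TAB" read -r tag media; do
    [ "$tag" = "$1" ] || continue
    case "$media" in
      application/vnd.cncf.helm.config.v1+json) found=chart ;;
      application/vnd.oci.image.config.v1+json | \
      application/vnd.docker.container.image.v1+json) found=image ;;
      *) found=other ;;
    esac
  done
  echo "$found"
}

# check_image_tag TAG: succeed only when TAG is a container image, so a
# values.yaml tag that resolves to the chart (or to nothing) is caught early.
check_image_tag() {
  kind=$(artifact_kind "$1")
  if [ "$kind" = image ]; then
    return 0
  fi
  echo "tag '$1' is '$kind', not a container image" >&2
  return 1
}

# Demo on the constructed rows.
sample_listing | check_image_tag v0.1.1 && echo "v0.1.1: ok"
sample_listing | check_image_tag 0.1.0 || echo "0.1.0: rejected"
```

Run it before `helm install` by piping the real describe-images output into check_image_tag with the tag from values.yaml.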

Pulling OCI image to local

```bash
# Authenticate Helm to ECR
aws ecr get-login-password --profile labs --region eu-west-2 | helm registry login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com

helm pull oci://<aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/demoapp --version 0.1.0
```