From 378cc07f36e783596174b5dc12dc9d4a33f2f54b Mon Sep 17 00:00:00 2001 From: Alexander Mancevice Date: Sat, 11 Mar 2023 17:22:58 -0500 Subject: [PATCH] feat(ENV): allow the default registry when no match While not "officially" supported, it is possible to alias an ECR registry with DNS (eg ecr.example.io). This change adds support for the AWS_ECR_USE_DEFAULT_REGISTRY environment variable which, when set to a non-empty value, will force this tool to use the default registry when authenticating. --- README.md | 7 ++++--- ecr-login/api/client.go | 15 +++++++++++++-- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8ee7f8b0..a3a00a9d 100644 --- a/README.md +++ b/README.md @@ -142,7 +142,7 @@ A community-maintained package is available in the [Alpine Linux aports Reposito ```bash $ apk add docker-credential-ecr-login ``` -> [!NOTE] +> [!NOTE] > Badge only shows edge, check [repository](https://pkgs.alpinelinux.org/packages?name=docker-credential-ecr-login) for stable releases or add `--repository=http://dl-cdn.alpinelinux.org/alpine/edge/community` Once you have installed the credential helper, see the @@ -219,7 +219,7 @@ contents of your `~/.docker/config.json` file to be: This configures the Docker daemon to use the credential helper for all Amazon ECR registries. -The Amazon ECR Docker Credential Helper can be used alongside your existing docker login authentication tokens: +The Amazon ECR Docker Credential Helper can be used alongside your existing docker login authentication tokens: ```json { 
@@ -293,6 +293,7 @@ The credentials must have a policy applied that | AWS_ECR_DISABLE_CACHE | true | Disables the local file auth cache if set to a non-empty value | | AWS_ECR_CACHE_DIR | ~/.ecr | Specifies the local file auth cache directory location | | AWS_ECR_IGNORE_CREDS_STORAGE | true | Ignore calls to docker login or logout and pretend they succeeded | +| AWS_ECR_USE_DEFAULT_REGISTRY | true | Uses the default registry when the provided one cannot be parsed | ## Usage @@ -335,7 +336,7 @@ If you test any experimental feaures, you can give feedback via the feature's tr * Suggested improvements Experimental features are incomplete in design and implementation. Backwards incompatible -changes may be introduced at any time or support dropped entirely. Therefore experimental +changes may be introduced at any time or support dropped entirely. Therefore experimental features are **not recommended** for use in production environments. ## Security disclosures diff --git a/ecr-login/api/client.go b/ecr-login/api/client.go index ae452396..b0941616 100644 --- a/ecr-login/api/client.go +++ b/ecr-login/api/client.go @@ -18,6 +18,7 @@ import ( "encoding/base64" "fmt" "net/url" + "os" "regexp" "strings" "time" @@ -37,7 +38,10 @@ const ( ecrPublicEndpoint = proxyEndpointScheme + ecrPublicName ) -var ecrPattern = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`) +var ( + ecrPattern = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`) + ecrUseDefaultRegistry = os.Getenv("AWS_ECR_USE_DEFAULT_REGISTRY") +) type Service string 
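Review bot: `ecrUseDefaultRegistry` in the new `var (...)` block is evaluated once at package initialisation and counts as enabled for any non-empty string, so `AWS_ECR_USE_DEFAULT_REGISTRY=false` or `=0` turns the fallback on and tests cannot toggle it with `t.Setenv`. Because the value relaxes the registry hostname check, the declaration deserves a comment, e.g. `// ecrUseDefaultRegistry, when non-empty (any value, including "false"), lets ExtractRegistry accept hosts that do not match ecrPattern.` Reading it with `os.Getenv` inside ExtractRegistry at call time would also make the behaviour testable.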
@@ -69,7 +73,14 @@ func ExtractRegistry(input string) (*Registry, error) {
 }, nil
 }
 matches := ecrPattern.FindStringSubmatch(serverURL.Hostname())
- if len(matches) == 0 {
+ if len(matches) == 0 && ecrUseDefaultRegistry != "" {
+ return &Registry{
+ Service: ServiceECR,
+ ID: "",
+ FIPS: false,
+ Region: "",
+ }, nil
+ } else if len(matches) == 0 {
 return nil, fmt.Errorf(programName + " can only be used with Amazon Elastic Container Registry.")
 } else if len(matches) < 3 {
 return nil, fmt.Errorf("%q is not a valid repository URI for Amazon Elastic Container Registry.", input)
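Review bot: The new first branch in ExtractRegistry returns an ECR registry for every hostname that fails `ecrPattern` once the variable is set, so the pattern no longer acts as the check that keeps ECR authorization tokens from being issued for non-ECR servers. If the helper is configured as the global `credsStore`, a request for any other registry would presumably be answered with the default registry's token, which is broader than the DNS-alias case described in the commit message. Consider having the variable carry the alias hostnames and gating the branch on a match, e.g. `if len(matches) == 0 && aliasAllowed(serverURL.Hostname()) {` (`aliasAllowed` is an illustrative helper, not existing code), and logging when the fallback is taken so it is visible in audits. The function starts and ends outside this hunk.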