[feat] ecr-credential-provider support to authenticate public registries

[mmerkes]

What type of PR is this?
/kind feature

What this PR does / why we need it:
ecr-credential-provider can now authenticate public registries, which allows users to access larger ECR data transfer limits. See #602 for more details. This will not work outside of the aws partition as the ECR public endpoint is only in us-east-1 and it requires IAM authentication.

To enable this, you may need a couple of changes in your nodes:

1. Add public.ecr.aws to matchImages in your CredentialProviderConfig. See below for an example.
2. The node IAM policy needs ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken permissions. See below for an example policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

Which issue(s) this PR fixes:

Fixes #602

Special notes for your reviewer:

For testing, I created a 1.26 EKS cluster with an AL2 nodegroup in us-west-2, built the ecr-credential-provider, uploaded to the nodes and used the below image credential provider config:

{
  "apiVersion": "kubelet.config.k8s.io/v1",
  "kind": "CredentialProviderConfig",
  "providers": [
    {
      "name": "ecr-credential-provider",
      "matchImages": [
        "public.ecr.aws",
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.us-iso-east-1.c2s.ic.gov",
        "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
      ],
      "defaultCacheDuration": "12h",
      "apiVersion": "credentialprovider.kubelet.k8s.io/v1"
    }
  ]
}

I deployed the EKS sample app and verified the following:

1. pods came up
2. GetAuthorizationToken to private ECR registry endpoint showed up in us-west-2
3. GetAuthorizationToken to public ECR registry endpoint showed up in us-east-1
4. Images were successfully downloaded

Does this PR introduce a user-facing change?:

`ecr-credential-provider` supports authenticating for ECR public registries.

[k8s-ci-robot]

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @mmerkes. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[olemarkus]

/ok-to-test

[dims]

cc @jlbutler

[dims]

Could we switch to the following signature to return nil instead of empty data structure? credsData{}

func (e *ecrPlugin) getPublicCredsData() (*credsData, error)

[mmerkes]

Ya. I'll update that everywhere.

[dims]

thanks!

[dims]

Same as above. Could we switch to the following signature to return nil instead of empty data structure? credsData{}

func (e *ecrPlugin) getPublicCredsData() (*credsData, error)

[dims]

@jlbutler any comments about reachability of ECR public?

[mmerkes]

AFAIK, this is the only region that has an ECR public endpoint. While the endpoint would be reachable from any non-isolated partitions, it won't be able to make authenticated calls from other partitions because you'd need a partition-specific endpoint so that the IAM creds work correctly. If there are endpoints in any other partitions, I can add support for those here.

[jlbutler]

Correct, for the purposes here (using the SDK to make API calls for auth) us-east-1 is the region

[dims]

thanks @jlbutler

[dims]

HasPrefix?

[mmerkes]

Ya, I had considered that. However, this logic made me this that it could have https:// in the image string:

func parseRepoURL(image string) (string, string, string, error) {
	if !strings.Contains(image, "https://") {
		image = "https://" + image
	}

It could be that the if statement is overly defensive, but I took the same approach here.

[dims]

👍🏾

[dims]

/approve

[nckturner]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, nckturner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dims,nckturner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment