
Handle private ECR image references containing public.ecr.aws #667

Merged
merged 1 commit into from
Sep 26, 2023

Conversation

@cartermckinnon (Contributor) commented Sep 19, 2023

What type of PR is this?

/kind bug

What this PR does / why we need it:

When support was added for public.ecr.aws images, a simple string.Contains was used to determine whether a requested image reference was a private or public ECR repository. If you use public.ecr.aws anywhere in your image reference, such as:

123456789123.dkr.ecr.us-west-2.amazonaws.com/public.ecr.aws/foo:latest

Then public ECR creds will be retrieved, and image pulls will fail (or you'll fail to call ecr-public::GetAuthorizationToken if your IAM creds don't have permissions for it).

Which issue(s) this PR fixes:

Fixes #651

Special notes for your reviewer:

I did some cleanup while I was at it:

  • I removed the RegistryIds parameter to GetAuthorizationTokenInput. This field is deprecated and has no effect on the token returned.

Does this PR introduce a user-facing change?:

Fixes an issue with private ECR image references that contain `public.ecr.aws` being misidentified as public ECR repositories.
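The misclassification described in this PR comes from testing the whole image reference for the public ECR host instead of testing only its registry component. The following is an added example (not code from cloud-provider-aws) that puts the substring check beside a host-based check; the constant `ecrPublicHost`, the private-registry pattern `ecrPrivateHostPattern`, the `RegistryKind` type and the function names are assumptions made for this illustration, and the registry-host rule (first path component counts as a registry only if it contains `.` or `:` or is `localhost`) is the general docker/distribution convention rather than anything the PR shows.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ecrPublicHost is an assumed constant for this example (the project names its own).
const ecrPublicHost = "public.ecr.aws"

// ecrPrivateHostPattern is an assumed illustrative pattern for a private ECR
// registry host such as 123456789123.dkr.ecr.us-west-2.amazonaws.com,
// allowing the FIPS endpoint and the China partition suffix.
var ecrPrivateHostPattern = regexp.MustCompile(
	`^\d{12}\.dkr\.ecr(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$`)

// RegistryKind is the classification the credential provider must get right,
// because it decides which token API (ecr vs ecr-public) is called.
type RegistryKind int

const (
	KindUnknown RegistryKind = iota
	KindPrivateECR
	KindPublicECR
)

// registryHost returns the registry component of an image reference: the text
// before the first "/", or "" when the reference carries no explicit registry
// (Docker Hub shorthand such as "nginx:latest" or "library/nginx").
func registryHost(image string) string {
	host, _, found := strings.Cut(image, "/")
	if !found {
		return ""
	}
	// The leading component is a registry only if it looks like a host.
	if !strings.ContainsAny(host, ".:") && host != "localhost" {
		return ""
	}
	return host
}

// classifyBuggy reproduces the substring test the PR removes: any occurrence
// of the public host, even inside the repository path, selects public ECR.
func classifyBuggy(image string) RegistryKind {
	if strings.Contains(image, ecrPublicHost) {
		return KindPublicECR
	}
	if ecrPrivateHostPattern.MatchString(registryHost(image)) {
		return KindPrivateECR
	}
	return KindUnknown
}

// classifyFixed compares only the registry host against the public ECR host,
// so a private registry whose repository path contains "public.ecr.aws" stays
// private and is issued private-registry credentials.
func classifyFixed(image string) RegistryKind {
	host := registryHost(image)
	switch {
	case host == ecrPublicHost:
		return KindPublicECR
	case ecrPrivateHostPattern.MatchString(host):
		return KindPrivateECR
	default:
		return KindUnknown
	}
}

func main() {
	// Constructed sample references mirroring the cases in the PR description.
	for _, image := range []string{
		"123456789123.dkr.ecr.us-west-2.amazonaws.com/public.ecr.aws/foo:latest",
		"public.ecr.aws/foo",
		"docker.io/library/nginx",
	} {
		fmt.Printf("%-72s buggy=%d fixed=%d host=%q\n",
			image, classifyBuggy(image), classifyFixed(image), registryHost(image))
	}
}
```

The returned host is also the natural key for the `auth` map in the provider's response (the log output later in this thread shows the map keyed by `123456789123.dkr.ecr.us-west-2.amazonaws.com` or `public.ecr.aws`), which is why deriving the host once and using it for both the classification and the response keeps the two consistent.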

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 19, 2023
@k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cartermckinnon (Contributor, Author)

/assign mmerkes

@k8s-ci-robot (Contributor)

@cartermckinnon: GitHub didn't allow me to assign the following users: mmerkes.

Note that only kubernetes members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign mmerkes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 19, 2023
@cartermckinnon (Contributor, Author)

@mmerkes please review?

@cartermckinnon (Contributor, Author)

/assign tzneal

@@ -162,10 +153,15 @@ func (e *ecrPlugin) GetCredentials(ctx context.Context, image string, args []str
var creds *credsData
var err error

if strings.Contains(image, ecrPublicURL) {
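Review bot: The check `if strings.Contains(image, ecrPublicURL) {` tests the whole image reference, so the public host is matched anywhere in the string and a private reference such as `123456789123.dkr.ecr.us-west-2.amazonaws.com/public.ecr.aws/foo:latest` is routed to the public-ECR credential path; extract the registry host (the component before the first `/`) and compare that to ecrPublicURL instead, and add a unit test with that reference so the private path is asserted rather than only checked by hand.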
@cartermckinnon (Contributor, Author) commented on this line:

This is the bug.

@mmerkes (Contributor) left a comment

Overall, the change LGTM. What testing did you do on this? At a minimum, we should verify that this can pull a public and private image.

@cartermckinnon (Contributor, Author)

I sanity checked this with the log output:

```
> echo '{
  "kind":"CredentialProviderRequest",
  "apiVersion":"credentialprovider.kubelet.k8s.io/v1",
  "image":"123456789123.dkr.ecr.us-west-2.amazonaws.com/public.ecr.aws/foo"
}' | ./ecr-credential-provider

I0919 09:33:41.036509   63515 main.go:125] Getting creds for private image 123456789123.dkr.ecr.us-west-2.amazonaws.com/public.ecr.aws/foo
{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1","cacheKeyType":"Registry","cacheDuration":"6h0m0s","auth":{"123456789123.dkr.ecr.us-west-2.amazonaws.com":{"username":"AWS","password":"<secret>"}}}

> echo '{
  "kind":"CredentialProviderRequest",
  "apiVersion":"credentialprovider.kubelet.k8s.io/v1",
  "image":"public.ecr.aws/foo"
}' | ./ecr-credential-provider

I0919 09:34:36.638610   63660 main.go:94] Getting creds for public registry
{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1","cacheKeyType":"Registry","cacheDuration":"6h0m0s","auth":{"public.ecr.aws":{"username":"AWS","password":"<secret>"}}}
```

@mmerkes (Contributor) left a comment

LGTM

@k8s-ci-robot (Contributor)

@mmerkes: changing LGTM is restricted to collaborators

In response to this:

LGTM

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cartermckinnon (Contributor, Author)

/assign @nckturner

can you give this a look Nick?

@tzneal (Contributor) left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 25, 2023
@cartermckinnon (Contributor, Author)

@dims PTAL?

@dims (Member) commented Sep 26, 2023

/approve
/lgtm

@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, mmerkes, tzneal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 26, 2023
@k8s-ci-robot k8s-ci-robot merged commit 43b808d into kubernetes:master Sep 26, 2023
@cartermckinnon cartermckinnon deleted the public-ecr-host branch September 26, 2023 22:15
@matty-rose commented Sep 26, 2023

hey @cartermckinnon we ran into this issue quite recently, super nice to see the fix merged in already 🎉 - do you have an idea on the cadence/ETA that the ecr-credential-provider binary with this fix will be incorporated into the EKS AMIs?

Successfully merging this pull request may close these issues.

Private ECR repository contains "public.ecr.aws" breaks the GetCredentials