
AWS Provider for OCI Does not account for disconnected AWS partitions #832

Open
ngearhart opened this issue Dec 6, 2024 · 2 comments · May be fixed by #835
Comments


ngearhart commented Dec 6, 2024

oci/auth/aws/auth.go::40

```go
var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)
```

This regular expression is used to determine if flux should try to authenticate to the AWS API when pulling an OCI resource. However, this regex does not support some other AWS regions, notably disconnected AWS partitions.
Thus, flux does not detect that it is in AWS and fails due to missing username/password.

Why is this implemented as such? If the user is already forced to specify provider: aws on HelmRepositories, for example, why does flux still parse the URL instead of de facto authenticating?

I recommend removing this check and assuming the OCI endpoint requires AWS authentication if the user specifies provider: aws regardless of the URL. If the user in error specifies provider: aws for a non-AWS-backed OCI repo, then flux should fail.
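To see concretely where the detection fails, the following added example (not flux's own code) runs the regex quoted above over a few constructed registry hostnames; the last host uses a placeholder suffix standing in for a partition the pattern does not list.

```go
package main

import (
	"fmt"
	"regexp"
)

// registryPartRe is the pattern quoted from the issue (flux oci/auth/aws/auth.go).
var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)

// ECRMatch holds what the pattern extracts from a registry host.
type ECRMatch struct {
	AccountID string
	Region    string
	Domain    string
}

// ParseECRHost reports whether host is recognised as ECR by the pattern and,
// if so, the account, region and domain it extracted. A host that is not
// recognised is exactly the case the issue describes: flux then does not
// attempt AWS authentication at all.
func ParseECRHost(host string) (ECRMatch, bool) {
	parts := registryPartRe.FindStringSubmatch(host)
	if parts == nil {
		return ECRMatch{}, false
	}
	return ECRMatch{AccountID: parts[1], Region: parts[2], Domain: parts[3]}, true
}

func main() {
	// Constructed sample hosts; the account id is a dummy value.
	hosts := []string{
		"123456789012.dkr.ecr.us-east-1.amazonaws.com",
		"123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
		"123456789012.dkr.ecr.cn-north-1.amazonaws.com.cn",
		// placeholder suffix: a partition whose domain the regex does not know
		"123456789012.dkr.ecr.us-iso-east-1.partition.example",
	}
	for _, h := range hosts {
		m, ok := ParseECRHost(h)
		fmt.Printf("%-55s matched=%-5v region=%q\n", h, ok, m.Region)
	}
}
```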


ngearhart commented Dec 6, 2024

I understand that an alternative path to implementing this would be to expand the regex to include these disconnected partitions, but it seems like there is a bigger discussion that should happen around this.

ngearhart (Author) commented

After further investigation, it looks like this happens because the regex tries to pull the region out of the URL.
