Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update ECR parsing regex to include non-public AWS partitions #835

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

ngearhart
Copy link

@ngearhart ngearhart commented Dec 6, 2024

Resolves #832 and references https://github.com/awslabs/amazon-ecr-credential-helper/blob/69e8c24e6fc115fd00d7c363cde156570ce73144/ecr-login/api/client.go#L40.

Public AWS Documentation about hidden partitions (non-amazonaws.com or .com.cn) is limited. Read more about AWS partitions here.

Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ngearhart ngearhart force-pushed the update-ecr-parsing branch 5 times, most recently from 16ad2a1 to 5a82673 Compare December 20, 2024 14:21
@ngearhart ngearhart changed the title Remove requirement for ECR URL to end in amazonaws.com or amazonaws.com.cn Update ECR parsing regex to include non-public AWS partitions Dec 20, 2024
var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)
// This regex is sourced from the AWS ECR Credential Helper (https://github.com/awslabs/amazon-ecr-credential-helper).
// It covers both public AWS partitions like amazonaws.com, China partitions like amazonaws.com.cn, and non-public partitions.
var registryPartRe = regexp.MustCompile(`(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid of completely replacing the previous expression. It was introduced several years ago in https://github.com/fluxcd/image-reflector-controller/pull/174/files#diff-922fcbfbe2565443329918a2b0d49b2b03588007ec6464a20d3feb824f3f80a2R199 and I see some weirdness with it, compared to the new one. I think it would be safer to only append what's needed here, instead of replacing the whole expression, and also needing to change the registryParts slice index below.

Suggested change
var registryPartRe = regexp.MustCompile(`(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)
var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)

Comment on lines +104 to +107
{
registry: ".dkr.ecr.error.amazonaws.com",
wantOK: false,
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test case is unrelated. Please revert it with its comment as before.

@darkowlzz darkowlzz added the area/oci OCI related issues and pull requests label Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/oci OCI related issues and pull requests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

AWS Provider for OCI Does not account for disconnected AWS partitions
3 participants