
feat: add support for aws ecr tokens (#2650) #58

Closed
wants to merge 1 commit into from

Conversation

tamilhce (Owner) commented Jan 9, 2025

What type of PR is this?
feature
Which issue does this PR fix:
project-zot/zot#2650

What does this PR do / Why do we need it:
This PR adds support for temporary credentials for upstream registries, specifically focusing on AWS ECR. Since ECR credentials are not permanent and need to be rotated periodically, this enhancement enables Zot to dynamically obtain and refresh valid usernames and passwords when the CredentialHelper is configured for the registry.

If an issue # is not available please add repro steps and logs showing the issue:
N/A

Testing done on this change:

During initialization, the logs confirm that ECR credentials have been updated:

{"level":"info","goroutine":1,"caller":"zotregistry.dev/zot/pkg/extensions/sync/service.go:77","time":"2024-10-18T23:15:48.269973286+05:30","message":"Using credentials helper, because CredentialHelper is set to ecr"}
{"level":"info","goroutine":1,"caller":"zotregistry.dev/zot/pkg/extensions/sync/service.go:81","time":"2024-10-18T23:15:48.269998807+05:30","message":"Fetch the credentials using AWS ECR Auth Token."}

During credential expiry, the following log entries are generated:

{"level":"info","url":"accountid.dkr.ecr.us-east-1.amazonaws.com","goroutine":593,"caller":"zotregistry.dev/zot/pkg/extensions/sync/ecr_credential_helper.go:126","time":"2024-10-19T00:43:06.320476296+05:30","message":"The credentials are close to expiring"}
{"level":"info","url":"accountid.dkr.ecr.us-east-1.amazonaws.com","goroutine":593,"caller":"zotregistry.dev/zot/pkg/extensions/sync/ecr_credential_helper.go:135","time":"2024-10-19T00:43:06.320498388+05:30","message":"Refreshing the ECR credentials"}
{"level":"info","url":"accountid.dkr.ecr.us-east-1.amazonaws.com","goroutine":593,"caller":"zotregistry.dev/zot/pkg/extensions/sync/service.go:162","time":"2024-10-19T00:43:07.009198386+05:30","message":"Refreshing the upstream remote registry credentials"}

These logs verify that the credentials are nearing the expiry window of one hour and have been successfully refreshed.
Automation added to e2e:
Added TestECRCredentialsHelper in sync_internal_test

Will this break upgrades or downgrades?
No

Does this PR introduce any user-facing change?:
No

release-note
With this PR, users can configure AWS ECR as an upstream registry for on-demand or periodic sync by setting CredentialHelper: ecr in the extension sync configuration. This change eliminates the need for users to manually add usernames and passwords in the credentialsFile; instead, credentials will be stored in memory and automatically rotated as they approach expiry. An example configuration is available in examples/config-sync-ecr-credential-helper.json.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@tamilhce tamilhce force-pushed the tamilhce/ecr-tmp-cred-helper branch from cd88d03 to 6dc5182 Compare January 9, 2025 14:20
@tamilhce tamilhce closed this Jan 9, 2025
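The rotation scheme the description outlines (decode the ECR token into a username/password pair, keep it only in memory, refresh once it is within the one-hour expiry window, fail closed if no valid credentials can be obtained), written out as an added Go example. This is not zot's code and not the code from this PR: the `TokenFetcher` interface, `FakeECR` stand-in and `CredentialHelper` type are assumed names for illustration. A real fetcher would wrap the ECR GetAuthorizationToken API, which returns a base64-encoded `AWS:<password>` token together with its expiry; the fake here mints such tokens against a controllable clock so the example runs offline.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Credentials is the decoded username/password pair and when it stops being valid.
type Credentials struct {
	Username  string
	Password  string
	ExpiresAt time.Time
}

// TokenFetcher obtains a fresh authorization token from the upstream registry.
// A real helper would wrap ECR's GetAuthorizationToken call; it is an interface
// (assumed name) so the refresh logic can be exercised offline with a fake.
type TokenFetcher interface {
	FetchToken() (token string, expiresAt time.Time, err error)
}

// DecodeECRToken splits the base64-encoded "user:password" payload ECR returns.
func DecodeECRToken(token string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", "", fmt.Errorf("decoding token: %w", err)
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok || user == "" || pass == "" {
		return "", "", errors.New("token is not in user:password form")
	}
	return user, pass, nil
}

// CredentialHelper keeps credentials in memory and refreshes them ahead of expiry.
type CredentialHelper struct {
	mu          sync.Mutex
	fetcher     TokenFetcher
	now         func() time.Time
	refreshSkew time.Duration // refresh once fewer than this remains before ExpiresAt
	creds       *Credentials
}

// NewCredentialHelper builds a helper that refreshes skew before the token expires.
func NewCredentialHelper(f TokenFetcher, skew time.Duration) *CredentialHelper {
	return &CredentialHelper{fetcher: f, now: time.Now, refreshSkew: skew}
}

// WithClock replaces the time source (the demo and tests use a fake clock).
func (h *CredentialHelper) WithClock(now func() time.Time) *CredentialHelper {
	h.now = now
	return h
}

func (h *CredentialHelper) needsRefresh() bool {
	return h.creds == nil || h.now().Add(h.refreshSkew).After(h.creds.ExpiresAt)
}

// Get returns valid credentials, fetching a new token when none is cached or the
// cached one is within refreshSkew of expiring. If the fetch fails but the old
// credentials are still valid they are served; otherwise the call fails closed.
func (h *CredentialHelper) Get() (Credentials, error) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if !h.needsRefresh() {
		return *h.creds, nil
	}
	token, exp, err := h.fetcher.FetchToken()
	if err != nil {
		if h.creds != nil && h.now().Before(h.creds.ExpiresAt) {
			return *h.creds, nil
		}
		return Credentials{}, fmt.Errorf("refreshing credentials: %w", err)
	}
	user, pass, err := DecodeECRToken(token)
	if err != nil {
		return Credentials{}, err
	}
	h.creds = &Credentials{Username: user, Password: pass, ExpiresAt: exp}
	return *h.creds, nil
}

// FakeECR is a constructed stand-in for the ECR API: each call mints a token
// "AWS:secret-N" valid for 12 hours from the fake clock (ECR tokens last 12 hours).
type FakeECR struct {
	Now   func() time.Time
	Calls int
}

func (f *FakeECR) FetchToken() (string, time.Time, error) {
	f.Calls++
	payload := fmt.Sprintf("AWS:secret-%d", f.Calls)
	return base64.StdEncoding.EncodeToString([]byte(payload)), f.Now().Add(12 * time.Hour), nil
}

func main() {
	cur := time.Date(2024, 10, 18, 23, 15, 0, 0, time.UTC) // constructed start time
	now := func() time.Time { return cur }
	ecr := &FakeECR{Now: now}
	helper := NewCredentialHelper(ecr, time.Hour).WithClock(now)
	// t+0: first fetch; t+10h: still cached; t+11h30m: inside the 1h window, refreshed.
	for _, step := range []time.Duration{0, 10 * time.Hour, 90 * time.Minute} {
		cur = cur.Add(step)
		c, err := helper.Get()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s user=%s pass=%s fetches=%d\n", cur.Format(time.RFC3339), c.Username, c.Password, ecr.Calls)
	}
}
```

The refresh check is `now + skew > ExpiresAt`, so with a one-hour skew the second fetch happens on the first `Get` after the token has under an hour left, matching the "close to expiring" / "Refreshing the ECR credentials" sequence in the logs above; the mutex keeps concurrent sync goroutines from each fetching their own token.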