feat: aws ecr credential helper (#327)

brivu · web-flow · commit 55f3694f1365 · 2024-01-30T14:18:13.000-08:00
* feat: add support for aws ecr credential helper

* ci: add testing for credential helper

* fix: add standard login for public registries

* fix: address comments
diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml
@@ -21,6 +21,7 @@ jobs:
       - persist_to_workspace:
           root: .
           paths: [sample/Dockerfile]
+
   tag-ecr-image:
     docker:
       - image: cimg/base:current
@@ -174,6 +175,36 @@ workflows:
           platform: linux/amd64,linux/arm64
           filters: *filters
           requires: [pre-integration]
+      - aws-ecr/build_and_push_image:
+          name: integration-test-aws-ecr-credential-helper
+          auth:
+            - aws-cli/setup:
+                role_arn: arn:aws:iam::122211685980:role/CPE_ECR_OIDC_TEST
+          attach_workspace: true
+          workspace_root: workspace
+          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-credential-helper
+          create_repo: true
+          context: [CPE-OIDC]
+          tag: credential-helper
+          dockerfile: sample/Dockerfile
+          path: workspace
+          executor: amd64
+          post-steps:
+            - run:
+                name: Verify ~/.docker/config.json
+                command: |
+                  if [ -f "$HOME/.docker/config.json" ] && grep 122211685980.dkr.ecr.us-west-2.amazonaws.com < ~/.docker/config.json; then
+                    echo "AWS ECR Credential Helper correctly configured."
+                    exit 0
+                  else
+                    echo "AWS ECR Credential Helper not configured."
+                    exit 1
+                  fi
+            - run:
+                name: "Delete repository"
+                command: aws ecr delete-repository --repository-name --region us-west-2 aws-ecr-orb-${CIRCLE_SHA1:0:7}-credential-helper --force
+          filters: *filters
+          requires: [pre-integration]
       - aws-ecr/build_and_push_image:
           name: integration-test-cache-to-flag
           auth:
diff --git a/src/commands/ecr_login.yml b/src/commands/ecr_login.yml
@@ -1,5 +1,5 @@
 description: >
-  Authenticate into the Amazon ECR service.
+  Authenticate into the Amazon ECR service. This command requires jq.
   NOTE: Some commands may not work with AWS CLI Version 1.
 
 parameters:
@@ -42,4 +42,5 @@ steps:
         AWS_ECR_STR_REGION: <<parameters.region>>
         AWS_ECR_BOOL_PUBLIC_REGISTRY: <<parameters.public_registry>>
         AWS_ECR_STR_AWS_DOMAIN: <<parameters.aws_domain>>
+        SCRIPT_UTILS: << include(scripts/utils.sh) >>
       command: <<include(scripts/ecr_login.sh)>>
diff --git a/src/scripts/ecr_login.sh b/src/scripts/ecr_login.sh
@@ -3,26 +3,59 @@ AWS_ECR_EVAL_REGION="$(eval echo "${AWS_ECR_STR_REGION}")"
 AWS_ECR_EVAL_PROFILE_NAME="$(eval echo "${AWS_ECR_STR_PROFILE_NAME}")"
 AWS_ECR_EVAL_ACCOUNT_ID="$(eval echo "${AWS_ECR_STR_ACCOUNT_ID}")"
 AWS_ECR_VAL_ACCOUNT_URL="${AWS_ECR_EVAL_ACCOUNT_ID}.dkr.ecr.${AWS_ECR_EVAL_REGION}.${AWS_ECR_STR_AWS_DOMAIN}"
+AWS_ECR_EVAL_PUBLIC_REGISTRY_ALIAS="$(eval echo "${AWS_ECR_STR_PUBLIC_REGISTRY_ALIAS}")"
 ECR_COMMAND="ecr"
 
+eval "$SCRIPT_UTILS"
+detect_os
+set_sudo
+
 if [ -z "${AWS_ECR_EVAL_ACCOUNT_ID}" ]; then
   echo "The account ID is not found. Please add the account ID before continuing."
   exit 1
 fi
 
 if [ "$AWS_ECR_BOOL_PUBLIC_REGISTRY" == "1" ]; then
     AWS_ECR_EVAL_REGION="us-east-1"
-    AWS_ECR_VAL_ACCOUNT_URL="public.ecr.aws"
+    AWS_ECR_VAL_ACCOUNT_URL="public.ecr.aws/${AWS_ECR_EVAL_PUBLIC_REGISTRY_ALIAS}"
     ECR_COMMAND="ecr-public"
-fi
-
-if [ -n "${AWS_ECR_EVAL_PROFILE_NAME}" ]; then
-    set -- "$@" --profile "${AWS_ECR_EVAL_PROFILE_NAME}"
+    aws "${ECR_COMMAND}" get-login-password --region "${AWS_ECR_EVAL_REGION}" --profile "${AWS_ECR_EVAL_PROFILE_NAME}" \
+     | docker login --username AWS --password-stdin "${AWS_ECR_VAL_ACCOUNT_URL}"
+    exit 0
 fi
 
 if [ -f "$HOME/.docker/config.json" ] && grep "${AWS_ECR_VAL_ACCOUNT_URL}" < ~/.docker/config.json > /dev/null 2>&1 ; then
-    echo "Credential helper is already installed"
-else
-    docker logout "${AWS_ECR_VAL_ACCOUNT_URL}"
-    aws "${ECR_COMMAND}" get-login-password --region "${AWS_ECR_EVAL_REGION}" "$@" | docker login --username AWS --password-stdin "${AWS_ECR_VAL_ACCOUNT_URL}"
+    echo "Credential helper is already installed and configured"
+    exit 0
 fi
+
+configure_config_json(){
+    echo "Configuring config.json..."
+    CONFIG_FILE="$HOME/.docker/config.json"
+    mkdir -p "$(dirname "${CONFIG_FILE}")"
+
+    jq_flag=""
+    if [ ! -s "${CONFIG_FILE}" ]; then
+        jq_flag="-n"
+    fi
+        jq "${jq_flag}" --arg url "${AWS_ECR_VAL_ACCOUNT_URL}" \
+        --arg helper "ecr-login" '.credHelpers[$url] = $helper' \
+        "${CONFIG_FILE}" > temp.json && mv temp.json "${CONFIG_FILE}"
+}
+
+install_aws_ecr_credential_helper(){
+    echo "Installing AWS ECR Credential Helper..."
+    if [[ "$SYS_ENV_PLATFORM" = "linux" ]]; then
+        $SUDO apt update
+        $SUDO apt install amazon-ecr-credential-helper
+        configure_config_json
+    elif [[ "$SYS_ENV_PLATFORM" = "macos" ]]; then
+        brew install docker-credential-helper-ecr
+        configure_config_json
+    else
+        docker logout "${AWS_ECR_VAL_ACCOUNT_URL}"
+        aws "${ECR_COMMAND}" get-login-password --region "${AWS_ECR_EVAL_REGION}" --profile "${AWS_ECR_EVAL_PROFILE_NAME}" | docker login --username AWS --password-stdin "${AWS_ECR_VAL_ACCOUNT_URL}"
+    fi
+}
+
+install_aws_ecr_credential_helper
diff --git a/src/scripts/utils.sh b/src/scripts/utils.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+detect_os() { 
+  detected_platform="$(uname -s | tr '[:upper:]' '[:lower:]')"
+
+  case "$detected_platform" in
+    linux*)
+        if grep "Alpine" /etc/issue >/dev/null 2>&1; then
+            printf '%s\n' "Detected OS: Alpine Linux."
+            SYS_ENV_PLATFORM=linux_alpine
+        else
+            printf '%s\n' "Detected OS: Linux."
+            SYS_ENV_PLATFORM=linux
+        fi  
+      ;;
+    darwin*)
+      printf '%s\n' "Detected OS: macOS."
+      SYS_ENV_PLATFORM=macos
+      ;;
+    msys*|cygwin*)
+      printf '%s\n' "Detected OS: Windows."
+      SYS_ENV_PLATFORM=windows
+      ;;
+    *)
+      printf '%s\n' "Unsupported OS: \"$detected_platform\"."
+      exit 1
+      ;;
+  esac
+
+  export SYS_ENV_PLATFORM
+}
+
+set_sudo(){
+    if [ "$SYS_ENV_PLATFORM" = "linux_alpine" ]; then
+        if [ "$ID" = 0 ]; then export SUDO=""; else export SUDO="sudo"; fi
+    else
+        if [ "$EUID" = 0 ]; then export SUDO=""; else export SUDO="sudo"; fi
+    fi
+}
