Open
Labels
- kind/new-field: Categorizes issue or PR as related to a new field
- service/ecr: Indicates issues or PRs that are related to ecr-controller.
Description
Describe the bug
When you are creating an ECR PullThroughCache (PTC) repository using the Docker registry as an upstream registry, an error related to creating a secret in Secrets Manager for this type of upstream is shown.
Steps to reproduce
Install the latest version of ecr-controller (ecr-controller:1.0.33) and apply this CRD to create a new ECR PTC:
apiVersion: ecr.services.k8s.aws/v1alpha1
kind: PullThroughCacheRule
metadata:
  name: docker-ack
  namespace: ack-system
spec:
  ecrRepositoryPrefix: docker-test
  upstreamRegistryURL: registry-1.docker.io
Then you start to see this error from the controller:
{"level":"error","ts":"2025-08-04T10:44:02.113Z","msg":"Reconciler error","controller":"pullthroughcacherule","controllerGroup":"ecr.services.k8s.aws","controllerKind":"PullThroughCacheRule","PullThroughCacheRule":{"name":"docker-ack","namespace":"ack-system"},"namespace":"ack-system","name":"docker-ack","reconcileID":"acdf193b-7499-4e95-9ea0-8cda7348d5e3","error":"operation error ECR: CreatePullThroughCacheRule, https response error StatusCode: 400, RequestID: 28909c3b-3c2f-43d0-8fc9-641411e6203c, UnsupportedUpstreamRegistryException: The specified upstream registry requires authentication. Specify a valid Secrets Manager ARN containing the upstream registry credentials and try again.","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:255"}
And the same message from CRD status:
$ kubectl describe pullthroughcacherule docker-ack -n ack-system
Name: docker-ack
Namespace: ack-system
Labels: <none>
Annotations: <none>
API Version: ecr.services.k8s.aws/v1alpha1
Kind: PullThroughCacheRule
Metadata:
  Creation Timestamp: 2025-08-04T10:22:07Z
  Generation: 1
  Resource Version: 280625652
  UID: fb68d301-3cc9-4d0e-b066-3cea4e7fad85
Spec:
  Ecr Repository Prefix: docker-test
  Upstream Registry URL: registry-1.docker.io
Status:
  Ack Resource Metadata:
    Owner Account ID: ******
    Region: eu-central-1
  Conditions:
    Message: UnsupportedUpstreamRegistryException: The specified upstream registry requires authentication. Specify a valid Secrets Manager ARN containing the upstream registry credentials and try again.
    Status: True
    Type: ACK.Recoverable
    Last Transition Time: 2025-08-04T10:22:12Z
    Message: Unable to determine if desired resource state matches latest observed state
    Reason: operation error ECR: CreatePullThroughCacheRule, https response error StatusCode: 400, RequestID: 953ea5e7-5dce-4d0b-9093-c7fdaeacc43d, UnsupportedUpstreamRegistryException: The specified upstream registry requires authentication. Specify a valid Secrets Manager ARN containing the upstream registry credentials and try again.
    Status: Unknown
    Type: ACK.ResourceSynced
Events: <none>
Expected outcome
A new ECR PTC using docker registry as an upstream registry.
Environment
- Kubernetes version
  1.31
- Using EKS (yes/no), if so version?
  Platform version: eks.29
  from eksctl: 0.210.0
- AWS service targeted (S3, RDS, etc.)
  ECR