feat(registry) EE-806 add support for AWS ECR (#6165)

* feat(ecr) EE-806 add support for aws ecr * feat(ecr) EE-806 fix wrong doc for Ecr Region Co-authored-by: Simon Meng <simon.meng@portainer.io>
2025-07-24 07:49:41 +02:00 · 2021-12-01 13:18:57 +13:00 · 2021-12-01 13:18:57 +13:00 · a86c7046df
commit a86c7046df
parent ff6185cc81
29 changed files with 694 additions and 51 deletions
--- a/api/http/handler/registries/registry_configure.go
+++ b/api/http/handler/registries/registry_configure.go
@ -21,7 +21,8 @@ type registryConfigurePayload struct {
 	Username string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password string `example:"registry_password"`
-
+	// ECR region
+	Region  string
 	// Use TLS
 	TLS bool `example:"true"`
 	// Skip the verification of the server TLS certificate
@ -47,6 +48,9 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {

 		password, _ := request.RetrieveMultiPartFormValue(r, "Password", true)
 		payload.Password = password
+
+		region, _ := request.RetrieveMultiPartFormValue(r, "Region", true)
+		payload.Region = region
 	}

 	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
@ -134,6 +138,10 @@ func (handler *Handler) registryConfigure(w http.ResponseWriter, r *http.Request
 		} else {
 			registry.ManagementConfiguration.Password = payload.Password
 		}
+
+		if payload.Region != "" {
+			registry.ManagementConfiguration.Ecr.Region = payload.Region
+		}
 	}

 	if payload.TLS {
--- a/api/http/handler/registries/registry_create.go
+++ b/api/http/handler/registries/registry_create.go
@ -17,8 +17,15 @@ import (
 type registryCreatePayload struct {
 	// Name that will be used to identify this registry
 	Name string `example:"my-registry" validate:"required"`
-	// Registry Type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry) or 6 (DockerHub)
-	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4,5,6"`
+	// Registry Type. Valid values are:
+	//	1 (Quay.io),
+	//	2 (Azure container registry),
+	//	3 (custom registry),
+	//	4 (Gitlab registry),
+	//	5 (ProGet registry),
+	//	6 (DockerHub)
+	//	7 (ECR)
+	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4,5,6,7"`
 	// URL or IP address of the Docker registry
 	URL string `example:"registry.mydomain.tld:2375/feed" validate:"required"`
 	// BaseURL required for ProGet registry
@ -33,6 +40,8 @@ type registryCreatePayload struct {
 	Gitlab portainer.GitlabRegistryData
 	// Quay specific details, required when type = 1
 	Quay portainer.QuayRegistryData
+	// ECR specific details, required when type = 7
+	Ecr portainer.EcrData
 }

 func (payload *registryCreatePayload) Validate(_ *http.Request) error {
@ -42,14 +51,22 @@ func (payload *registryCreatePayload) Validate(_ *http.Request) error {
 	if govalidator.IsNull(payload.URL) {
 		return errors.New("Invalid registry URL")
 	}
-	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
-		return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+
+	if payload.Authentication {
+		if govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password) {
+			return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+		}
+		if payload.Type == portainer.EcrRegistry {
+			if govalidator.IsNull(payload.Ecr.Region) {
+				return errors.New("invalid credentials: access key ID, secret access key and region must be specified when authentication is enabled")
+			}
+		}
 	}

 	switch payload.Type {
-	case portainer.QuayRegistry, portainer.AzureRegistry, portainer.CustomRegistry, portainer.GitlabRegistry, portainer.ProGetRegistry, portainer.DockerHubRegistry:
+	case portainer.QuayRegistry, portainer.AzureRegistry, portainer.CustomRegistry, portainer.GitlabRegistry, portainer.ProGetRegistry, portainer.DockerHubRegistry, portainer.EcrRegistry:
 	default:
-		return errors.New("invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry) or 6 (DockerHub)")
+		return errors.New("invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry), 6 (DockerHub), 7 (ECR)")
 	}

 	if payload.Type == portainer.ProGetRegistry && payload.BaseURL == "" {
@ -96,9 +113,10 @@ func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *
 		Authentication:   payload.Authentication,
 		Username:         payload.Username,
 		Password:         payload.Password,
-		RegistryAccesses: portainer.RegistryAccesses{},
 		Gitlab:           payload.Gitlab,
 		Quay:             payload.Quay,
+		RegistryAccesses: portainer.RegistryAccesses{},
+		Ecr:              payload.Ecr,
 	}

 	registries, err := handler.DataStore.Registry().Registries()
--- a/api/http/handler/registries/registry_create_test.go
+++ b/api/http/handler/registries/registry_create_test.go
@ -33,6 +33,20 @@ func Test_registryCreatePayload_Validate(t *testing.T) {
 		err := payload.Validate(nil)
 		assert.NoError(t, err)
 	})
+	t.Run("Can't create a AWS ECR registry if authentication required, but access key ID, secret access key or region is empty", func(t *testing.T) {
+		payload := basePayload
+		payload.Type = portainer.EcrRegistry
+		payload.Authentication = true
+		err := payload.Validate(nil)
+		assert.Error(t, err)
+	})
+	t.Run("Do not require access key ID, secret access key, region for public AWS ECR registry", func(t *testing.T) {
+		payload := basePayload
+		payload.Type = portainer.EcrRegistry
+		payload.Authentication = false
+		err := payload.Validate(nil)
+		assert.NoError(t, err)
+	})
 }

 type testRegistryService struct {
--- a/api/http/handler/registries/registry_update.go
+++ b/api/http/handler/registries/registry_update.go
@ -2,6 +2,7 @@ package registries

 import (
 	"errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@ -26,8 +27,12 @@ type registryUpdatePayload struct {
 	Username *string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password         *string `example:"registry_password"`
-	RegistryAccesses *portainer.RegistryAccesses
+	// Quay data
 	Quay             *portainer.QuayRegistryData
+	// Registry access control
+	RegistryAccesses *portainer.RegistryAccesses `json:",omitempty"`
+	// ECR data
+	Ecr              *portainer.EcrData          `json:",omitempty"`
 }

 func (payload *registryUpdatePayload) Validate(r *http.Request) error {
@ -56,6 +61,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
 	}
+
 	if !securityContext.IsAdmin {
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update registry", httperrors.ErrResourceAccessDenied}
 	}
@ -82,29 +88,41 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		registry.Name = *payload.Name
 	}

-	shouldUpdateSecrets := false
-
 	if registry.Type == portainer.ProGetRegistry && payload.BaseURL != nil {
 		registry.BaseURL = *payload.BaseURL
 	}

+	shouldUpdateSecrets := false
+
 	if payload.Authentication != nil {
+		shouldUpdateSecrets = shouldUpdateSecrets || (registry.Authentication != *payload.Authentication)
+
 		if *payload.Authentication {
 			registry.Authentication = true
-			shouldUpdateSecrets = shouldUpdateSecrets || (payload.Username != nil && *payload.Username != registry.Username) || (payload.Password != nil && *payload.Password != registry.Password)

 			if payload.Username != nil {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Username != *payload.Username)
 				registry.Username = *payload.Username
 			}

 			if payload.Password != nil && *payload.Password != "" {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Password != *payload.Password)
 				registry.Password = *payload.Password
 			}

+			if registry.Type == portainer.EcrRegistry && payload.Ecr != nil && payload.Ecr.Region != "" {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Ecr.Region != payload.Ecr.Region)
+				registry.Ecr.Region = payload.Ecr.Region
+			}
 		} else {
 			registry.Authentication = false
 			registry.Username = ""
 			registry.Password = ""
+
+			registry.Ecr.Region = ""
+
+			registry.AccessToken = ""
+			registry.AccessTokenExpiry = 0
 		}
 	}

@ -116,6 +134,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
 		}
+
 		for _, r := range registries {
 			if r.ID != registry.ID && handler.registriesHaveSameURLAndCredentials(&r, registry) {
 				return &httperror.HandlerError{http.StatusConflict, "Another registry with the same URL and credentials already exists", errors.New("A registry is already defined for this URL and credentials")}
@ -124,13 +143,16 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 	}

 	if shouldUpdateSecrets {
+		registry.AccessToken = ""
+		registry.AccessTokenExpiry = 0
+
 		for endpointID, endpointAccess := range registry.RegistryAccesses {
 			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update access to registry", err}
 			}

-			if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			if endpointutils.IsKubernetesEndpoint(endpoint) {
 				err = handler.updateEndpointRegistryAccess(endpoint, registry, endpointAccess)
 				if err != nil {
 					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update access to registry", err}
--- a/api/http/proxy/factory/docker/registry.go
+++ b/api/http/proxy/factory/docker/registry.go
@ -3,6 +3,7 @@ package docker
 import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/registryutils"
 )

 type (
@ -25,13 +26,13 @@ type (
 	}
 )

-func createRegistryAuthenticationHeader(registryId portainer.RegistryID, accessContext *registryAccessContext) *registryAuthenticationHeader {
-	var authenticationHeader *registryAuthenticationHeader
-
+func createRegistryAuthenticationHeader(
+	dataStore portainer.DataStore,
+	registryId portainer.RegistryID,
+	accessContext *registryAccessContext,
+) (authenticationHeader registryAuthenticationHeader, err error) {
 	if registryId == 0 { // dockerhub (anonymous)
-		authenticationHeader = &registryAuthenticationHeader{
-			Serveraddress: "docker.io",
-		}
+		authenticationHeader.Serveraddress = "docker.io"
 	} else { // any "custom" registry
 		var matchingRegistry *portainer.Registry
 		for _, registry := range accessContext.registries {
@ -44,13 +45,14 @@ func createRegistryAuthenticationHeader(registryId portainer.RegistryID, accessC
 		}

 		if matchingRegistry != nil {
-			authenticationHeader = &registryAuthenticationHeader{
-				Username:      matchingRegistry.Username,
-				Password:      matchingRegistry.Password,
-				Serveraddress: matchingRegistry.URL,
+			err = registryutils.EnsureRegTokenValid(dataStore, matchingRegistry)
+			if (err != nil) {
+				return
 			}
+			authenticationHeader.Serveraddress = matchingRegistry.URL
+			authenticationHeader.Username, authenticationHeader.Password, err = registryutils.GetRegEffectiveCredential(matchingRegistry)
 		}
 	}

-	return authenticationHeader
+	return
 }
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@ -414,7 +414,10 @@ func (transport *Transport) replaceRegistryAuthenticationHeader(request *http.Re
 			return nil, err
 		}

-		authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.RegistryId, accessContext)
+		authenticationHeader, err := createRegistryAuthenticationHeader(transport.dataStore, originalHeaderData.RegistryId, accessContext)
+		if err != nil {
+			return nil, err
+		}

 		headerData, err := json.Marshal(authenticationHeader)
 		if err != nil {
--- a/api/http/proxy/factory/kubernetes/deployments.go
+++ b/api/http/proxy/factory/kubernetes/deployments.go
@ -0,0 +1,15 @@
+package kubernetes
+
+import (
+	"net/http"
+)
+
+func (transport *baseTransport) proxyDeploymentsRequest(request *http.Request, namespace, requestPath string) (*http.Response, error) {
+	switch request.Method {
+	case http.MethodPost, http.MethodPatch:
+		transport.refreshRegistry(request, namespace)
+		return transport.executeKubernetesRequest(request)
+	default:
+		return transport.executeKubernetesRequest(request)
+	}
+}
--- a/api/http/proxy/factory/kubernetes/pods.go
+++ b/api/http/proxy/factory/kubernetes/pods.go
@ -0,0 +1,15 @@
+package kubernetes
+
+import (
+	"net/http"
+)
+
+func (transport *baseTransport) proxyPodsRequest(request *http.Request, namespace, requestPath string) (*http.Response, error) {
+	switch request.Method {
+	case "DELETE":
+		transport.refreshRegistry(request, namespace)
+		return transport.executeKubernetesRequest(request)
+	default:
+		return transport.executeKubernetesRequest(request)
+	}
+}
--- a/api/http/proxy/factory/kubernetes/refresh_registry.go
+++ b/api/http/proxy/factory/kubernetes/refresh_registry.go
@ -0,0 +1,17 @@
+package kubernetes
+
+import (
+	"github.com/portainer/portainer/api/internal/registryutils"
+	"net/http"
+)
+
+func (transport *baseTransport) refreshRegistry(request *http.Request, namespace string) (err error) {
+	cli, err := transport.k8sClientFactory.GetKubeClient(transport.endpoint)
+	if err != nil {
+		return
+	}
+
+	err = registryutils.RefreshEcrSecret(cli, transport.endpoint, transport.dataStore, namespace)
+
+	return
+}
--- a/api/http/proxy/factory/kubernetes/transport.go
+++ b/api/http/proxy/factory/kubernetes/transport.go
@ -42,7 +42,10 @@ func newBaseTransport(httpTransport *http.Transport, tokenManager *tokenManager,
 // proxyKubernetesRequest intercepts a Kubernetes API request and apply logic based
 // on the requested operation.
 func (transport *baseTransport) proxyKubernetesRequest(request *http.Request) (*http.Response, error) {
-	apiVersionRe := regexp.MustCompile(`^(/kubernetes)?/api/v[0-9](\.[0-9])?`)
+	// URL path examples:
+	// http://localhost:9000/api/endpoints/3/kubernetes/api/v1/namespaces
+	// http://localhost:9000/api/endpoints/3/kubernetes/apis/apps/v1/namespaces/default/deployments
+	apiVersionRe := regexp.MustCompile(`^(/kubernetes)?/(api|apis/apps)/v[0-9](\.[0-9])?`)
 	requestPath := apiVersionRe.ReplaceAllString(request.URL.Path, "")

 	switch {
@ -66,6 +69,10 @@ func (transport *baseTransport) proxyNamespacedRequest(request *http.Request, fu
 	}

 	switch {
+	case strings.HasPrefix(requestPath, "pods"):
+		return transport.proxyPodsRequest(request, namespace, requestPath)
+	case strings.HasPrefix(requestPath, "deployments"):
+		return transport.proxyDeploymentsRequest(request, namespace, requestPath)
 	case requestPath == "" && request.Method == "DELETE":
 		return transport.proxyNamespaceDeleteOperation(request, namespace)
 	default: