feat(registry) EE-806 add support for AWS ECR (#6165)

* feat(ecr) EE-806 add support for aws ecr

* feat(ecr) EE-806 fix wrong doc for Ecr Region

Co-authored-by: Simon Meng <simon.meng@portainer.io>

api/http/handler/registries/registry_configure.go

@@ -21,7 +21,8 @@ type registryConfigurePayload struct {
 	Username string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password string `example:"registry_password"`
-
+	// ECR region
+	Region  string
 	// Use TLS
 	TLS bool `example:"true"`
 	// Skip the verification of the server TLS certificate
@@ -47,6 +48,9 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 
 		password, _ := request.RetrieveMultiPartFormValue(r, "Password", true)
 		payload.Password = password
+
+		region, _ := request.RetrieveMultiPartFormValue(r, "Region", true)
+		payload.Region = region
 	}
 
 	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
@@ -134,6 +138,10 @@ func (handler *Handler) registryConfigure(w http.ResponseWriter, r *http.Request
 		} else {
 			registry.ManagementConfiguration.Password = payload.Password
 		}
+
+		if payload.Region != "" {
+			registry.ManagementConfiguration.Ecr.Region = payload.Region
+		}
 	}
 
 	if payload.TLS {

api/http/handler/registries/registry_create.go

@@ -17,8 +17,15 @@ import (
 type registryCreatePayload struct {
 	// Name that will be used to identify this registry
 	Name string `example:"my-registry" validate:"required"`
-	// Registry Type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry) or 6 (DockerHub)
-	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4,5,6"`
+	// Registry Type. Valid values are:
+	//	1 (Quay.io),
+	//	2 (Azure container registry),
+	//	3 (custom registry),
+	//	4 (Gitlab registry),
+	//	5 (ProGet registry),
+	//	6 (DockerHub)
+	//	7 (ECR)
+	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4,5,6,7"`
 	// URL or IP address of the Docker registry
 	URL string `example:"registry.mydomain.tld:2375/feed" validate:"required"`
 	// BaseURL required for ProGet registry
@@ -33,6 +40,8 @@ type registryCreatePayload struct {
 	Gitlab portainer.GitlabRegistryData
 	// Quay specific details, required when type = 1
 	Quay portainer.QuayRegistryData
+	// ECR specific details, required when type = 7
+	Ecr portainer.EcrData
 }
 
 func (payload *registryCreatePayload) Validate(_ *http.Request) error {
@@ -42,14 +51,22 @@ func (payload *registryCreatePayload) Validate(_ *http.Request) error {
 	if govalidator.IsNull(payload.URL) {
 		return errors.New("Invalid registry URL")
 	}
-	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
-		return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+
+	if payload.Authentication {
+		if govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password) {
+			return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+		}
+		if payload.Type == portainer.EcrRegistry {
+			if govalidator.IsNull(payload.Ecr.Region) {
+				return errors.New("invalid credentials: access key ID, secret access key and region must be specified when authentication is enabled")
+			}
+		}
 	}
 
 	switch payload.Type {
-	case portainer.QuayRegistry, portainer.AzureRegistry, portainer.CustomRegistry, portainer.GitlabRegistry, portainer.ProGetRegistry, portainer.DockerHubRegistry:
+	case portainer.QuayRegistry, portainer.AzureRegistry, portainer.CustomRegistry, portainer.GitlabRegistry, portainer.ProGetRegistry, portainer.DockerHubRegistry, portainer.EcrRegistry:
 	default:
-		return errors.New("invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry) or 6 (DockerHub)")
+		return errors.New("invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry), 6 (DockerHub), 7 (ECR)")
 	}
 
 	if payload.Type == portainer.ProGetRegistry && payload.BaseURL == "" {
@@ -96,9 +113,10 @@ func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *
 		Authentication:   payload.Authentication,
 		Username:         payload.Username,
 		Password:         payload.Password,
-		RegistryAccesses: portainer.RegistryAccesses{},
 		Gitlab:           payload.Gitlab,
 		Quay:             payload.Quay,
+		RegistryAccesses: portainer.RegistryAccesses{},
+		Ecr:              payload.Ecr,
 	}
 
 	registries, err := handler.DataStore.Registry().Registries()

api/http/handler/registries/registry_create_test.go

@@ -33,6 +33,20 @@ func Test_registryCreatePayload_Validate(t *testing.T) {
 		err := payload.Validate(nil)
 		assert.NoError(t, err)
 	})
+	t.Run("Can't create a AWS ECR registry if authentication required, but access key ID, secret access key or region is empty", func(t *testing.T) {
+		payload := basePayload
+		payload.Type = portainer.EcrRegistry
+		payload.Authentication = true
+		err := payload.Validate(nil)
+		assert.Error(t, err)
+	})
+	t.Run("Do not require access key ID, secret access key, region for public AWS ECR registry", func(t *testing.T) {
+		payload := basePayload
+		payload.Type = portainer.EcrRegistry
+		payload.Authentication = false
+		err := payload.Validate(nil)
+		assert.NoError(t, err)
+	})
 }
 
 type testRegistryService struct {

api/http/handler/registries/registry_update.go

@@ -2,6 +2,7 @@ package registries
 
 import (
 	"errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 	"net/http"
 
 	httperror "github.com/portainer/libhttp/error"
@@ -26,8 +27,12 @@ type registryUpdatePayload struct {
 	Username *string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password         *string `example:"registry_password"`
-	RegistryAccesses *portainer.RegistryAccesses
+	// Quay data
 	Quay             *portainer.QuayRegistryData
+	// Registry access control
+	RegistryAccesses *portainer.RegistryAccesses `json:",omitempty"`
+	// ECR data
+	Ecr              *portainer.EcrData          `json:",omitempty"`
 }
 
 func (payload *registryUpdatePayload) Validate(r *http.Request) error {
@@ -56,6 +61,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
 	}
+
 	if !securityContext.IsAdmin {
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update registry", httperrors.ErrResourceAccessDenied}
 	}
@@ -82,29 +88,41 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		registry.Name = *payload.Name
 	}
 
-	shouldUpdateSecrets := false
-
 	if registry.Type == portainer.ProGetRegistry && payload.BaseURL != nil {
 		registry.BaseURL = *payload.BaseURL
 	}
 
+	shouldUpdateSecrets := false
+
 	if payload.Authentication != nil {
+		shouldUpdateSecrets = shouldUpdateSecrets || (registry.Authentication != *payload.Authentication)
+
 		if *payload.Authentication {
 			registry.Authentication = true
-			shouldUpdateSecrets = shouldUpdateSecrets || (payload.Username != nil && *payload.Username != registry.Username) || (payload.Password != nil && *payload.Password != registry.Password)
 
 			if payload.Username != nil {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Username != *payload.Username)
 				registry.Username = *payload.Username
 			}
 
 			if payload.Password != nil && *payload.Password != "" {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Password != *payload.Password)
 				registry.Password = *payload.Password
 			}
 
+			if registry.Type == portainer.EcrRegistry && payload.Ecr != nil && payload.Ecr.Region != "" {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Ecr.Region != payload.Ecr.Region)
+				registry.Ecr.Region = payload.Ecr.Region
+			}
 		} else {
 			registry.Authentication = false
 			registry.Username = ""
 			registry.Password = ""
+
+			registry.Ecr.Region = ""
+
+			registry.AccessToken = ""
+			registry.AccessTokenExpiry = 0
 		}
 	}
 
@@ -116,6 +134,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
 		}
+
 		for _, r := range registries {
 			if r.ID != registry.ID && handler.registriesHaveSameURLAndCredentials(&r, registry) {
 				return &httperror.HandlerError{http.StatusConflict, "Another registry with the same URL and credentials already exists", errors.New("A registry is already defined for this URL and credentials")}
@@ -124,13 +143,16 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 	}
 
 	if shouldUpdateSecrets {
+		registry.AccessToken = ""
+		registry.AccessTokenExpiry = 0
+
 		for endpointID, endpointAccess := range registry.RegistryAccesses {
 			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update access to registry", err}
 			}
 
-			if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			if endpointutils.IsKubernetesEndpoint(endpoint) {
 				err = handler.updateEndpointRegistryAccess(endpoint, registry, endpointAccess)
 				if err != nil {
 					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update access to registry", err}