feat(registry) EE-806 add support for AWS ECR (#6165)

* feat(ecr) EE-806 add support for aws ecr * feat(ecr) EE-806 fix wrong doc for Ecr Region Co-authored-by: Simon Meng <simon.meng@portainer.io>
2025-07-24 15:59:41 +02:00 · 2021-12-01 13:18:57 +13:00 · 2021-12-01 13:18:57 +13:00 · a86c7046df
commit a86c7046df
parent ff6185cc81
29 changed files with 694 additions and 51 deletions
--- a/api/internal/registryutils/ecr_kube_secret.go
+++ b/api/internal/registryutils/ecr_kube_secret.go
@ -0,0 +1,49 @@
+package registryutils
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+func isRegistryAssignedToNamespace(registry portainer.Registry, endpointID portainer.EndpointID, namespace string) (in bool){
+	for _, ns := range registry.RegistryAccesses[endpointID].Namespaces {
+		if ns == namespace {
+			return true
+		}
+	}
+
+	return
+}
+
+func RefreshEcrSecret(cli portainer.KubeClient, endpoint *portainer.Endpoint, dataStore portainer.DataStore, namespace string) (err error) {
+	registries, err := dataStore.Registry().Registries()
+	if err != nil {
+		return
+	}
+
+	for _, registry := range registries {
+		if registry.Type != portainer.EcrRegistry {
+			continue
+		}
+
+		if !isRegistryAssignedToNamespace(registry, endpoint.ID, namespace) {
+			continue
+		}
+
+		err = EnsureRegTokenValid(dataStore, &registry)
+		if err != nil {
+			return
+		}
+
+		err = cli.DeleteRegistrySecret(&registry, namespace)
+		if err != nil {
+			return
+		}
+
+		err = cli.CreateRegistrySecret(&registry, namespace)
+		if err != nil {
+			return
+		}
+	}
+
+	return
+}
--- a/api/internal/registryutils/ecr_reg_token.go
+++ b/api/internal/registryutils/ecr_reg_token.go
@ -0,0 +1,58 @@
+package registryutils
+
+import (
+	"time"
+	log "github.com/sirupsen/logrus"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/aws/ecr"
+)
+
+func isRegTokenValid(registry *portainer.Registry) (valid bool) {
+	return registry.AccessToken != "" && registry.AccessTokenExpiry > time.Now().Unix();
+}
+
+func doGetRegToken(dataStore portainer.DataStore, registry *portainer.Registry) (err error) {
+	ecrClient := ecr.NewService(registry.Username, registry.Password, registry.Ecr.Region)
+	accessToken, expiryAt, err := ecrClient.GetAuthorizationToken()
+	if err != nil {
+		return
+	}
+
+	registry.AccessToken = *accessToken
+	registry.AccessTokenExpiry = expiryAt.Unix()
+
+	err = dataStore.Registry().UpdateRegistry(registry.ID, registry)
+
+	return
+}
+
+func parseRegToken(registry *portainer.Registry) (username, password string, err error) {
+	ecrClient := ecr.NewService(registry.Username, registry.Password, registry.Ecr.Region)
+	return ecrClient.ParseAuthorizationToken(registry.AccessToken)
+}
+
+func EnsureRegTokenValid(dataStore portainer.DataStore, registry *portainer.Registry) (err error) {
+	if registry.Type == portainer.EcrRegistry {
+		if isRegTokenValid(registry) {
+			log.Println("[DEBUG] [registry, GetEcrAccessToken] [message: curretn ECR token is still valid]")
+		} else {
+			err = doGetRegToken(dataStore, registry)
+			if err != nil {
+				log.Println("[DEBUG] [registry, GetEcrAccessToken] [message: refresh ECR token]")
+			}
+		}
+	}
+
+	return
+}
+
+func GetRegEffectiveCredential(registry *portainer.Registry) (username, password string, err error) {
+	if registry.Type == portainer.EcrRegistry {
+		username, password, err = parseRegToken(registry)
+	} else {
+		username = registry.Username
+		password = registry.Password
+	}
+	return
+}