feat: if project-scoped ECR auth fails, fallback to default #2285

Merged
merged 11 commits into from
Jul 11, 2024
18 changes: 16 additions & 2 deletions internal/credentials/kubernetes/ecr/pod_identity.go
Expand Up @@ -3,11 +3,14 @@
import (
"context"
"crypto/sha256"
"errors"
"fmt"
"net/http"
"os"
"time"

"github.com/aws/aws-sdk-go-v2/aws"
awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/ecr"
Expand Down Expand Up @@ -157,8 +160,19 @@
)
output, err := ecrSvc.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
if err != nil {
logger.Error(err, "error getting ECR authorization token")
return "", nil
var re *awshttp.ResponseError
if !errors.As(err, &re) || re.HTTPStatusCode() != http.StatusForbidden {
return "", err
}
logger.Debug(
"controller IAM role is not authorized to assume project-specific role. falling back to default config",
)
ecrSvc = ecr.NewFromConfig(cfg)
output, err = ecrSvc.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
if err != nil {
logger.Error(err, "error getting ECR authorization token")
return "", err
}
}
logger.Debug("got ECR authorization token")
return *output.AuthorizationData[0].AuthorizationToken, nil
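Review bot: the fallback condition `if !errors.As(err, &re) || re.HTTPStatusCode() != http.StatusForbidden` keys only on the HTTP status, so any 403 returned through GetAuthorizationToken, not just a failed assumption of the project-specific role, routes the request to the controller's default credentials. A project role that was assumed successfully but simply lacks ECR permission would then be served, without any visible signal, with the controller's broader access, and the Debug message ("controller IAM role is not authorized to assume project-specific role") states a cause that the check has not actually established. Consider narrowing the condition so it fires only when the failure is in assuming the project role rather than in the ECR call itself, and log the fallback at a level operators will see, since it changes which identity fetches the token. The previous code returned `"", nil` on error, hiding failures entirely; the new `return "", err` paths fix that, though `logger.Error(err, ...)` immediately before `return "", err` means the same error is reported twice once the caller logs it. Finally, the Codecov annotation on this hunk marks the added lines (163-175) as not covered by tests; one test that stubs a 403 `awshttp.ResponseError` and one that stubs a non-403 error would exercise both branches.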