Add parameter to use or not the ecr-credentials-helper (#350)

* Test build-test-then-push-with-buildx without context to replicate issue * Readd context * Add a new parameter to avoid using the credentials helper * Fix error in condition syntax * Fix job parameters * Fix requirements in tests jobs * Fix requirements in tests jobs * Add matrix paramater to repository name to avoid concurrency issues * Remove matrix from public registry test * Fix name on requirements * Fix name on requirements * Add extra matrix and conditions * Simplify matrix behavior * Remove requirement * Use just one image * Fix repo name * Fix repo name * Update description of new parameter
CircleCI-Public · Aug 13, 2024 · f2ca76c · f2ca76c
1 parent 1d120cb
commit f2ca76c
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 9 deletions.
diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml
@@ -252,17 +252,20 @@ workflows:
             - run:
                 name: "Export NPM_TOKEN"
                 command: echo 'export NPM_TOKEN="00000000-0000-0000-0000-000000000000"' >> "$BASH_ENV"
-          name: integration-test-named-profile
+          name: integration-test-named-profile-<<matrix.use_credentials_helper>>-helper
           auth:
             - aws-cli/setup:
                 role_arn: arn:aws:iam::122211685980:role/CPE_ECR_OIDC_TEST
                 profile_name: "OIDC-User"
           attach_workspace: true
           region: "us-west-2"
           profile_name: "OIDC-User"
+          matrix:
+            parameters:
+              use_credentials_helper: [true, false]
           context: [CPE-OIDC]
           workspace_root: workspace
-          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile
+          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile-<<matrix.use_credentials_helper>>
           create_repo: true
           tag: integration,myECRRepoTag
           dockerfile: sample/Dockerfile
@@ -281,21 +284,21 @@ workflows:
             - aws-cli/setup:
                 role_arn: arn:aws:iam::122211685980:role/CPE_ECR_OIDC_TEST
                 profile_name: "OIDC-User"
-          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile
+          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile-true
           region: "us-west-2"
           profile_name: "OIDC-User"
           context: [CPE-OIDC]
           source_tag: integration
           target_tag: latest
           requires:
-            - integration-test-named-profile
+            - integration-test-named-profile-true-helper
       - tag-ecr-image:
           name: integration-test-tag-image-with-existing-tag
           auth:
             - aws-cli/setup:
                 role_arn: arn:aws:iam::122211685980:role/CPE_ECR_OIDC_TEST
                 profile_name: "OIDC-User"
-          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile
+          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile-true
           region: "us-west-2"
           profile_name: "OIDC-User"
           context: [CPE-OIDC]
@@ -305,7 +308,7 @@ workflows:
           post-steps:
             - run:
                 name: "Delete repository"
-                command: aws ecr delete-repository --repository-name aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile --force --profile OIDC-User
+                command: aws ecr delete-repository --repository-name aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile-true --force --profile OIDC-User
           filters: *filters
           requires:
             - integration-test-tag-existing-image
@@ -373,7 +376,7 @@ workflows:
           vcs_type: << pipeline.project.type >>
           pub_type: production
           enable_pr_comment: true
-          requires: [ orb-tools/lint, orb-tools/review, orb-tools/pack, integration-test-default-profile, integration-test-pubic-registry, integration-test-skip_when_tags_exist-amd64, integration-test-skip_when_tags_exist-arm64, integration-test-named-profile, integration-test-tag-existing-image, integration-test-tag-image-with-existing-tag ]
+          requires: [ orb-tools/lint, orb-tools/review, orb-tools/pack, integration-test-default-profile, integration-test-pubic-registry, integration-test-skip_when_tags_exist-amd64, integration-test-skip_when_tags_exist-arm64, integration-test-named-profile-true-helper, integration-test-named-profile-false-helper, integration-test-tag-existing-image, integration-test-tag-image-with-existing-tag ]
           github_token: GHI_TOKEN
           context: orb-publisher
           filters: *release-filters

diff --git a/src/commands/build_and_push_image.yml b/src/commands/build_and_push_image.yml
@@ -201,6 +201,12 @@ parameters:
       The alias, key ID, or full ARN of the KMS key can be specified.
     default: ""
 
+  use_credentials_helper:
+    type: boolean
+    default: true
+    description: >
+      When true the authentication to docker registry will be done using the ecr-credential-helper. This avoids having
+      the password saved in plain text. Otherwise it will use the classic docker login command which is more compatible.
 steps:
   - when:
       condition: <<parameters.checkout>>
@@ -230,6 +236,7 @@ steps:
       region: <<parameters.region>>
       account_id: <<parameters.account_id>>
       public_registry: <<parameters.public_registry>>
+      use_credentials_helper: <<parameters.use_credentials_helper>>
   - when:
       condition: <<parameters.create_repo>>
       steps:

diff --git a/src/commands/ecr_login.yml b/src/commands/ecr_login.yml
@@ -33,6 +33,14 @@ parameters:
     description: >
       AWS domain, China regions will require override.
 
+  use_credentials_helper:
+    type: boolean
+    default: true
+    description: >
+      When true the authentication to docker registry will be done using the ecr-credential-helper. This avoids having
+      the password saved in plain text. Otherwise it will use the classic docker login command which is more compatible.
+      If you are having issues with credentials helper login, set this to false.
+
 steps:
   - run:
       name: Log into Amazon ECR with profile <<parameters.profile_name>>
@@ -42,5 +50,6 @@ steps:
         AWS_ECR_STR_REGION: <<parameters.region>>
         AWS_ECR_BOOL_PUBLIC_REGISTRY: <<parameters.public_registry>>
         AWS_ECR_STR_AWS_DOMAIN: <<parameters.aws_domain>>
+        AWS_ECR_BOOL_HELPER: <<parameters.use_credentials_helper>>
         SCRIPT_UTILS: << include(scripts/utils.sh) >>
       command: <<include(scripts/ecr_login.sh)>>
diff --git a/src/jobs/build_and_push_image.yml b/src/jobs/build_and_push_image.yml
@@ -206,6 +206,12 @@ parameters:
       The AWS domain for your region, e.g in China, the AWS domain is amazonaws.com.cn
       The default value is amazonaws.com
 
+  use_credentials_helper:
+    type: boolean
+    default: true
+    description: >
+      When true the authentication to docker registry will be done using the ecr-credential-helper. This avoids having
+      the password saved in plain text. Otherwise it will use the classic docker login command which is more compatible.
 
 steps:
   - build_and_push_image:
@@ -240,4 +246,5 @@ steps:
       auth: <<parameters.auth>>
       repo_encryption_type: <<parameters.repo_encryption_type>>
       repo_encryption_kms_key: <<parameters.repo_encryption_kms_key>>
+      use_credentials_helper: <<parameters.use_credentials_helper>>
       aws_domain: <<parameters.aws_domain>>
diff --git a/src/scripts/ecr_login.sh b/src/scripts/ecr_login.sh
@@ -4,6 +4,7 @@ AWS_ECR_EVAL_PROFILE_NAME="$(eval echo "${AWS_ECR_STR_PROFILE_NAME}")"
 AWS_ECR_EVAL_ACCOUNT_ID="$(eval echo "${AWS_ECR_STR_ACCOUNT_ID}")"
 AWS_ECR_VAL_ACCOUNT_URL="${AWS_ECR_EVAL_ACCOUNT_ID}.dkr.ecr.${AWS_ECR_EVAL_REGION}.${AWS_ECR_STR_AWS_DOMAIN}"
 AWS_ECR_EVAL_PUBLIC_REGISTRY_ALIAS="$(eval echo "${AWS_ECR_STR_PUBLIC_REGISTRY_ALIAS}")"
+AWS_ECR_BOOL_HELPER="$(eval echo "${AWS_ECR_BOOL_HELPER}")"
 ECR_COMMAND="ecr"
 
 eval "$SCRIPT_UTILS"
@@ -46,14 +47,14 @@ configure_config_json(){
 
 install_aws_ecr_credential_helper(){
     echo "Installing AWS ECR Credential Helper..."
-    if [[ "$SYS_ENV_PLATFORM" = "linux" ]]; then
+    if [[ "$SYS_ENV_PLATFORM" = "linux" && "$AWS_ECR_BOOL_HELPER" = "1" ]]; then
         HELPER_INSTALLED=$(dpkg --get-selections | (grep amazon-ecr-credential-helper || test $?) | awk '{print $2}')
         if [[ "$HELPER_INSTALLED" != "install" ]]; then
             $SUDO apt update
             $SUDO apt install amazon-ecr-credential-helper
         fi
         configure_config_json
-    elif [[ "$SYS_ENV_PLATFORM" = "macos" ]]; then
+    elif [[ "$SYS_ENV_PLATFORM" = "macos" && "$AWS_ECR_BOOL_HELPER" = "1" ]]; then
         HELPER_INSTALLED=$(brew list -q | grep -q docker-credential-helper-ecr || test $?)
         if [[ "$HELPER_INSTALLED" -ne 0 ]]; then
             brew install docker-credential-helper-ecr