Comparing changes

base repository: renovatebot/renovate
base: 37.424.4
head repository: renovatebot/renovate
compare: 37.425.0
  • 1 commit
  • 3 files changed
  • 1 contributor

Commits on Jul 7, 2024

  1. feat(datasource/docker): Enable additional authentication mechanism for private ECR repositories (#30053)
    super-mcgin authored Jul 7, 2024
    06349b9
Showing with 59 additions and 1 deletion.
  1. +23 −0 docs/usage/docker.md
  2. +9 −1 lib/modules/datasource/docker/ecr.ts
  3. +27 −0 lib/modules/datasource/docker/index.spec.ts
23 changes: 23 additions & 0 deletions docs/usage/docker.md
@@ -237,6 +237,8 @@ module.exports = {

#### AWS ECR (Amazon Web Services Elastic Container Registry)

#### Using access key id & secret

Renovate can authenticate with AWS ECR using AWS access key id & secret as the username & password, for example:

```json
@@ -254,6 +256,27 @@ Renovate can authenticate with AWS ECR using AWS access key id & secret as the u
}
```

##### Using `get-login-password`

Renovate can also authenticate with AWS ECR using the output from the `aws ecr get-login-password` command as outlined in
the [AWS documentation](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html#registry-auth-token).
To make use of this authentication mechanism, specify the username as `AWS`:

```json
{
"hostRules": [
{
"hostType": "docker",
"matchHost": "12345612312.dkr.ecr.us-east-1.amazonaws.com",
"username": "AWS",
"encrypted": {
"password": "w...A"
}
}
]
}
```

#### Google Container Registry / Google Artifact Registry

##### Using Application Default Credentials / Workload Identity (Self-Hosted only)
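Review bot: the two ECR method headings in docs/usage/docker.md end up at different levels. `#### Using access key id & secret` (first hunk) sits at the same level as its parent `#### AWS ECR (...)`, while the `get-login-password` heading uses `#####`. Make the access-key heading `#####` as well, matching the `#### Google Container Registry` / `##### Using Application Default Credentials` pattern in the trailing context. The new paragraph also has the user store the command output as a static encrypted `password` without saying how long that value stays valid or how it is meant to be refreshed; a sentence on that belongs next to the example.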
10 changes: 9 additions & 1 deletion lib/modules/datasource/docker/ecr.ts
@@ -16,7 +16,15 @@ export async function getECRAuthToken(
opts: HostRule,
): Promise<string | null> {
const config: ECRClientConfig = { region };
if (opts.username && opts.password) {
if (opts.username === `AWS` && opts.password) {
logger.trace(
`AWS user specified, encoding basic auth credentials for ECR registry`,
);
return Buffer.from(`AWS:${opts.password}`).toString('base64');
} else if (opts.username && opts.password) {
logger.trace(
`Using AWS accessKey to get Authorization token for ECR registry`,
);
config.credentials = {
accessKeyId: opts.username,
secretAccessKey: opts.password,
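Review bot: the new branch in `getECRAuthToken` keys on an exact, case-sensitive match, `opts.username === `AWS``, so a host rule written with `aws` or with stray whitespace falls through to the `else if` and is handed to the ECR client as an `accessKeyId`, which will fail with an unrelated-looking credentials error. Either normalise the username before comparing or log at debug level when the fall-through happens with a username that looks like this case. Minor style point on the same lines: `AWS` and both `logger.trace` messages are template literals with no interpolation; plain single-quoted strings (as in `'base64'`) would be consistent. The trace messages correctly leave the password out; keep it that way if the wording changes.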
27 changes: 27 additions & 0 deletions lib/modules/datasource/docker/index.spec.ts
@@ -358,6 +358,33 @@ describe('modules/datasource/docker/index', () => {
expect(res).toBeNull();
});

it('supports ECR authentication for private repositories', async () => {
httpMock
.scope(amazonUrl)
.get('/')
.reply(401, '', {
'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
})
.head('/node/manifests/some-tag')
.matchHeader('authorization', 'Basic QVdTOnNvbWUtcGFzc3dvcmQ=')
.reply(200, '', { 'docker-content-digest': 'some-digest' });

hostRules.find.mockReturnValue({
username: 'AWS',
password: 'some-password',
});

const res = await getDigest(
{
datasource: 'docker',
packageName: '123456789.dkr.ecr.us-east-1.amazonaws.com/node',
},
'some-tag',
);

expect(res).toBe('some-digest');
});

it('supports Google ADC authentication for gcr', async () => {
httpMock
.scope(gcrUrl)
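Review bot: the added test `supports ECR authentication for private repositories` only covers the happy path and its name does not say which mechanism it exercises. Rename it to mention the `AWS` username / `get-login-password` path, and add a short comment that `QVdTOnNvbWUtcGFzc3dvcmQ=` is base64 of `AWS:some-password` so the expected header is not a magic string. It would also be worth asserting that the ECR client is not called in this branch, and adding a companion case where `username: 'AWS'` is set without a password, since `ecr.ts` treats that combination differently.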