Merge pull request #1344 from mselim00/automated-cherry-pick-of-#1332-upstream-release-1.35

k8s-ci-robot · web-flow · commit 295a85a9bd51 · 2026-03-04T07:46:20.000+05:30
Automated cherry pick of #1332: feat(ecr-cred-provider): support public dualstack endpoints
diff --git a/cmd/ecr-credential-provider/main.go b/cmd/ecr-credential-provider/main.go
@@ -24,6 +24,7 @@ import (
 	"net/url"
 	"os"
 	"regexp"
+	"slices"
 	"strings"
 	"time"
 
@@ -41,7 +42,8 @@ import (
 )
 
 const ecrPublicRegion string = "us-east-1"
-const ecrPublicHost string = "public.ecr.aws"
+
+var ecrPublicHosts []string = []string{"public.ecr.aws", "ecr-public.aws.com"}
 
 var ecrPrivateHostPattern = regexp.MustCompile(`^(\d{12})\.dkr[\.\-]ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.(?:com(?:\.cn)?|eu)|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`)
 
@@ -195,7 +197,7 @@ func (e *ecrPlugin) buildCredentialsProvider(ctx context.Context, request *v1.Cr
 
 	if e.sts == nil {
 		region := ""
-		if imageHost != ecrPublicHost {
+		if !slices.Contains(ecrPublicHosts, imageHost) {
 			region = parseRegionFromECRPrivateHost(imageHost)
 		}
 		sts, err := stsProvider(ctx, region)
@@ -237,7 +239,7 @@ func (e *ecrPlugin) GetCredentials(ctx context.Context, request *v1.CredentialPr
 	}
 
 	credentialsProvider := e.buildCredentialsProvider(ctx, request, imageHost)
-	if imageHost == ecrPublicHost {
+	if slices.Contains(ecrPublicHosts, imageHost) {
 		var optFns = []func(*ecrpublic.Options){}
 		if credentialsProvider != nil {
 			optFns = append(optFns, func(o *ecrpublic.Options) {
diff --git a/cmd/ecr-credential-provider/main_test.go b/cmd/ecr-credential-provider/main_test.go
@@ -341,6 +341,12 @@ func Test_GetCredentials_Public(t *testing.T) {
 			getAuthorizationTokenOutput: generatePublicGetAuthorizationTokenOutput("user", "pass", nil),
 			response:                    generateResponse("public.ecr.aws", "user", "pass"),
 		},
+		{
+			name:                        "dualstack success",
+			image:                       "ecr-public.aws.com",
+			getAuthorizationTokenOutput: generatePublicGetAuthorizationTokenOutput("user", "pass", nil),
+			response:                    generateResponse("ecr-public.aws.com", "user", "pass"),
+		},
 		{
 			name:                        "empty image",
 			image:                       "",
@@ -387,6 +393,17 @@ func Test_GetCredentials_Public(t *testing.T) {
 			getAuthorizationTokenError: nil,
 			expectedError:              errors.New("error parsing username and password from authorization token"),
 		},
+		{
+			name:  "dualstack invalid authorization token",
+			image: "ecr-public.aws.com",
+			getAuthorizationTokenOutput: &ecrpublic.GetAuthorizationTokenOutput{
+				AuthorizationData: &publictypes.AuthorizationData{
+					AuthorizationToken: aws.String(base64.StdEncoding.EncodeToString([]byte("foo"))),
+				},
+			},
+			getAuthorizationTokenError: nil,
+			expectedError:              errors.New("error parsing username and password from authorization token"),
+		},
 	}
 
 	for _, testcase := range testcases {
