
Commit e68a064

committedAug 12, 2024
Add AWS credential provider
1 parent 2ca710c commit e68a064


4 files changed

+77
-1
lines changed


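--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,8 @@ require (
 github.com/argoproj/argo-cd/v2 v2.11.7
 github.com/argoproj/gitops-engine v0.7.1-0.20240715141605-18ba62e1f1fb
 github.com/argoproj/pkg v0.13.7-0.20230627120311-a4dd357b057e
+github.com/aws/aws-sdk-go-v2/config v1.25.12
+github.com/aws/aws-sdk-go-v2/service/ecr v1.32.0
 github.com/bmatcuk/doublestar/v4 v4.6.0
 github.com/bradleyfalzon/ghinstallation/v2 v2.6.0
 github.com/distribution/distribution/v3 v3.0.0-20230722181636-7b502560cad4
@@ -49,6 +51,18 @@ require (
 github.com/MakeNowJust/heredoc v1.0.0 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+github.com/aws/smithy-go v1.20.3 // indirect
 github.com/benbjohnson/clock v1.3.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
@@ -102,6 +116,7 @@ require (
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/jonboulle/clockwork v0.2.2 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect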

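--- a/go.sum
+++ b/go.sum
@@ -43,6 +43,34 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.44.290/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY=
+github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
+github.com/aws/aws-sdk-go-v2/config v1.25.12 h1:mF4cMuNh/2G+d19nWnm1vJ/ak0qK6SbqF0KtSX9pxu0=
+github.com/aws/aws-sdk-go-v2/config v1.25.12/go.mod h1:lOvvqtZP9p29GIjOTuA/76HiVk0c/s8qRcFRq2+E2uc=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 h1:uR9lXYjdPX0xY+NhvaJ4dD8rpSRz5VY81ccIIoNG+lw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.32.0 h1:lZoKOTEQUf5Oi9qVaZM/Hb0Z6SHIwwpDjbLFOVgB2t8=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.32.0/go.mod h1:RhaP7Wil0+uuuhiE4FzOOEFZwkmFAk1ZflXzK+O3ptU=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
+github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
+github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -264,7 +292,9 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=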

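--- a/pkg/image/credentials.go
+++ b/pkg/image/credentials.go
@@ -1,6 +1,7 @@
 package image
 
 import (
+"context"
 "encoding/base64"
 "encoding/json"
 "fmt"
@@ -13,6 +14,9 @@ import (
 
 "github.com/argoproj-labs/argocd-image-updater/pkg/kube"
 "github.com/argoproj-labs/argocd-image-updater/pkg/log"
+
+"github.com/aws/aws-sdk-go-v2/config"
+"github.com/aws/aws-sdk-go-v2/service/ecr"
 )
 
 type CredentialSourceType int
@@ -23,6 +27,7 @@ const (
 CredentialSourceSecret CredentialSourceType = 2
 CredentialSourceEnv CredentialSourceType = 3
 CredentialSourceExt CredentialSourceType = 4
+CredentialSourceAws CredentialSourceType = 5
 )
 
 type CredentialSource struct {
@@ -61,7 +66,7 @@ func ParseCredentialSource(credentialSource string, requirePrefix bool) (*Creden
 }
 
 tokens = strings.Split(secretDef, ":")
-if len(tokens) != 2 || tokens[0] == "" || tokens[1] == "" {
+if tokens[0] != "aws" && (len(tokens) != 2 || tokens[1] == "") {
 return nil, fmt.Errorf("invalid credential spec: %s", credentialSource)
 }
 
@@ -79,6 +84,8 @@ func ParseCredentialSource(credentialSource string, requirePrefix bool) (*Creden
 case "ext":
 err = src.parseExtDefinition(tokens[1])
 src.Type = CredentialSourceExt
+case "aws":
+src.Type = CredentialSourceAws
 default:
 err = fmt.Errorf("unknown credential source: %s", tokens[0])
 }
@@ -157,6 +164,24 @@ func (src *CredentialSource) FetchCredentials(registryURL string, kubeclient *ku
 creds.Username = tokens[0]
 creds.Password = tokens[1]
 return &creds, nil
+case CredentialSourceAws:
+cfg, err := config.LoadDefaultConfig(context.TODO())
+if err != nil {
+log.Fatalf("failed to load configuration, %v", err)
+}
+client := ecr.NewFromConfig(cfg)
+awsCreds, err := client.GetAuthorizationToken(context.TODO(), &ecr.GetAuthorizationTokenInput{})
+if err != nil {
+log.Fatalf("failed to get authorization token, %v", err)
+}
+awsCredsDecoded, err := base64.StdEncoding.DecodeString(*awsCreds.AuthorizationData[0].AuthorizationToken)
+if err != nil {
+log.Fatalf("failed to decode base64 string, %v", err)
+}
+password := string(awsCredsDecoded)
+creds.Username = strings.Split(password, ":")[0]
+creds.Password = strings.Split(password, ":")[1]
+return &creds, nil
 
 default:
 return nil, fmt.Errorf("unknown credential type")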
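Review bot: The new `CredentialSourceAws` case ends the whole process with `log.Fatalf` when config loading, `GetAuthorizationToken` or base64 decoding fails, whereas the `default` case just below returns `nil, fmt.Errorf(...)`; assuming `log.Fatalf` exits as its name suggests, one transient AWS error or a missing role stops the updater for every application. The same case indexes `AuthorizationData[0]`, dereferences `AuthorizationToken` and takes `strings.Split(password, ":")[1]` without checking length, nil or the presence of a colon, so an unexpected response panics. I would return wrapped errors, guard those three accesses and split once with `strings.Cut`, as below. `registryURL` is not consulted in this case, so the ECR token is handed to whichever registry this source is configured for; whether that is checked elsewhere is not visible, since FetchCredentials starts and ends outside the hunk.

```go
	case CredentialSourceAws:
		// NOTE(review): a caller-supplied context with a deadline would bound these calls; context.TODO() never cancels.
		cfg, err := config.LoadDefaultConfig(context.TODO())
		if err != nil {
			return nil, fmt.Errorf("could not load AWS configuration: %w", err)
		}
		out, err := ecr.NewFromConfig(cfg).GetAuthorizationToken(context.TODO(), &ecr.GetAuthorizationTokenInput{})
		if err != nil {
			return nil, fmt.Errorf("could not get ECR authorization token: %w", err)
		}
		if len(out.AuthorizationData) == 0 || out.AuthorizationData[0].AuthorizationToken == nil {
			return nil, fmt.Errorf("ECR returned no authorization token")
		}
		decoded, err := base64.StdEncoding.DecodeString(*out.AuthorizationData[0].AuthorizationToken)
		if err != nil {
			return nil, fmt.Errorf("could not decode ECR authorization token: %w", err)
		}
		// The decoded value is "user:password"; split once and never log either half.
		user, pass, ok := strings.Cut(string(decoded), ":")
		if !ok {
			return nil, fmt.Errorf("ECR authorization token is not in user:password form")
		}
		creds.Username = user
		creds.Password = pass
		return &creds, nil
```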

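--- a/pkg/image/credentials_test.go
+++ b/pkg/image/credentials_test.go
@@ -108,6 +108,12 @@ func Test_ParseCredentialAnnotation(t *testing.T) {
 assert.Equal(t, CredentialSourceExt, src.Type)
 assert.Equal(t, "/tmp/a.sh", src.ScriptPath)
 })
+
+t.Run("Parse AWS credentials", func(t *testing.T) {
+src, err := ParseCredentialSource("aws", false)
+require.NoError(t, err)
+assert.Equal(t, CredentialSourceAws, src.Type)
+})
 }
 
 func Test_ParseCredentialReference(t *testing.T) {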
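Review bot: The added subtest pins only the bare `aws` spec, while the relaxed check in ParseCredentialSource (`tokens[0] != "aws" && ...`) now skips the token-count validation for anything whose first token is `aws`. From the visible lines, specs such as `aws:` or `aws:extra:fields` would parse without error and the extra text would be ignored, though the lines between that check and the switch are not shown. A second subtest, e.g. `_, err := ParseCredentialSource("aws:unexpected", false)` followed by `require.Error(t, err)`, would force a decision on whether that is intended. Test_ParseCredentialAnnotation starts outside the hunk.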
