support ECR Auth to push manifest

README.md

@@ -19,6 +19,7 @@ export GOARCH=amd64
 export CGO_ENABLED=0
 
 go build -v -a -tags netgo -o release/linux/amd64/drone-manifest
+go build -v -a -tags netgo -o release/linux/amd64/manifest-ecr ./cmd/manifest-ecr
 ```
 
 ## Docker
@@ -30,6 +31,11 @@ docker build \
   --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
   --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
   --file docker/Dockerfile.linux.amd64 --tag plugins/manifest .
+
+docker build \
+  --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+  --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
+  --file docker/ecr/Dockerfile.linux.amd64 --tag plugins/manifest-ecr .
 ```
 
 ## Usage

cmd/manifest-ecr/main.go

@@ -0,0 +1,149 @@
+package main
+
+import (
+	"encoding/base64"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/drone-plugins/drone-manifest/util"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/joho/godotenv"
+	"github.com/sirupsen/logrus"
+)
+
+const defaultRegion = "us-east-1"
+
+func main() {
+	// Load env-file if it exists first
+	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
+		err := godotenv.Load(env)
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	var (
+		registry   = getEnv("PLUGIN_REGISTRY")
+		spec       = getEnv("PLUGIN_SPEC")
+		region     = getEnv("PLUGIN_REGION", "ECR_REGION", "AWS_REGION")
+		key        = getEnv("PLUGIN_ACCESS_KEY", "ECR_ACCESS_KEY", "AWS_ACCESS_KEY_ID")
+		secret     = getEnv("PLUGIN_SECRET_KEY", "ECR_SECRET_KEY", "AWS_SECRET_ACCESS_KEY")
+		assumeRole = getEnv("PLUGIN_ASSUME_ROLE")
+		externalId = getEnv("PLUGIN_EXTERNAL_ID")
+	)
+
+	// set the region
+	if region == "" {
+		region = defaultRegion
+	}
+
+	setEnvOrPanic("AWS_REGION", region)
+
+	if key != "" && secret != "" {
+		setEnvOrPanic("AWS_ACCESS_KEY_ID", key)
+		setEnvOrPanic("AWS_SECRET_ACCESS_KEY", secret)
+	}
+
+	sess, err := session.NewSession(&aws.Config{Region: &region})
+	if err != nil {
+		log.Fatalf("error creating aws session: %v", err)
+	}
+
+	svc := getECRClient(sess, assumeRole, externalId)
+	username, password, defaultRegistry, err := getAuthInfo(svc)
+
+	if registry == "" {
+		registry = defaultRegistry
+	}
+
+	if err != nil {
+		log.Fatalf("error getting ECR auth: %v", err)
+	}
+
+	setEnvOrPanic("PLUGIN_REGISTRY", registry)
+	setEnvOrPanic("DOCKER_USERNAME", username)
+	setEnvOrPanic("DOCKER_PASSWORD", password)
+	setEnvOrPanic("PLUGIN_SPEC", spec)
+
+	// invoke the base docker plugin binary
+	cmd := exec.Command(util.GetDroneManifestExecCmd())
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err = cmd.Run()
+	if err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func getAuthInfo(svc *ecr.ECR) (username, password, registry string, err error) {
+	var result *ecr.GetAuthorizationTokenOutput
+	var decoded []byte
+
+	result, err = svc.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})
+	if err != nil {
+		return
+	}
+
+	auth := result.AuthorizationData[0]
+	token := *auth.AuthorizationToken
+	decoded, err = base64.StdEncoding.DecodeString(token)
+	if err != nil {
+		return
+	}
+
+	registry = strings.TrimPrefix(*auth.ProxyEndpoint, "https://")
+	creds := strings.Split(string(decoded), ":")
+	username = creds[0]
+	password = creds[1]
+	return
+}
+
+// func parseBoolOrDefault(defaultValue bool, s string) (result bool) {
+// 	var err error
+// 	result, err = strconv.ParseBool(s)
+// 	if err != nil {
+// 		result = false
+// 	}
+//
+// 	return
+// }
+
+func getEnv(key ...string) (s string) {
+	for _, k := range key {
+		s = os.Getenv(k)
+		if s != "" {
+			return
+		}
+	}
+	return
+}
+
+func setEnvOrPanic(key, value string) {
+	err := os.Setenv(key, value)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
+	if role == "" {
+		return ecr.New(sess)
+	}
+	if externalId != "" {
+		return ecr.New(sess, &aws.Config{
+			Credentials: stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {
+				p.ExternalID = &externalId
+			}),
+		})
+	} else {
+		return ecr.New(sess, &aws.Config{
+			Credentials: stscreds.NewCredentials(sess, role),
+		})
+	}
+}

docker/ecr/Dockerfile.linux.amd64

@@ -0,0 +1,4 @@
+FROM plugins/manifest:linux-amd64
+
+ADD release/linux/amd64/manifest-ecr /bin/
+ENTRYPOINT ["/bin/manifest-ecr"]

docker/ecr/Dockerfile.linux.arm64

@@ -0,0 +1,4 @@
+FROM plugins/manifest:linux-arm64
+
+ADD release/linux/arm64/manifest-ecr /bin/
+ENTRYPOINT ["/bin/manifest-ecr"]

docker/ecr/Dockerfile.windows.amd64.1809

@@ -0,0 +1,5 @@
+# escape=`
+FROM plugins/manifest:windows-1809-amd64
+
+ADD release/windows/amd64/manifest-ecr.exe C:/bin/manifest-ecr.exe
+ENTRYPOINT [ "C:\\bin\\manifest-ecr.exe" ]

docker/ecr/Dockerfile.windows.amd64.ltsc2022

@@ -0,0 +1,5 @@
+# escape=`
+FROM plugins/manifest:windows-ltsc2022-amd64
+
+ADD release/windows/amd64/manifest-ecr.exe C:/bin/manifest-ecr.exe
+ENTRYPOINT [ "C:\\bin\\manifest-ecr.exe" ]

docker/ecr/manifest.tmpl

@@ -0,0 +1,31 @@
+image: plugins/manifest-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/manifest-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/manifest-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux
+      variant: v8
+  -
+    image: plugins/manifest-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}windows-1809-amd64
+    platform:
+      architecture: amd64
+      os: windows
+      version: 1809
+  -
+    image: plugins/manifest-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}windows-ltsc2022-amd64
+    platform:
+      architecture: amd64
+      os: windows
+      version: ltsc2022

go.mod

@@ -3,10 +3,12 @@ module github.com/drone-plugins/drone-manifest
 go 1.20
 
 require (
+	github.com/aws/aws-sdk-go v1.44.167
 	github.com/coreos/go-semver v0.3.1
 	github.com/drone/drone-go v1.7.1
-	github.com/drone/drone-template-lib v1.0.0
+	github.com/drone/drone-template-lib v1.0.1-0.20201006172840-a58a3f26ebca
 	github.com/estesp/manifest-tool/v2 v2.0.8
+	github.com/joho/godotenv v1.5.1
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/sirupsen/logrus v1.9.0
@@ -15,8 +17,8 @@ require (
 
 require (
 	github.com/Masterminds/goutils v1.1.0 // indirect
-	github.com/Masterminds/semver v1.4.2 // indirect
-	github.com/Masterminds/sprig v2.18.0+incompatible // indirect
+	github.com/Masterminds/semver/v3 v3.1.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.1.0 // indirect
 	github.com/aymerick/raymond v2.0.2+incompatible // indirect
 	github.com/containerd/containerd v1.6.18 // indirect
 	github.com/docker/cli v23.0.1+incompatible // indirect
@@ -25,12 +27,16 @@ require (
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/uuid v1.2.0 // indirect
-	github.com/huandu/xstrings v1.2.0 // indirect
+	github.com/huandu/xstrings v1.3.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/mitchellh/copystructure v1.0.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
 	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
 	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect