diff --git a/internal/util/EcrService.go b/internal/util/EcrService.go
index 1e2487a56e..b2068f33a7 100644
--- a/internal/util/EcrService.go
+++ b/internal/util/EcrService.go
@@ -21,7 +21,6 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/juju/errors"
@@ -33,26 +32,22 @@ func CreateEcrRepo(repoName string, reg string, accessKey string, secretKey stri
 	region := reg
 	//fmt.Printf("repoName %s, reg %s, accessKey %s, secretKey %s\n", repoName, reg, accessKey, secretKey)
-	var creds *credentials.Credentials
+	var sess *session.Session
+	var err error
 	if len(accessKey) == 0 || len(secretKey) == 0 {
-		//fmt.Println("empty accessKey or secretKey")
-		sess, err := session.NewSession(&aws.Config{
+		// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+		sess, err = session.NewSession(&aws.Config{
 			Region: ®ion,
 		})
-		if err != nil {
-			log.Println(err)
-			return err
-		}
-		creds = ec2rolecreds.NewCredentials(sess)
 	} else {
-		creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+		// Case 2: Static credentials
+		creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+		sess, err = session.NewSession(&aws.Config{
+			Region: ®ion,
+			Credentials: creds,
+		})
 	}
-
-	sess, err := session.NewSession(&aws.Config{
-		Region: ®ion,
-		Credentials: creds,
-	})
 	if err != nil {
 		log.Println(err)
 		return err
diff --git a/pkg/pipeline/DockerRegistryConfig.go b/pkg/pipeline/DockerRegistryConfig.go
index c5fc6fad66..a2f9b5ca41 100644
--- a/pkg/pipeline/DockerRegistryConfig.go
+++ b/pkg/pipeline/DockerRegistryConfig.go
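Review bot: The new Case 1 branch turns a half-configured credential pair into a silent fallback: if exactly one of accessKey/secretKey is set, the unchanged `len(accessKey) == 0 || len(secretKey) == 0` condition routes the call to the default credential chain and the repository is created under whatever ambient identity the process holds, which the new comment now documents as the intended IAM-role case. I would reject the mixed state with an error and build a single `aws.Config`, attaching `Credentials` only when both keys are present, which also removes the duplicated `session.NewSession` call (sketch below; `errors` is already imported from juju/errors in this file). The following `log.Println(err)` plus `return err` logs and returns the same error, so the caller will likely log it a second time; wrapping it and returning once would be cleaner. CreateEcrRepo's body continues outside the hunk.
```go
	region := reg
	cfg := &aws.Config{Region: &region}
	switch {
	case len(accessKey) != 0 && len(secretKey) != 0:
		// Static credentials supplied by the caller.
		cfg.Credentials = credentials.NewStaticCredentials(accessKey, secretKey, "")
	case len(accessKey) != 0 || len(secretKey) != 0:
		// Only one half of the pair: refuse rather than silently using the ambient role.
		return errors.New("ecr: accessKey and secretKey must be provided together")
	default:
		// No static keys: default credential chain (env vars, IRSA, task/instance role).
	}
	sess, err := session.NewSession(cfg)
	// … unchanged: error check and the remainder of CreateEcrRepo …
```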
@@ -19,6 +19,10 @@ package pipeline
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/devtron-labs/common-lib/securestore"
 	bean2 "github.com/devtron-labs/devtron/api/helm-app/gRPC"
 	client "github.com/devtron-labs/devtron/api/helm-app/service"
@@ -27,9 +31,6 @@ import (
 	"github.com/devtron-labs/devtron/pkg/sql"
 	"github.com/go-pg/pg"
 	"k8s.io/utils/strings/slices"
-	"net/http"
-	"strings"
-	"time"
 
 	"github.com/devtron-labs/devtron/internal/constants"
 	"github.com/devtron-labs/devtron/internal/sql/repository/dockerRegistry"
@@ -906,6 +907,10 @@ func (impl DockerRegistryConfigImpl) ValidateRegistryCredentials(bean *types.Doc
 		bean.RegistryType == repository.REGISTRYTYPE_OTHER {
 		return nil
 	}
+	// Verify credentials only for chart OCI registry using helm registry login, as for container OCI registry
+	if _, ok := bean.OCIRegistryConfig[repository.OCI_REGISRTY_REPO_TYPE_CHART]; !ok {
+		return nil
+	}
 	request := &bean2.RegistryCredential{
 		RegistryUrl: bean.RegistryURL,
 		Username: bean.Username,
diff --git a/scripts/sql/35904700_ecr_assume_role.down.sql b/scripts/sql/35904700_ecr_assume_role.down.sql
new file mode 100644
index 0000000000..625a15cf87
--- /dev/null
+++ b/scripts/sql/35904700_ecr_assume_role.down.sql
@@ -0,0 +1,6 @@
+/*
+ * Copyright (c) 2025. Devtron Inc.
+ */
+
+ALTER TABLE public.docker_artifact_store
+    DROP COLUMN IF EXISTS assume_role_arn;
diff --git a/scripts/sql/35904700_ecr_assume_role.up.sql b/scripts/sql/35904700_ecr_assume_role.up.sql
new file mode 100644
index 0000000000..a085ab7257
--- /dev/null
+++ b/scripts/sql/35904700_ecr_assume_role.up.sql
@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2025. Devtron Inc.
+ */
+
+-- Add assume_role_arn column to docker_artifact_store for cross-account ECR access via STS AssumeRole
+ALTER TABLE public.docker_artifact_store
+    ADD COLUMN IF NOT EXISTS assume_role_arn VARCHAR(300) DEFAULT '';
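Review bot: The comment above the new early return stops mid-sentence at `as for container OCI registry`, so the reason container-only OCI registries are exempted is never stated; finish it, e.g. `// Verify credentials only for chart OCI registries via helm registry login; container-only OCI registries return here without a check`. That exemption is security-relevant: for a registry whose OCIRegistryConfig lacks the CHART key, wrong credentials now pass ValidateRegistryCredentials, so unless another path exercises them the failure surfaces only at first use — if that is intended, the comment should say so. The lookup tests key presence only, so an entry with an empty value still counts as a chart registry; presumably the map is populated that way, but worth confirming against the caller. ValidateRegistryCredentials starts and continues outside the hunk.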
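Review bot: `VARCHAR(300)` in the up migration is tighter than what IAM permits for a role ARN — the path component alone may be up to 512 characters in addition to the role name — so a valid long-path ARN would be rejected at insert time; `TEXT`, or a length that covers the IAM maximum, avoids a schema limit the application would later have to work around. Nothing here constrains the value to an ARN shape, and since this column names the role the service will assume for cross-account ECR access, the write path should validate the `arn:` prefix and account/role structure before persisting; a comment pointing at where that validation lives would help the next reader. The down migration mirrors the change correctly.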