Add support for public ecr

[fer1592]

Following PR adds support for images hosted in the AWS public registry, aims to solve the following issue. WIP

[davidcollom]

Appreciate the draft PR 👍 - If you're looking for an existing public ECR - we have a deployed version-checker ECR for E2E testing @ public.ecr.aws/c3x5s3k7/public-8456b5e0/alpine which clones alpine:latest

[fer1592]

Quick update about this, using the ecrpublic seems that doesn't work for images on the public.ecr.aws registry. I did a quick test using the http client similarly on how the docker client does, and works well. I'll be updating this PR next week probably (need to clean up all the crap code that I got)

[fer1592]

This should be ready for review. Like mentioned before, I stopped using the public ecr library and just performed http requests for it. I tested it with a couple of images, and seems to be working fine. Eg: for kube-proxy

Let me know what you think!

[davidcollom]

@fer1592 Sorry it's taken so long to get back to this 🙈 - I was curious as to if there was any reasoning around using the OCR Library? or https://github.com/google/go-containerregistry - as a project, we're trying to move away from managing too many client implementations and focusing on the authN/Z portion to the go-containerregistry or native libraries.

This is mainly due to maintenance and testing. We don't have a full E2E testing framework for all of the clients, which can make maintaining them difficult and we rely on the community to report issues and raise PR's to resolve issues.

[fer1592]

Sorry, been some busy weeks and I forgot to reply! Basically the reasoning was to replicate the same thing than the dockerClient, mostly thinking about maintenance really (usually I avoid using different libraries from the ones used unless it's completely necessary). Since public ECR has some small differences than docker, eg. you need to request a token first to an AWS endpoint before being able to reach ECR), paths are different as well as the response from ECR, it felt like the right move to just replicate the same thing as the dockerClient with the required modifications.

[Copilot]

Pull request overview

This PR adds support for AWS Elastic Container Registry (ECR) Public, enabling version-checker to query image tags from the public.ecr.aws registry. This extends the existing ECR private registry support to handle the publicly accessible AWS container registry.

• Introduces a new ecrpublic client package following the existing client implementation pattern
• Adds anonymous token-based authentication for ECR Public API access
• Integrates the new client into the main client registry alongside other providers

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
pkg/client/ecrpublic/types.go	Defines data structures for ECR Public API responses (AuthResponse and TagResponse)
pkg/client/ecrpublic/path.go	Implements host matching (public.ecr.aws) and path parsing for repository/image extraction
pkg/client/ecrpublic/path_test.go	Tests for host detection and path parsing logic
pkg/client/ecrpublic/ecrpublic.go	Main client implementation with tag fetching, request handling, and anonymous authentication
pkg/client/client.go	Registers the ECRPublic client in the main client factory and configuration

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

[nitpick] Remove the inline comment "Add ECRPublic options". Comments that simply describe what the code obviously does add no value and should be removed. The field name ECRPublic is self-documenting.

Suggested change

	ECRPublic ecrpublic.Options // Add ECRPublic options
	ECRPublic ecrpublic.Options

[Copilot]

[nitpick] Remove the inline comment "Add ECR public transporter". The code is self-explanatory and the comment adds no value.

Suggested change

	opts.ECRPublic.Transporter = opts.Transport // Add ECR public transporter
	opts.ECRPublic.Transporter = opts.Transport

[Copilot]

When image is empty (as in the test case "nginx" where repo="nginx" and image=""), the URL will be constructed as https://public.ecr.aws/v2/nginx//tags/list with a double slash. This may not be the correct format for the ECR Public API. Verify that this URL format works correctly, or handle the case where image is empty by constructing the URL differently, e.g., https://public.ecr.aws/v2/nginx/tags/list.

Suggested change

	url := fmt.Sprintf(ecrPublicLookupURL, repo, image)
	var url string
	if image == "" {
	url = fmt.Sprintf("https://public.ecr.aws/v2/%s/tags/list", repo)
	} else {
	url = fmt.Sprintf(ecrPublicLookupURL, repo, image)
	}

[Copilot]

Missing compile-time interface assertion. All other client implementations in the codebase include var _ api.ImageClient = (*Client)(nil) to ensure the Client type implements the api.ImageClient interface at compile time. This should be added at the package level (typically after the Client struct definition).

Suggested change

	var _ api.ImageClient = (*Client)(nil)

[Copilot]

The main client functionality in ecrpublic.go lacks test coverage. While path_test.go tests IsHost() and RepoImageFromPath(), there are no tests for the core functions Tags(), doRequest(), and getAnonymousToken(). Other client implementations like docker and ghcr include comprehensive tests for these core functions. Consider adding tests similar to those in pkg/client/docker/docker_test.go that use httptest to mock API responses.

[Copilot]

The doRequest function doesn't check the HTTP status code before attempting to unmarshal the response body. If the API returns an error status (e.g., 404, 401, 500), the function will try to unmarshal the error response as a TagResponse, which will likely fail with a confusing error message. Consider adding a status code check similar to getAnonymousToken at line 142:

if resp.StatusCode != http.StatusOK {
    return nil, fmt.Errorf("failed to get tags, status code: %d, body: %s", resp.StatusCode, body)
}

[Copilot]

The test name says "single image should return registry and image" but the expected expImage is empty. This is confusing and the test name doesn't match the expectation. Consider renaming to something like "single segment path should return repo with empty image" to better reflect what's being tested.

Suggested change

	"single image should return registry and image": {
	"single segment path should return repo with empty image": {

[Copilot]

The error message formatting is inconsistent with the error returned from getAnonymousToken. The error should use %w instead of %s to properly wrap the error, allowing error unwrapping with errors.Is() and errors.As(). Change to: fmt.Errorf("failed to get anonymous token: %w", err)

Suggested change

	return nil, fmt.Errorf("failed to get anonymous token: %s", err)
	return nil, fmt.Errorf("failed to get anonymous token: %w", err)

[Copilot]

Similarly, this error should use %w instead of %s to properly wrap the error. Change to: fmt.Errorf("failed to get %q image: %w", c.Name(), err)

Suggested change

	return nil, fmt.Errorf("failed to get %q image: %s", c.Name(), err)
	return nil, fmt.Errorf("failed to get %q image: %w", c.Name(), err)