host-ctr: setting img reg credentials for public.ecr.aws does not work #2671

Closed
etungsten opened this issue Dec 19, 2022 · 1 comment · Fixed by #2676
Labels
area/core Issues core to the OS (variant independent) type/bug Something isn't working

Comments


etungsten commented Dec 19, 2022

Image I'm using:
Any bottlerocket image supporting settings.container-registry.mirrors and settings.container-registry.credentials

What I expected to happen:
host-ctr to use the provided registry credentials in settings.container-registry.credentials for public.ecr.aws when going through a configured private registry mirror.

What actually happened:
host-ctr tries to pull the public ECR image through the prescribed registry mirror but without the specified registry credentials for public.ecr.aws, which then causes the image pull to fail.

How to reproduce the problem:
With the following user-data:

[settings.container-registry.mirrors]
"public.ecr.aws" = ["https://198.18.34.118:443"]

[settings.pki.registry-mirror-ca]
data = "<redacted>"
trusted = true

[[settings.container-registry.credentials]]
registry = "public.ecr.aws"
username = "<redacted>"
password = "<redacted>"

Bottlerocket then repeatedly fails to pull the bottlerocket-admin host container image from public ECR due to authentication failures.

[Screenshot of the repeated pull failures, taken 2022-12-15, attached to the original issue]

etungsten added the labels type/bug (Something isn't working), status/needs-triage (Pending triage or re-evaluation), area/core (Issues core to the OS, variant independent) and go on Dec 19, 2022.
etungsten changed the title from "host-ctr: setting img reg credentials for public.ecr.aws does not work when using private reg mirror" to "host-ctr: setting img reg credentials for public.ecr.aws does not work" on Dec 19, 2022.
etungsten self-assigned this on Dec 19, 2022.
etungsten (Contributor, Author) commented:

The issue here is that we're overriding the registry authorizer with credentials fetched from ECR public to enable authenticated pulls so users won't hit anonymous pull limits.

	// For Amazon ECR Public registries, we should try and fetch credentials before resolving the image reference
	case strings.HasPrefix(ref, "public.ecr.aws/"):
		// Try to get credentials for authenticated pulls from ECR Public

Custom authorizer object created here:
	// Use the fetched authorization credentials to resolve the image
	authOpt := docker.WithAuthCreds(func(host string) (string, string, error) {
		// Double-check to make sure that we're doing this for an ECR Public registry
		if host != "public.ecr.aws" {
			return "", "", errors.New("ecr-public: expected image to start with public.ecr.aws")
		}
		return tokens[0], tokens[1], nil
	})
	authorizer := docker.NewDockerAuthorizer(authOpt)
	resolverOpt := docker.ResolverOptions{
		Hosts: registryHosts(registryConfig, &authorizer),
	}

Then used here through authorizerOverride:

	var authorizer docker.Authorizer
	if authorizerOverride == nil {
		// Set up auth for pulling from registry
		var authOpts []docker.AuthorizerOpt
		if _, ok := registryConfig.Credentials[defaultHost]; ok {
			// Convert registry credentials config to runtime auth config, so it can be parsed by `ParseAuth`
			authConfig.Username = registryConfig.Credentials[defaultHost].Username
			authConfig.Password = registryConfig.Credentials[defaultHost].Password
			authConfig.Auth = registryConfig.Credentials[defaultHost].Auth
			authConfig.IdentityToken = registryConfig.Credentials[defaultHost].IdentityToken
			authOpts = append(authOpts, docker.WithAuthClient(&http.Client{
				Transport: newTransport(),
			}))
			authOpts = append(authOpts, docker.WithAuthCreds(func(host string) (string, string, error) {
				return server.ParseAuth(&authConfig, host)
			}))
		}
		authorizer = docker.NewDockerAuthorizer(authOpts...)
	} else {
		authorizer = *authorizerOverride
	}

What we want to do is to NOT override the authorizer if there is a settings.container-registry.credentials entry for public.ecr.aws so the user-specified reg creds can be used.

We can add an if to check registryConfig.Credentials before this line:

// Try to get credentials for authenticated pulls from ECR Public

and just return the defaultResolver if it contains public.ecr.aws.
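The selection logic described in the comment above, as an added, self-contained Go example (it is not host-ctr's code and the types, function names and the `issueConfig` values are assumptions or constructed for illustration). `buggyCreds` reproduces the reported behaviour, where any `public.ecr.aws/` reference unconditionally takes the ECR Public token path; `fixedCreds` consults `registryConfig.Credentials` first and falls through to the default authorizer when the user configured credentials for `public.ecr.aws`, which is what the proposed fix does.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RegistryCredential is one settings.container-registry.credentials entry (username/password only).
type RegistryCredential struct {
	Username string
	Password string
}

// RegistryConfig is an assumed, simplified shape for the parsed registry settings, not host-ctr's real type.
// Mirrors maps a registry host to its mirror endpoints; Credentials maps a host to its login.
type RegistryConfig struct {
	Mirrors     map[string][]string
	Credentials map[string]RegistryCredential
}

// CredsFunc has the signature containerd's docker.WithAuthCreds accepts: host -> (username, secret, error).
type CredsFunc func(host string) (string, string, error)

// AuthSource records which credential path was selected for a pull.
type AuthSource string

const (
	AuthUserConfigured AuthSource = "user-configured-credentials"
	AuthECRPublicToken AuthSource = "ecr-public-token"
	AuthAnonymous      AuthSource = "anonymous"
)

// hostOf returns the registry host of a fully qualified image reference (assumed input form).
func hostOf(ref string) string {
	return strings.SplitN(ref, "/", 2)[0]
}

// fetchECRPublicToken stands in for the ECR Public token exchange; the values are constructed, no network.
func fetchECRPublicToken() (string, string, error) {
	return "AWS", "constructed-ecr-public-token", nil
}

// ecrPublicCreds builds the override callback quoted in the comment above: it only answers for public.ecr.aws.
func ecrPublicCreds() (CredsFunc, error) {
	user, secret, err := fetchECRPublicToken()
	if err != nil {
		return nil, err
	}
	return func(host string) (string, string, error) {
		if host != "public.ecr.aws" {
			return "", "", errors.New("ecr-public: expected image to start with public.ecr.aws")
		}
		return user, secret, nil
	}, nil
}

// defaultCreds is the non-override path: use the configured credentials for the host if present, else anonymous.
func defaultCreds(ref string, cfg RegistryConfig) (AuthSource, CredsFunc) {
	host := hostOf(ref)
	cred, ok := cfg.Credentials[host]
	if !ok {
		return AuthAnonymous, func(string) (string, string, error) { return "", "", nil }
	}
	return AuthUserConfigured, func(h string) (string, string, error) {
		if h != host {
			return "", "", fmt.Errorf("credentials configured for %q, not %q", host, h)
		}
		return cred.Username, cred.Password, nil
	}
}

// buggyCreds reproduces the report: public.ecr.aws references always take the ECR Public token path.
func buggyCreds(ref string, cfg RegistryConfig) (AuthSource, CredsFunc, error) {
	if strings.HasPrefix(ref, "public.ecr.aws/") {
		f, err := ecrPublicCreds()
		return AuthECRPublicToken, f, err
	}
	src, f := defaultCreds(ref, cfg)
	return src, f, nil
}

// fixedCreds checks registryConfig.Credentials first; user-configured credentials win over the override.
func fixedCreds(ref string, cfg RegistryConfig) (AuthSource, CredsFunc, error) {
	_, userConfigured := cfg.Credentials[hostOf(ref)]
	if strings.HasPrefix(ref, "public.ecr.aws/") && !userConfigured {
		f, err := ecrPublicCreds()
		return AuthECRPublicToken, f, err
	}
	src, f := defaultCreds(ref, cfg)
	return src, f, nil
}

// pullEndpoints lists the endpoints tried for a host: configured mirrors first, then the host itself.
func pullEndpoints(host string, cfg RegistryConfig) []string {
	return append(append([]string{}, cfg.Mirrors[host]...), "https://"+host)
}

// issueConfig is the user-data from the report with constructed placeholder credentials.
func issueConfig() RegistryConfig {
	return RegistryConfig{
		Mirrors:     map[string][]string{"public.ecr.aws": {"https://198.18.34.118:443"}},
		Credentials: map[string]RegistryCredential{"public.ecr.aws": {Username: "mirror-user", Password: "mirror-pass"}},
	}
}

func main() {
	cfg := issueConfig()
	ref := "public.ecr.aws/bottlerocket/bottlerocket-admin:example" // constructed reference
	for _, c := range []struct {
		name string
		pick func(string, RegistryConfig) (AuthSource, CredsFunc, error)
	}{{"before", buggyCreds}, {"after", fixedCreds}} {
		src, creds, err := c.pick(ref, cfg)
		if err != nil {
			panic(err)
		}
		user, _, _ := creds("public.ecr.aws")
		fmt.Printf("%s fix: endpoints=%v auth=%s user=%s\n", c.name, pullEndpoints(hostOf(ref), cfg), src, user)
	}
}
```

With the issue's user-data, `buggyCreds` reports `ecr-public-token` (the mirror never sees the configured login, matching the authentication failures in the report), while `fixedCreds` reports `user-configured-credentials`; with no credentials entry at all, `fixedCreds` still takes the ECR Public token path, so the anonymous-pull-limit behaviour is unchanged for the default case.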
