support public.ecr.aws

[gdamjan]

AWS has introduced public ECR registries, and when configured the url of the registry is public.ecr.aws. The same url is used for both push and pull.

docker-image-resource currently won't supply AWS credentials unless it matches the ECR regex
https://github.com/concourse/docker-image-resource/blob/master/assets/out#L232

https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-ecr-public-and-amazon-ecr-public-gallery/

[gdamjan]

additionally, the command to get credentials from ECR into docker have changed

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/<alias>
...
docker push public.ecr.aws/<alias>/<namespace>/<repository>

[vidolch]

Is there any development in this? Seems like pushing public image is not working:

WARN[0000] ECR integration is experimental and untested 
INFO[0002] pushing tag(s) latest
ERRO[0002] pushing image failed: pushing tag(s): POST https://********.dkr.ecr.*******.amazonaws.com/v2/********/blobs/uploads/: NAME_UNKNOWN: The repository with name '********' does not exist in the registry with id '********' 

[eckdanny]

The [simplest/most-common?] use-case for public ECR instead of Docker Hub (subject to rate-limits):

...workloads running in AWS will get unlimited data bandwidth from any region when pulling publicly shared images hosted on AWS.
-AWS

If @gdamjan's sleuthing is correct, that RegEx constraint should definitely be relaxed in order for a simple pipeline (below) to work, rt?

docker-image-resource/assets/out

Line 232 in 273da71

ECR_REGISTRY_PATTERN='/[a-zA-Z0-9][a-zA-Z0-9_-]*\.dkr\.ecr\.[a-zA-Z0-9][a-zA-Z0-9_-]*\.amazonaws\.com(\.cn)?[^ ]*/'

simple pipeline

---
resources:
- name: node-image
  type: registry-image
  source:
    tag: lts-gallium
    repository: public.ecr.aws/docker/library/node
[...]

jobs:
- name: my-job
  plan:
    - task: use-node-image
      image: node-image
      config: [...]