feat: ECR credential integration into Finch (#462)

Issue #, if available: 116

*Description of changes:*
Integrating ECR credential helper into Finch. 

**To Install the Credential Helper**
- The ECR credential helper can be setup with minimal configuration by
setting the `creds_helpers` option in `finch.yaml` with the value `-
ecr-login`.

- Once the option has been set the credential helper will be installed
on either `finch vm init ` or `finch vm start`. The binary will be
downloaded on the host machine and a `config.json` will be created and
populated in the `~/.finch/` folder if it doesn't already exist. If it
already exists, the value of `credsStore` will be overwritten to
`ecr-login` .

**How to stop using the credential helper with Finch**
- `config.json` needs to be either deleted, or the `credsStore`
parameter needs to have the value `ecr-login ` removed. Additionally the
creds_helper option in the finch.yaml needs to be removed.

- To fully remove the credential helper from the host machine, this can
be done by deleting it from the
`~/.finch/cred-helpers` folder.


The credential helper will support credentials from both the aws
credentials file and those that are stored as environment variables.


*Testing done:*
Added Unit Tests
Added Integration Test 


- [ x] I've reviewed the guidance in CONTRIBUTING.md


#### License Acceptance

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Signed-off-by: kiryl1 <kirylkul@gmail.com>

.github/workflows/ci.yaml

@@ -14,6 +14,9 @@ on:
     paths-ignore:
       - '**.md'
       - 'contrib/**'
+permissions:
+  id-token: write
+  contents: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -82,21 +85,33 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: 
+        os:
           [
-            [self-hosted, macos, amd64, 13, test], 
-            [self-hosted, macos, amd64, 12, test], 
-            [self-hosted, macos, arm64, 13, test], 
+            [self-hosted, macos, amd64, 13, test],
+            [self-hosted, macos, amd64, 12, test],
+            [self-hosted, macos, arm64, 13, test],
             [self-hosted, macos, arm64, 12, test]
           ]
-    runs-on: ${{ matrix.os }} 
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v3
         with:
           # We need to get all the git tags to make version injection work. See VERSION in Makefile for more detail.
           fetch-depth: 0
           persist-credentials: false
           submodules: true
+      - name: Set output variables
+        id: vars
+        run: |
+          has_creds=${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
+          echo "has_creds=$has_creds" >> $GITHUB_OUTPUT
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v2.2.0
+        if: steps.vars.outputs.has_creds == true
+        with:
+          role-to-assume: ${{ secrets.ROLE }}
+          role-session-name: credhelper-test
+          aws-region: ${{ secrets.REGION }}
       - name: Clean up previous files
         run: |
           sudo rm -rf /opt/finch
@@ -109,8 +124,8 @@ jobs:
             sudo pkill '^socket_vmnet'
           fi
       - name: Install Rosetta 2
-        run: echo "A" | softwareupdate --install-rosetta || true 
-      - run: brew install go lz4 automake autoconf libtool 
+        run: echo "A" | softwareupdate --install-rosetta || true
+      - run: brew install go lz4 automake autoconf libtool
         shell: zsh {0}
       - name: Build project
         run: |
@@ -120,7 +135,7 @@ jobs:
       - run: |
           git status
           git clean -f -d
-          make test-e2e
+          REGISTRY=${{ steps.vars.outputs.has_creds == true && env.REGISTRY || '' }} make test-e2e
         shell: zsh {0}
   e2e-tests-for-docker-compat:
     strategy:
@@ -139,6 +154,18 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
           submodules: true
+      - name: Set output variables
+        id: vars
+        run: |
+          has_creds=${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
+          echo "has_creds=$has_creds" >> $GITHUB_OUTPUT
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v2.2.0
+        if: steps.vars.outputs.has_creds == true
+        with:
+          role-to-assume: ${{ secrets.ROLE }}
+          role-session-name: credhelper-test-docker-compat
+          aws-region: ${{ secrets.REGION }}
       - name: Clean up previous files
         run: |
           sudo rm -rf /opt/finch
@@ -162,7 +189,7 @@ jobs:
       - run: |
           git status
           git clean -f -d
-          FINCH_DOCKER_COMPAT=1 make test-e2e
+          FINCH_DOCKER_COMPAT=1 REGISTRY=${{ steps.vars.outputs.has_creds == true && env.REGISTRY || '' }} make test-e2e
         shell: zsh {0}
   mdlint:
     runs-on: ubuntu-latest

Makefile

@@ -29,7 +29,7 @@ LDFLAGS := "-X $(PACKAGE)/pkg/version.Version=$(VERSION) -X $(PACKAGE)/pkg/versi
 .DEFAULT_GOAL := all
 
 INSTALLED ?= false
-
+REGISTRY ?= ""
 ifneq (,$(findstring arm64,$(ARCH)))
 	SUPPORTED_ARCH = true
 	LIMA_ARCH = aarch64
@@ -273,7 +273,7 @@ test-e2e-container:
 
 .PHONY: test-e2e-vm
 test-e2e-vm:
-	go test -ldflags $(LDFLAGS) -timeout 45m ./e2e/vm -test.v -ginkgo.v --installed="$(INSTALLED)"
+	go test -ldflags $(LDFLAGS) -timeout 45m ./e2e/vm -test.v -ginkgo.v --installed="$(INSTALLED)" --registry="$(REGISTRY)"
 
 .PHONY: test-benchmark
 test-benchmark:

README.md

@@ -99,6 +99,18 @@ An example `finch.yaml` looks like this:
 cpus: 4
 # Memory: the amount of memory to dedicate to the virtual machine. (required)
 memory: 4GiB
+# CredsHelpers: a list of credential helpers that will be installed and configured automatically. 
+# Supported Credential Helpers List: 
+# - ecr-login https://github.com/awslabs/amazon-ecr-credential-helper
+# Once the option has been set the credential helper will be installed on either finch vm init or finch vm start. 
+# The binary will be downloaded on the host machine and a config.json will be created and populated inside the ~/.finch/ folder 
+# if it doesn't already exist. If it already exists, the value of credsStore will be overwritten. 
+# To opt out of using the credential helper, remove the value from the credsStore parameter of config.json 
+# and remove the creds_helper value from finch.yaml. 
+# To completely remove the credential helper, either remove the binary from ~/.finch/creds-helpers or remove the creds-helpers
+# folder entirely. (optional)
+creds_helpers: 
+  - ecr-login
 # AdditionalDirectories: the work directories that are not supported by default. In macOS, only home directory is supported by default. 
 # For example, if you want to mount a directory into a container, and that directory is not under your home directory, 
 # then you'll need to specify this field to add that directory or any ascendant of it as a work directory. (optional)

cmd/finch/main.go

@@ -15,6 +15,7 @@ import (
 	"github.com/runfinch/finch/pkg/command"
 	"github.com/runfinch/finch/pkg/config"
 	"github.com/runfinch/finch/pkg/dependency"
+	"github.com/runfinch/finch/pkg/dependency/credhelper"
 	"github.com/runfinch/finch/pkg/dependency/vmnet"
 	"github.com/runfinch/finch/pkg/disk"
 	"github.com/runfinch/finch/pkg/flog"
@@ -120,7 +121,11 @@ func virtualMachineCommands(
 	fs afero.Fs,
 	fc *config.Finch,
 ) *cobra.Command {
-	optionalDepGroups := []*dependency.Group{vmnet.NewDependencyGroup(ecc, lcc, fs, fp, logger)}
+	optionalDepGroups := []*dependency.Group{
+		vmnet.NewDependencyGroup(ecc, lcc, fs, fp, logger),
+		credhelper.NewDependencyGroup(ecc, fs, fp, logger, fc, system.NewStdLib().Env("USER"),
+			system.NewStdLib().Arch()),
+	}
 	return newVirtualMachineCommand(
 		lcc,
 		logger,

cmd/finch/nerdctl.go

@@ -170,7 +170,11 @@ func (nc *nerdctlCommand) run(cmdName string, args []string) error {
 		envVars[evar] = eval
 	}
 
-	passedEnvs := []string{"COSIGN_PASSWORD"}
+	passedEnvs := []string{
+		"COSIGN_PASSWORD", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
+		"AWS_SESSION_TOKEN",
+	}
+
 	var passedEnvArgs []string
 	for _, e := range passedEnvs {
 		v, b := nc.systemDeps.LookupEnv(e)