From af88b57aa28c260802d69e06854d4d6b619e3796 Mon Sep 17 00:00:00 2001
From: Bartlomiej Dworak <bartdwo@amazon.com>
Date: Mon, 9 Dec 2024 20:56:17 -0800
Subject: [PATCH] Add Dual Stack Public ECR endpoint support

---
 cmd/ecr-credential-provider/main.go      | 8 ++++++--
 cmd/ecr-credential-provider/main_test.go | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/cmd/ecr-credential-provider/main.go b/cmd/ecr-credential-provider/main.go
index 0d78e046d4..b18addf631 100644
--- a/cmd/ecr-credential-provider/main.go
+++ b/cmd/ecr-credential-provider/main.go
@@ -24,6 +24,7 @@ import (
 	"net/url"
 	"os"
 	"regexp"
+	"slices"
 	"strings"
 	"time"
 
@@ -40,7 +41,10 @@ import (
 )
 
 const ecrPublicRegion string = "us-east-1"
-const ecrPublicHost string = "public.ecr.aws"
+
+func getECRPublicHosts() []string {
+	return []string{"public.ecr.aws", "ecr-public.aws.com"}
+}
 
 var ecrPrivateHostPattern = regexp.MustCompile(`^(\d{12})\.dkr[\.\-]ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(?:\.cn)?|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`)
 
@@ -162,7 +166,7 @@ func (e *ecrPlugin) GetCredentials(ctx context.Context, image string, args []str
 		return nil, err
 	}
 
-	if imageHost == ecrPublicHost {
+	if slices.Contains(getECRPublicHosts(), imageHost) {
 		creds, err = e.getPublicCredsData(ctx)
 	} else {
 		creds, err = e.getPrivateCredsData(ctx, imageHost, image)
diff --git a/cmd/ecr-credential-provider/main_test.go b/cmd/ecr-credential-provider/main_test.go
index 296506fb43..aa4f416369 100644
--- a/cmd/ecr-credential-provider/main_test.go
+++ b/cmd/ecr-credential-provider/main_test.go
@@ -210,6 +210,12 @@ func Test_GetCredentials_Public(t *testing.T) {
 			getAuthorizationTokenOutput: generatePublicGetAuthorizationTokenOutput("user", "pass", "", nil),
 			response:                    generateResponse("public.ecr.aws", "user", "pass"),
 		},
+		{
+			name:                        "success dual stack public endpoint",
+			image:                       "ecr-public.aws.com",
+			getAuthorizationTokenOutput: generatePublicGetAuthorizationTokenOutput("user", "pass", "", nil),
+			response:                    generateResponse("ecr-public.aws.com", "user", "pass"),
+		},
 		{
 			name:                        "empty authorization data",
 			image:                       "public.ecr.aws",