[Feat]: Support for AWS ECR Authentication with Temporary Tokens

[tamilhce]

What type of PR is this?
feature
Which issue does this PR fix:
project-zot/zot#2650

What does this PR do / Why do we need it:
This PR adds support for temporary credentials for upstream registries, specifically focusing on AWS ECR. Since ECR credentials are not permanent and need to be rotated periodically, this enhancement enables Zot to dynamically obtain and refresh valid usernames and passwords when the CredentialHelper is configured for the registry

If an issue # is not available please add repro steps and logs showing the issue:
N/A

Testing done on this change:

During initialization, the logs confirm that ECR credentials have been updated:

{"level":"info","goroutine":1,"caller":"zotregistry.dev/zot/pkg/extensions/sync/service.go:77","time":"2024-10-18T23:15:48.269973286+05:30","message":"Using credentials helper, because CredentialHelper is set to ecr"}
{"level":"info","goroutine":1,"caller":"zotregistry.dev/zot/pkg/extensions/sync/service.go:81","time":"2024-10-18T23:15:48.269998807+05:30","message":"Fetch the credentials using AWS ECR Auth Token."}

During credential expiry, the following log entries are generated:

{"level":"info","url":"accountid.dkr.ecr.us-east-1.amazonaws.com","goroutine":593,"caller":"zotregistry.dev/zot/pkg/extensions/sync/ecr_credential_helper.go:126","time":"2024-10-19T00:43:06.320476296+05:30","message":"The credentials are close to expiring"}
{"level":"info","url":"accountid.dkr.ecr.us-east-1.amazonaws.com","goroutine":593,"caller":"zotregistry.dev/zot/pkg/extensions/sync/ecr_credential_helper.go:135","time":"2024-10-19T00:43:06.320498388+05:30","message":"Refreshing the ECR credentials"}
{"level":"info","url":"accountid.dkr.ecr.us-east-1.amazonaws.com","goroutine":593,"caller":"zotregistry.dev/zot/pkg/extensions/sync/service.go:162","time":"2024-10-19T00:43:07.009198386+05:30","message":"Refreshing the upstream remote registry credentials"}

These logs verify that the credentials are nearing the expiry window of one hour and have been successfully refreshed.
Automation added to e2e:
Added TestECRCredentialsHelper in sync_internal_test

Will this break upgrades or downgrades?
No

Does this PR introduce any user-facing change?:
No

release-note
With this PR, users can configure AWS ECR as an upstream registry for on-demand or periodic sync by setting CredentialHelper: ecr in the extension sync configuration. This change eliminates the need for users to manually add usernames and passwords in the credentialsFile; instead, credentials will be stored in memory and automatically rotated as they approach expiry. An example configuration is available in examples/config-sync-ecr-credential-helper.json.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[rchincha]

Is this PR fixing your particular issue?

[tamilhce]

Yes, the PR adds support for AWS ECR.
However, it is implemented in a way that makes it easy to extend support for other providers. For instance, if someone needs
similar functionality for Azure Container Registry (ACR), they would need to implement the CredentialHelper interface:

type CredentialHelper interface {
    // Validates whether the credentials for the specified registry URL have expired.
    isCredentialsValid(url string) bool

    // Retrieves credentials for the provided list of registry URLs.
    getCredentials(urls []string) (syncconf.CredentialsFile, error)

    // Refreshes credentials for the specified registry URL.
    refreshCredentials(url string) (syncconf.Credentials, error)
}

As part of this PR, For AWS ECR, this interface is implemented in ecr_credential_helper.go."

[tamilhce]

I will review the failed checks and address them. Meanwhile, could you please help review this PR?

[rchincha]

@tamilhce What is the state of your PR?

[tamilhce]

@rchincha I have verified that the PR is working as expected in my environment. It has been running fine for the past month without any issues in our dev/uat clusters. However, a few mandatory checks for the PR are failing. I have not been able to work for the last few weeks due to medical reasons. I will fix the failures and update this thread accordingly

[rchincha]

@rchincha I have verified that the PR is working as expected in my environment. It has been running fine for the past month without any issues in our dev/uat clusters. However, a few mandatory checks for the PR are failing. I have not been able to work for the last few weeks due to medical reasons. I will fix the failures and update this thread accordingly

Thanks for the work you are putting into this PR.
Pls let us know if we can help.
Also, pls go ahead and make this an official PR so rest of the community can also take a look.

[tamilhce]

Hi @rchincha

1. Currently, all the PR checks are passing except for golint and the DCO check. I will fix the linting issues, but I’m still unsure why the DCO check is failing, as I have signed the PR.
2. Also, how can I make this PR open for others to review?

[tamilhce]

The lint job now looks clean, except for the DCO/sign-off check, which is failing for other commits. Since I rebased my changes, it seems to be including other commits as well. Any help resolving this issue would be greatly appreciated. This PR has been pending for a while, so let's aim to close it ASAP

[rchincha]

@tamilhce can you git rebase to top of main

[rchincha]

Also, post this PR against zot main and not your own fork's main