awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull

Image with `docker` and `docker-credential-helper-ecr`

chopeen opened this issue · comments

I have a CI/CD pipeline that runs on docker:20.10.17. It pulls images from a GitLab registry and pushes them to AWS ECR.

The credential helper gets installed from an untrusted Alpine repository:

```sh
apk add docker-credential-ecr-login -X https://dl-cdn.alpinelinux.org/alpine/edge/community/ --allow-untrusted
```

Is there a better way to install docker-credential-ecr-login in the docker image?
Or - ideally - is there an image available that contains both docker and docker-credential-ecr-login?

I am downloading from the GitHub source in our internal CI container.

```dockerfile
FROM alpine:3.17 AS builder

# Pinned helper release; TARGETOS and TARGETARCH are supplied by BuildKit.
ARG ECR_HELPER_VERSION=0.6.0
ARG TARGETOS
ARG TARGETARCH

# Download the release binary and add the locally maintained checksum list.
ADD https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_HELPER_VERSION}/${TARGETOS}-${TARGETARCH}/docker-credential-ecr-login /tmp/docker-credential-ecr-login-${TARGETOS}-${TARGETARCH}
ADD checksums.sha512 /tmp

COPY docker-config.json /root/.docker/config.json

# Check the entry for this platform before installing the binary.
RUN apk add --no-cache docker-cli \
  && (cd /tmp; grep -Ei "$TARGETOS[-_]($TARGETARCH|$(uname -m))" checksums.sha512 | sha512sum -c -) \
  && mv /tmp/docker-credential-ecr-login-${TARGETOS}-${TARGETARCH} /usr/local/bin/docker-credential-ecr-login \
  && chmod a+x /usr/local/bin/docker-credential-ecr-login
```

The TARGETOS and TARGETARCH parts are there to facilitate checksum verification, which I like to do whenever I am downloading anything external. I add the Compose plugin, kubectl, and some other things in a similar fashion.

HTH
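
The checksum step from the reply above, written as a stand-alone shell function; this is an added example, not part of the original thread or of the amazon-ecr-credential-helper project. It goes one step further than the Dockerfile by refusing to continue unless the checksum list holds exactly one well-formed entry for the downloaded file. The function names `sha512_of` and `verify_pinned` are hypothetical, and the list is assumed to use `sha512sum` format with file names that contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed SHA-512 pin check.
# Assumes sha512sum-format lines ("<hex digest>  <name>") and names without spaces.

# Print the SHA-512 hex digest of a file (sha512sum if present, else shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        shasum -a 512 "$1" | awk '{ print $1 }'
    fi
}

# verify_pinned FILE CHECKSUMS
# Returns 0 only if exactly one entry names FILE and its digest matches.
verify_pinned() {
    file=$1
    sums=$2
    if [ ! -f "$file" ] || [ ! -f "$sums" ]; then
        echo "verify_pinned: missing file or checksum list" >&2
        return 2
    fi
    name=$(basename "$file")

    # Exact match on the name field, so "linux-arm" cannot select "linux-arm64".
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    count=$(printf '%s\n' "$expected" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "verify_pinned: expected 1 entry for $name, found $count" >&2
        return 3
    fi

    # Reject anything that is not a 128-hex-digit SHA-512 value.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9A-Fa-f]{128}$'; then
        echo "verify_pinned: malformed digest for $name" >&2
        return 4
    fi

    actual=$(sha512_of "$file" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "verify_pinned: digest mismatch for $name" >&2
        return 1
    fi
    return 0
}
```

In a `RUN` step the function would be called before the `mv`, so any non-zero return stops the build.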