
[ECR] Make prefix optional on pull through caches

Open yob opened this issue 11 months ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

When configuring an ECR pull through cache for public.ecr.aws, we're forced to set a namespace prefix. For example public.ecr.aws/datadog/agent:7.46.0 might gain an ecr-public prefix and become <account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-public/datadog/agent:7.46.0.

This is a hassle because a number of tools in the docker ecosystem (like buildkit) support auto mapping of registry hosts (like public.ecr.aws to <account_id>.dkr.ecr.us-east-1.amazonaws.com), but they don't support automatically adding a prefix to the image reference.

As a result, we must change our Dockerfiles and docker-compose.ymls to use the pull through cache images explicitly. It would be super nice if we could leave them referencing public.ecr.aws/datadog/agent:7.46.0 and the mapping could happen under the hood. This would be possible if the ecr-public prefix was made optional.

This would be particularly helpful because it would leave the Dockerfile and docker-compose.yml in a shape that works for unauthenticated users on local machines.

Which service(s) is this request for?

ECR

Are you currently working around this issue?

We are changing Dockerfile and docker-compose.yml to use the private ECR reference, but it requires users to log in locally, and it prevents tools like dependabot from being able to update the files (they don't have access to our private ECR).

yob, Jul 30 '23 11:07
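
The mapping described in the issue, as an added example that is not part of the original post or of any AWS or Docker tooling: it contrasts the reference a host-only mirror mapping produces with the prefixed reference the pull through cache serves, and rewrites Dockerfile FROM lines and docker-compose image: lines to the prefixed form. The function names are hypothetical, and the cache host and the ecr-public prefix are the placeholders used in the issue text.

```python
import re

UPSTREAM = "public.ecr.aws"
# Placeholders taken from the issue text; substitute your own account and region.
CACHE_HOST = "<account_id>.dkr.ecr.us-east-1.amazonaws.com"
PREFIX = "ecr-public"  # namespace prefix of the pull through cache rule

def host_only_mirror(ref):
    """Host-level mirror mapping: the registry host is swapped, the path is not."""
    host, sep, rest = ref.partition("/")
    return f"{CACHE_HOST}/{rest}" if sep and host == UPSTREAM else ref

def pull_through_ref(ref):
    """Reference the cache rule serves: host swapped and prefix inserted."""
    host, sep, rest = ref.partition("/")
    return f"{CACHE_HOST}/{PREFIX}/{rest}" if sep and host == UPSTREAM else ref

# Dockerfile: FROM [--flag=value ...] <image> [AS name]
FROM_RE = re.compile(r"^(\s*FROM\s+(?:--\S+\s+)*)(\S+)(.*)$", re.IGNORECASE)
# docker-compose.yml: image: <image>, optionally quoted
IMAGE_RE = re.compile(r"^(\s*image:\s*[\"']?)([^\s\"']+)(.*)$")

def rewrite_line(line):
    """Rewrite the image reference on a FROM or image: line; pass others through."""
    for pattern in (FROM_RE, IMAGE_RE):
        m = pattern.match(line)
        if m:
            return m.group(1) + pull_through_ref(m.group(2)) + m.group(3)
    return line

def rewrite(text):
    return "\n".join(rewrite_line(line) for line in text.splitlines())

# Constructed sample input.
SAMPLE = """\
FROM --platform=linux/amd64 public.ecr.aws/datadog/agent:7.46.0 AS agent
FROM alpine:3.18
RUN echo hello
"""

if __name__ == "__main__":
    ref = "public.ecr.aws/datadog/agent:7.46.0"
    print("host-only mirror asks for:", host_only_mirror(ref))
    print("cache rule serves:        ", pull_through_ref(ref))
    print(rewrite(SAMPLE))
```

The first two printed references differ only by the ecr-public path segment, which is the part a host-level mirror mapping cannot add.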