feat(nodeadm): use ecr-credential-provider for public.ecr.aws in 1.27+
Description of changes:
Ports https://github.com/awslabs/amazon-eks-ami/commit/78f54f68e2651243a659f712d3df579f57e32b65 to nodeadm/al2023
Testing Done
Built a 1.30 AMI, checked the config file had public.ecr.aws in the matchImages list and that running a pod using an image from public ECR (public.ecr.aws/nginx/nginx:latest) does not fail when using a role without ecr-public permissions.
Hi @cartermckinnon, I'm encountering an issue while building an Amazon EKS AMI using the latest version from the following repository: https://github.com/awslabs/amazon-eks-ami/tree/v20250228.
I'm using the following command for the build:
make k8s=1.29 os_distro=al2023
During the build process, I receive the following error:
error="hosts-store error\nnot found\nstat /var/lib/nerdctl/1935db59/etchosts/k8s.io/7451a4dfa45ee2ca955fddc355b7bb609155714ad64a09c6896d6fdcb8b552b5/meta.json: no such file or directory"
@suhailms18 I don't see how that's related to this PR, please open a new issue.
Have we verified:
- does this require new permissions (e.g. ecr-public:GetAuthorizationToken) that may not be on all nodes?
- what happens if that permission doesn't exist, does it fall back to anonymous access, or does the image pull fail?
@tzneal yep! @mselim00 tested this in an earlier PR: https://github.com/awslabs/amazon-eks-ami/pull/1949#issuecomment-2646906731
/ci
@mselim00 the workflow that you requested has completed.
| AMI variant | Build | Test |
|---|---|---|
| 1.28 / al2023 | failure | skipped |
| 1.29 / al2023 | failure | skipped |
| 1.30 / al2023 | failure | skipped |
| 1.31 / al2023 | failure | skipped |
| 1.32 / al2023 | failure | skipped |
| 1.33 / al2023 | failure | skipped |
| 1.34 / al2023 | failure | skipped |
Had to update the build image for go 1.25
/ci
@mselim00 the workflow that you requested has completed.
| AMI variant | Build | Test |
|---|---|---|
| 1.28 / al2023 | failure | skipped |
| 1.29 / al2023 | failure | skipped |
| 1.30 / al2023 | failure | skipped |
| 1.31 / al2023 | failure | skipped |
| 1.32 / al2023 | failure | skipped |
| 1.33 / al2023 | failure | skipped |
| 1.34 / al2023 | failure | skipped |
the 1.25 image in public.ecr.aws/eks-distro-build-tooling/golang is pointing to 1.25.0 but we need go 1.25.1, checking if that'll be updated soon or if we should start setting the full version
/ci +build nodeadm_build_image=public.ecr.aws/eks-distro-build-tooling/golang:1.25.1
@mselim00 the workflow that you requested has completed.
| AMI variant | Build | Test |
|---|---|---|
| 1.28 / al2023 | success | success |
| 1.29 / al2023 | success | success |
| 1.30 / al2023 | success | success |
| 1.31 / al2023 | success | success |
| 1.32 / al2023 | success | success |
| 1.33 / al2023 | success | success |
| 1.34 / al2023 | success | success |
just want to validate the build works by default now since a new 1.25 golang image was released
/ci build +workflow:k8s_versions 1.33