cue-lang
cmd/cue: mod publish fails with AWS ECR
What version of CUE are you using (cue version)?
$ cue version v0.8.0-alpha.2
Does this issue reproduce with the latest stable release?
N/A
What did you do?
What version of CUE are you using (cue version)?
$ cue version v0.8.0-alpha.1
Does this issue reproduce with the latest stable release?
N/A (feature didn't exist in latest stable)
What did you do?
- First I created an AWS IAM user with admin access
- Then I created a new ECR repository
- Then something like the below testscript reproducer, except that the
aws ecr get-login-passwordneeds to run interactively.
env CUE_EXPERIMENT=modules
env DOCKER_CONFIG=$WORK
# This is taken from the "View Push Commands" panel in the page
# for the new ECR registry.
env REGISTRY_HOST=my-ecs-hostname.dkr.ecr.us-east-1.amazonaws.com
env REGISTRY_REGION=us-east-1
env REPO=rog-test
exec sh -c 'aws ecr get-login-password --region '$REGISTRY_REGION' | docker login --username AWS --password-stdin '$REGISTRY_HOST
env CUE_REGISTRY=$REGISTRY_HOST/$REPO
exec cue mod publish v1.0.0
-- cue.mod/module.cue --
module: "foo.com@v1"
-- m.cue --
package cuemodtest
x: 2
What did you expect to see?
A passing test
What did you see instead?
cannot put module: cannot make scratch config: cannot do HTTP request: Post "https://my-ecs-hostname.dkr.ecr.us-east-1.amazonaws.com/v2/rog-test/github.com/rogpeppe/cuemodtest/blobs/uploads/": EOF
As far as I can make out in the absence of any clear documentation on the matter, ECR refuses a push to any repository that has not been explicitly created either in the console or with the aws ecr create-repository CLI command.
It does not provide a proper HTTP response when you try to do that, but just drops the connection (hence the EOF error seen above).
Here's a reproducer, where "redacted" is replaced by my basic auth token, as stored in .docker/config.json.
env ECR_HOST='679215184149.dkr.ecr.us-east-1.amazonaws.com'
env ECR_REPO='rog-test'
env ECR_AUTH_TOKEN='redacted'
exec go run main.go
-- main.go --
package main
import (
"log"
"net/http"
"os"
)
func main() {
host := os.Getenv("ECR_HOST")
repo := os.Getenv("ECR_REPO")
req, _ := http.NewRequest("POST", "https://"+host+"/v2/"+repo+"/x/blobs/uploads/", nil)
req.Header.Set("Authorization", "Basic "+os.Getenv("ECR_AUTH_TOKEN"))
resp, err := http.DefaultClient.Do(req)
if err != nil {
log.Printf("error: %v\n", err)
os.Exit(1)
} else {
log.Printf("status %d\n", resp.StatusCode)
}
}
I get this result:
> exec go run main.go
[stderr]
2024/02/21 14:00:08 error: Post "https://679215184149.dkr.ecr.us-east-1.amazonaws.com/v2/rog-test/x/blobs/uploads/": EOF
I have confirmed that it's possible to work around this by using the pathEncoding: "hashAsTag" feature of the registry config file, which causes all modules to be pushed to different tags in the same repository.
For clarity:
ECR refuses a push to any repository that has not been explicitly created either in the console or with the aws ecr create-repository CLI command.
The issue shows up even when the repository already exists. As soon as you add the pathEncoding: "hashAsTag" you are able to push.
The issue shows up even when the repository already exists. As soon as you add the
pathEncoding: "hashAsTag"you are able to push.
To clarify, the issue does not show up when the module repository itself already exists (as opposed to its "parent" repository). For example, when I explicitly create the repository that's going to be used to store the module, the push works OK:
% aws ecr create-repository --region us-east-1 --repository-name rog-test/github.com/rogpeppe/cuemodtest
{
"repository": {
"repositoryArn": "arn:aws:ecr:us-east-1:679215184149:repository/rog-test/github.com/rogpeppe/cuemodtest",
"registryId": "679215184149",
"repositoryName": "rog-test/github.com/rogpeppe/cuemodtest",
"repositoryUri": "679215184149.dkr.ecr.us-east-1.amazonaws.com/rog-test/github.com/rogpeppe/cuemodtest",
"createdAt": "2024-02-21T15:34:42.488000+00:00",
"imageTagMutability": "MUTABLE",
"imageScanningConfiguration": {
"scanOnPush": false
},
"encryptionConfiguration": {
"encryptionType": "AES256"
}
}
}
% CUE_REGISTRY=679215184149.dkr.ecr.us-east-1.amazonaws.com/rog-test
% cue mod push v1.0.0
published github.com/rogpeppe/[email protected]
%