Fix #34700: support repositoryCredentials in ECS

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsBackend.java

@@ -64,6 +64,7 @@
 import software.amazon.awssdk.services.ecs.model.NetworkMode;
 import software.amazon.awssdk.services.ecs.model.PropagateTags;
 import software.amazon.awssdk.services.ecs.model.RegisterTaskDefinitionResponse;
+import software.amazon.awssdk.services.ecs.model.RepositoryCredentials;
 import software.amazon.awssdk.services.ecs.model.RunTaskResponse;
 import software.amazon.awssdk.services.ecs.model.RuntimePlatform;
 import software.amazon.awssdk.services.ecs.model.Tag;
@@ -108,6 +109,7 @@ public class EcsBackend extends AbstractContainerBackend {
     private List<String> securityGroups;
     private int totalWaitMs;
     private String cluster;
+    private String defaultRepositoryCredentialsParameter;
 
     @Inject
     private IProxySpecProvider proxySpecProvider;
@@ -134,7 +136,8 @@ public void initialize() {
         enableCloudWatch = environment.getProperty("proxy.ecs.enable-cloudwatch", Boolean.class, false);
         cloudWatchGroupPrefix = environment.getProperty("proxy.ecs.cloud-watch-group-prefix", String.class, "/ecs/");
         cloudWatchRegion = environment.getProperty("proxy.ecs.cloud-watch-region", String.class, getProperty(PROPERTY_REGION));
-        cloudWatchStreamPrefix =  environment.getProperty("proxy.ecs.cloud-watch-stream-prefix", String.class, "ecs");
+        cloudWatchStreamPrefix = environment.getProperty("proxy.ecs.cloud-watch-stream-prefix", String.class, "ecs");
+        defaultRepositoryCredentialsParameter = environment.getProperty("proxy.ecs.default-repository-credentials-parameter", String.class);
 
         if (cluster == null) {
             throw new IllegalStateException("Error in configuration of ECS backend: proxy.ecs.cluster not set to name of cluster");
@@ -242,7 +245,8 @@ public Proxy startContainer(Authentication user, Container initialContainer, Con
                     if (task.lastStatus().equals("RUNNING")) {
                         return Retrying.SUCCESS;
                     } else if (!STARTING_STATES.contains(task.lastStatus()) || !task.desiredStatus().equals("RUNNING")) {
-                        slog.warn(proxy, String.format("ECS container failed: task not running, stopCode: '%s', stoppingAt: '%s', stoppedAt: '%s', stoppedReason: '%s'", task.stopCode(), task.stoppingAt(), task.stoppedAt(), task.stoppedReason()));
+                        slog.warn(proxy, String.format("ECS container failed: task not running, stopCode: '%s', stoppingAt: '%s', stoppedAt: '%s', stoppedReason: '%s'", task.stopCode(), task.stoppingAt(), task.stoppedAt(),
+                            task.stoppedReason()));
                         return new Retrying.Result(false, false);
                     }
                 }
@@ -300,18 +304,24 @@ private String getTaskDefinition(Authentication user, ContainerSpec spec, EcsSpe
         // automatically used in the cloudwatch stream name
         String containerName = StringUtils.left(spec.getResourceName().getValueOrDefault("sp-container-" + proxy.getId() + "-" + initialContainer.getIndex()), 255);
 
-       RegisterTaskDefinitionResponse registerTaskDefinitionResponse = ecsClient.registerTaskDefinition(builder -> builder
+        ContainerDefinition.Builder containerDefinitionBuilder = ContainerDefinition.builder()
+            .name(containerName)
+            .image(spec.getImage().getValue())
+            .command(spec.getCmd().getValueOrNull())
+            .environment(env)
+            .stopTimeout(2)
+            .dockerLabels(dockerLabels)
+            .logConfiguration(getLogConfiguration(proxy.getSpecId()))
+            .mountPoints(volumes.getSecond());
+
+        String credentials = specExtension.getEcsRepositoryCredentialsParameter().getValueOrDefault(defaultRepositoryCredentialsParameter);
+        if (credentials != null && !credentials.isBlank()) {
+            containerDefinitionBuilder.repositoryCredentials(RepositoryCredentials.builder().credentialsParameter(credentials).build());
+        }
+
+        RegisterTaskDefinitionResponse registerTaskDefinitionResponse = ecsClient.registerTaskDefinition(builder -> builder
             .family("sp-task-definition-" + proxy.getId()) // family is a name for the task definition
-            .containerDefinitions(ContainerDefinition.builder()
-                .name(containerName)
-                .image(spec.getImage().getValue())
-                .command(spec.getCmd().getValueOrNull())
-                .environment(env)
-                .stopTimeout(2)
-                .dockerLabels(dockerLabels)
-                .logConfiguration(getLogConfiguration(proxy.getSpecId()))
-                .mountPoints(volumes.getSecond())
-                .build())
+            .containerDefinitions(containerDefinitionBuilder.build())
             .networkMode(NetworkMode.AWSVPC) // only option when using fargate
             .requiresCompatibilities(Compatibility.FARGATE)
             .cpu(spec.getCpuRequest().getValue()) // required by fargate

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsSpecExtension.java

@@ -68,6 +68,9 @@ public class EcsSpecExtension extends AbstractSpecExtension {
     @Builder.Default
     SpelField.Boolean ecsEnableExecuteCommand = new SpelField.Boolean();
 
+    @Builder.Default
+    SpelField.String ecsRepositoryCredentialsParameter = new SpelField.String();
+
     @Override
     public ISpecExtension firstResolve(SpecExpressionResolver resolver, SpecExpressionContext context) {
         return toBuilder()
@@ -78,6 +81,7 @@ public ISpecExtension firstResolve(SpecExpressionResolver resolver, SpecExpressi
             .ecsEphemeralStorageSize(ecsEphemeralStorageSize.resolve(resolver, context))
             .ecsEfsVolumes(ecsEfsVolumes.stream().map(p -> p.resolve(resolver, context)).collect(Collectors.toList()))
             .ecsEnableExecuteCommand(ecsEnableExecuteCommand.resolve(resolver, context))
+            .ecsRepositoryCredentialsParameter(ecsRepositoryCredentialsParameter.resolve(resolver, context))
             .build();
     }
 

src/test/java/eu/openanalytics/containerproxy/test/proxy/TestIntegrationOnEcs.java

@@ -155,7 +155,7 @@ public void launchProxyWithRoles() {
                 LogConfiguration logConfiguration = containerDefinition.logConfiguration();
                 Assertions.assertNotNull(logConfiguration);
                 Assertions.assertEquals(LogDriver.AWSLOGS, logConfiguration.logDriver());
-                Assertions.assertEquals("/ecs/sp-" + proxy.getId(), logConfiguration.options().get("awslogs-group"));
+                Assertions.assertEquals("/ecs/sp-" + proxy.getSpecId(), logConfiguration.options().get("awslogs-group"));
                 Assertions.assertEquals(System.getenv("ITEST_ECS_REGION"), logConfiguration.options().get("awslogs-region"));
                 Assertions.assertEquals("true", logConfiguration.options().get("awslogs-create-group"));
                 Assertions.assertEquals("ecs", logConfiguration.options().get("awslogs-stream-prefix"));