in cmd/ecr-credential-provider/main.go [62:131]
func (e *ecrPlugin) GetCredentials(ctx context.Context, image string, args []string) (*v1alpha1.CredentialProviderResponse, error) {
registryID, region, registry, err := parseRepoURL(image)
if err != nil {
return nil, err
}
if e.ecr == nil {
e.ecr, err = defaultECRProvider(region, registryID)
if err != nil {
return nil, err
}
}
output, err := e.ecr.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{
RegistryIds: []*string{aws.String(registryID)},
})
if err != nil {
return nil, err
}
if output == nil {
return nil, errors.New("response output from ECR was nil")
}
if len(output.AuthorizationData) == 0 {
return nil, errors.New("authorization data was empty")
}
data := output.AuthorizationData[0]
if data.AuthorizationToken == nil {
return nil, errors.New("authorization token in response was nil")
}
decodedToken, err := base64.StdEncoding.DecodeString(aws.StringValue(data.AuthorizationToken))
if err != nil {
return nil, err
}
parts := strings.SplitN(string(decodedToken), ":", 2)
if len(parts) != 2 {
return nil, errors.New("error parsing username and password from authorization token")
}
var cacheDuration *metav1.Duration
expiresAt := data.ExpiresAt
if expiresAt == nil {
// explicitly set cache duration to 0 if expiresAt was nil so that
// kubelet does not cache it in-memory
cacheDuration = &metav1.Duration{Duration: 0}
} else {
// halving duration in order to compensate for the time loss between
// the token creation and passing it all the way to kubelet.
duration := time.Duration((expiresAt.Unix() - time.Now().Unix()) / 2)
if duration > 0 {
cacheDuration = &metav1.Duration{Duration: duration}
}
}
return &v1alpha1.CredentialProviderResponse{
CacheKeyType: v1alpha1.RegistryPluginCacheKeyType,
CacheDuration: cacheDuration,
Auth: map[string]v1alpha1.AuthConfig{
registry: {
Username: parts[0],
Password: parts[1],
},
},
}, nil
}