Drone Docker with ECR

Hey folks!

I’m trying to use the drone-docker plugin to push to an AWS ECR registry. There used to be a drone-ecr plugin I see, but its readme indicates that it was merged into the normal drone-docker plugin, and if I look in drone-docker I can see that there is a drone-docker-ecr command.

What I’m unclear on is how to direct drone-docker to use this ecr command.

Any tips?

We merged the ECR and GCR plugins into the same repository as the Docker plugin; however, we still publish separate images for each. The instructions here are still valid: http://plugins.drone.io/drone-plugins/drone-ecr/

Gotcha. When I do:

    repo: <prod-account-id>.dkr.ecr.us-east-1.amazonaws.com/<my-app>
    registry: <prod-account-id>.dkr.ecr.us-east-1.amazonaws.com

I see in the drone output that it’s tagging an image:

    <staging-account-id>.dkr.ecr.us-east-1.amazonaws.com/<prod-account-id>.dkr.ecr.us-east-1.amazonaws.com/<my-app>

which seems off.

Notably, I’m running this on our staging AWS account, which does have push access to the production account ECR repositories.

What can I do to prevent it from prepending the staging information to the front of the repo?

If the repo name does not include the registry prefix, it is prepended. This would lead me to believe there is a typo or mismatch. You can see the relevant code here: https://github.com/drone-plugins/drone-docker/blob/master/cmd/drone-docker-ecr/main.go#L53:L55

I recommend tracing through the code which should help you work through any additional difficulties with configuration.

It sort of looks like it’s overriding the provided registry with one it grabs from an ECR API call: https://github.com/drone-plugins/drone-docker/blob/master/cmd/drone-docker-ecr/main.go#L48
This would explain how it gets the staging account registry URL, since that string never appears in my drone yml. In fact it doesn’t look like the registry option from the drone yml is used at all.

I wonder if I could use the ordinary drone-docker plugin with credentials from secrets, and then have a pipeline phase that runs prior which sets those secrets via an AWS API call. Alternatively I’ll just fork drone-docker-ecr to not clobber the registry.

You could alternatively submit a patch to check and see if the registry address contains dkr.ecr.us-east-1.amazonaws.com instead of HasPrefix. I presume this would not break the existing functionality, while handling your use case.
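
The naming behaviour discussed in this thread, as an added example that is not the plugin's own code: `prefixOnly` models the prepend-unless-prefixed rule as described above, and `hostAware` is one hypothetical alternative that checks the repo's hostname segment instead of a substring and reports when the target registry differs from the resolved one. The function names, the hostname pattern and the account IDs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ecrHost matches a private ECR hostname in the standard partition:
// <12-digit account>.dkr.ecr.<region>.amazonaws.com (assumed pattern).
var ecrHost = regexp.MustCompile(`^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$`)

// prefixOnly models the behaviour described in the thread: the repo is
// left alone only when it starts with the registry the plugin resolved.
func prefixOnly(resolvedRegistry, repo string) string {
	if !strings.HasPrefix(repo, resolvedRegistry) {
		return resolvedRegistry + "/" + repo
	}
	return repo
}

// hostAware (hypothetical) prepends the resolved registry only when the
// repo carries no ECR hostname of its own. crossRegistry reports that the
// repo names a different registry than the one resolved, so a pipeline
// can log or gate cross-account pushes explicitly.
func hostAware(resolvedRegistry, repo string) (out string, crossRegistry bool) {
	host, _, hasPath := strings.Cut(repo, "/")
	if hasPath && ecrHost.MatchString(host) {
		return repo, host != resolvedRegistry
	}
	return resolvedRegistry + "/" + repo, false
}

func main() {
	// Constructed account IDs standing in for the thread's placeholders.
	staging := "111111111111.dkr.ecr.us-east-1.amazonaws.com"
	prod := "222222222222.dkr.ecr.us-east-1.amazonaws.com"
	for _, repo := range []string{"my-app", staging + "/my-app", prod + "/my-app"} {
		fixed, cross := hostAware(staging, repo)
		fmt.Printf("%s\n  prefixOnly=%s\n  hostAware=%s cross=%v\n",
			repo, prefixOnly(staging, repo), fixed, cross)
	}
}
```

Matching the first path segment against a hostname pattern is stricter than a substring test, since a repo path that merely contains the ECR domain somewhere after the first `/` still gets the resolved registry prepended.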