feat(aws): Enable setting custom endpoints for AWS ECR for ECRAuthori…

[mtweten]

…zationToken generator

Problem Statement

The external-secrets AWS provider currently allows setting custom endpoints for the STS, SSM, and SecretsManager services. However, the ECRAuthorizationToken generator does not currently support custom endpoints for the ECR/ECR Public services.

Related Issue

No corresponding issue.

Proposed Changes

Expose environment variables for ECR and ECR public services similar to the existing custom endpoint overrides.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[mtweten]

I noticed on another PR around auth type stuff that this will probably not be accepted due to the aws-go-sdk-v2 upgrade (#4484).

With the upgrade to v2, will the standard AWS_ENDPOINT_URL_* environment variables be supported by default?

[gusfcarvalho]

hi @mtweten !

it's not that it isn't going to be accepted; but we'd like to merge this one after sdk v2 work is finished 😄.

Alternatively, if you can sync and add this contribution to both SDKs (v1 being this one, and another contribution in v2), I see no problem in adding this PR right away.

We just don't want to cause more changes for the volunteers that are pushing sdk v2.

[mtweten]

@gusfcarvalho Thanks for the response! I'm not certain, but I think the v2 upgrade will make it so external-secrets won't need to explicitly provide support for endpoint overrides - I think with v2 AWS_ENDPOINT_URL_* environment variables are supported by default.

I noticed in the v2 PR that both of the existing environment variable overrides, AWS_SSM_ENDPOINT and AWS_SECRETSMANAGER_ENDPOINT, were removed (https://github.com/external-secrets/external-secrets/pull/4484/files#diff-9c6c21b0dfd29225505dd5e59527cc6e2a1cff3bd32c61aa16062df2e6222ae6L24-L26), and I assume that's why. I'll have to test with the v2 changes.

Either way, I'm fine with holding off on this!

[mtweten]

I believe that #4484 is a breaking change since it removed both of the environment variables currently supported to set custom endpoints for the SSM and Secrets Manager services (AWS_SECRETSMANAGER_ENDPOINT and AWS_SSM_ENDPOINT): https://github.com/external-secrets/external-secrets/pull/4484/files#diff-9c6c21b0dfd29225505dd5e59527cc6e2a1cff3bd32c61aa16062df2e6222ae6L24

[Skarlso]

@mtweten isn't it still there in the resolver? https://github.com/external-secrets/external-secrets/pull/4484/files#diff-2cc22752e0b4a69ae5c590a1225325f4f2e17fd34b8bf7223b3a511d1e894779

[mtweten]

@Skarlso My bad! I didn't see that they got moved. Thanks for pointing that out

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[mtweten]

I've updated this PR to use the same pattern for resolving custom endpoints that was used in the aws-go-sdk-v2 update and verified that it works correctly for overriding ECR endpoints.