Address review comment

- Provide AWS doc link
- Check IsAWSECRURL in Object once
- Check credential AWS access/secret key pair exists

Signed-off-by: JenTing Hsiao <[email protected]>

Author: jenting

components/registry-credential/README.md

@@ -15,8 +15,8 @@ kubectx [cluster-name]
 
 ```console
 kubectl create secret generic aws-iam-credential \
-    --from-literal=access_key_id=<AWS_ACCESS_KEY> \
-    --from-literal=secret_access_key=<AWS_SECRET_KEY>
+    --from-literal=accessKeyId=<AWS_ACCESS_KEY> \
+    --from-literal=secretAccessKey=<AWS_SECRET_KEY>
 ```
 
 ### Prepare the configuration

components/registry-credential/pkg/ecr/updater.go

@@ -27,8 +27,8 @@ import (
 )
 
 const (
-	accessKeyIdName     = "access_key_id"
-	secretAccessKeyName = "secret_access_key"
+	accessKeyIdName     = "accessKeyId"
+	secretAccessKeyName = "secretAccessKey"
 )
 
 const (

install/installer/pkg/components/registry-credential/common.go

@@ -32,6 +32,7 @@ func isAWSECRURL(URL string) bool {
 
 // isPrivateAWSECRURL check if it's a private AWS ECR URL.
 // The private AWS ECR URL with the format aws_account_id.dkr.ecr.region.amazonaws.com.
+// Reference to https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html
 func isPrivateAWSECRURL(URL string) bool {
 	u, err := url.Parse(URL)
 	if err != nil {

install/installer/pkg/components/registry-credential/configmap.go

@@ -15,10 +15,6 @@ import (
 )
 
 func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
-	if !IsAWSECRURL(ctx) {
-		return nil, nil
-	}
-
 	privateRegistry := isPrivateAWSECRURL(ctx.Config.ContainerRegistry.External.URL)
 	region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL)
 

install/installer/pkg/components/registry-credential/cronjob.go

@@ -15,10 +15,6 @@ import (
 )
 
 func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) {
-	if !IsAWSECRURL(ctx) {
-		return nil, nil
-	}
-
 	objectMeta := metav1.ObjectMeta{
 		Name:      Component,
 		Namespace: ctx.Namespace,

install/installer/pkg/components/registry-credential/objects.go

@@ -10,15 +10,15 @@ import (
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 )
 
-var Objects = common.CompositeRenderFunc(
-	configmap,
-	role,
-	rolebinding,
-	cronjob,
-	func(ctx *common.RenderContext) ([]runtime.Object, error) {
-		if !IsAWSECRURL(ctx) {
-			return nil, nil
-		}
-		return common.DefaultServiceAccount(Component)(ctx)
-	},
-)
+func Objects(ctx *common.RenderContext) ([]runtime.Object, error) {
+	if !IsAWSECRURL(ctx) {
+		return nil, nil
+	}
+	return common.CompositeRenderFunc(
+		configmap,
+		role,
+		rolebinding,
+		cronjob,
+		common.DefaultServiceAccount(Component),
+	)(ctx)
+}

install/installer/pkg/components/registry-credential/role.go

@@ -13,10 +13,6 @@ import (
 )
 
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
-	if !IsAWSECRURL(ctx) {
-		return nil, nil
-	}
-
 	return []runtime.Object{
 		&rbacv1.Role{
 			TypeMeta: common.TypeMetaRole,

install/installer/pkg/components/registry-credential/rolebinding.go

@@ -13,10 +13,6 @@ import (
 )
 
 func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
-	if !IsAWSECRURL(ctx) {
-		return nil, nil
-	}
-
 	return []runtime.Object{
 		&rbacv1.RoleBinding{
 			TypeMeta: common.TypeMetaRoleBinding,

install/installer/pkg/config/v1/validation.go

@@ -149,6 +149,11 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks {
 	if cfg.ContainerRegistry.External != nil {
 		secretName := cfg.ContainerRegistry.External.Certificate.Name
 		res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData(".dockerconfigjson")))
+
+		if cfg.ContainerRegistry.External.Credential != nil {
+			credSecretName := cfg.ContainerRegistry.External.Credential.Name
+			res = append(res, cluster.CheckSecret(credSecretName, cluster.CheckSecretRequiredData("accessKeyId", "secretAccessKey")))
+		}
 	}
 
 	if cfg.ContainerRegistry.S3Storage != nil {