From 75f7a9a96a4d4eed2980fe2cd60b17380db88b7e Mon Sep 17 00:00:00 2001
From: Nick Baker
Date: Fri, 9 Feb 2024 18:48:02 +0000
Subject: [PATCH 1/2] update method to get region and improve shell substitutions
---
 files/pull-sandbox-image.sh | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/files/pull-sandbox-image.sh b/files/pull-sandbox-image.sh
index 02b651a9e..736f955d7 100644
--- a/files/pull-sandbox-image.sh
+++ b/files/pull-sandbox-image.sh
@@ -1,16 +1,25 @@
 #!/usr/bin/env bash
-set -euo pipefail
 source <(grep "sandbox_image" /etc/containerd/config.toml | tr -d ' ')
+### skip if we don't have a sandbox_image set in config.toml
+if [[ -z ${sandbox_image:-} ]]; then
+ echo >&2 "Skipping ... missing sandbox_image from /etc/containerd/config.toml"
+ exit 0
+fi
+
 ### Short-circuit fetching sandbox image if its already present
-if [[ "$(sudo ctr --namespace k8s.io image ls | grep $sandbox_image)" != "" ]]; then
+if [[ -n $(sudo ctr --namespace k8s.io image ls | grep "${sandbox_image}") ]]; then
+ echo >&2 "Skipping ... sandbox_image '${sandbox_image}' is already present"
 exit 0
 fi
-# use the region that the sandbox image comes from for the ecr authentication,
-# also mitigating the localzone isse: https://github.com/aws/aws-cli/issues/7043
-region=$(echo "${sandbox_image}" | cut -f4 -d ".")
+# if the sandbox image is provided by the bootstrap script, then the region is
+# guaranteed to come from this data source.
+# see: https://github.com/awslabs/amazon-eks-ami/blob/baef6f0860f60dbec366de30853e47418e3fb430/files/bootstrap.sh#L320-L338
+# if the image is customer provided, then this is just a sane default for the
+# region when attempting to get ecr credentials.
+region=$(imds 'latest/dynamic/instance-identity/document' | jq .region -r)
 MAX_RETRIES=3
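Review bot: Nothing checks the result of the new `region=$(imds 'latest/dynamic/instance-identity/document' | jq .region -r)` assignment now that `set -euo pipefail` is deleted at the top of this hunk, so a failing `imds` or `jq` leaves `region` empty and the script carries on to the ECR login with it. An explicit guard right after the assignment keeps that failure visible: `[[ -n ${region} ]] || { echo >&2 "Unable to determine region"; exit 1; }`. Separately, the rewritten presence check `grep "${sandbox_image}"` still treats the image reference as an unanchored regular expression, so each `.` matches any character and any listed image whose name contains the reference counts as present, in which case the script exits 0 without pulling. A fixed-string match narrows that: `if sudo ctr --namespace k8s.io image ls | grep -qF -- "${sandbox_image}"; then`.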
@@ -29,9 +38,9 @@ function retry() {
 done
 }
-ecr_password=$(retry aws ecr get-login-password --region $region)
+# for public, non-ecr repositories even if this fails to get ECR credentials the image will pull
+ecr_password=$(retry aws ecr get-login-password --region "${region}")
 if [[ -z ${ecr_password} ]]; then
- echo >&2 "Unable to retrieve the ECR password."
- exit 1
+ echo >&2 "Unable to retrieve the ECR password. Image pull may not be properly authenticated."
 fi
 retry sudo crictl pull --creds "AWS:${ecr_password}" "${sandbox_image}"
From 45ca6c7e0e3cfe560dbb1d41ca25bf9029aa126e Mon Sep 17 00:00:00 2001
From: Nick Baker
Date: Fri, 9 Feb 2024 23:19:59 +0000
Subject: [PATCH 2/2] revert region fetching logic
---
 files/pull-sandbox-image.sh | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/files/pull-sandbox-image.sh b/files/pull-sandbox-image.sh
index 736f955d7..5610c09b1 100644
--- a/files/pull-sandbox-image.sh
+++ b/files/pull-sandbox-image.sh
@@ -14,12 +14,9 @@ if [[ -n $(sudo ctr --namespace k8s.io image ls | grep "${sandbox_image}") ]]; t
 exit 0
 fi
-# if the sandbox image is provided by the bootstrap script, then the region is
-# guaranteed to come from this data source.
-# see: https://github.com/awslabs/amazon-eks-ami/blob/baef6f0860f60dbec366de30853e47418e3fb430/files/bootstrap.sh#L320-L338
-# if the image is customer provided, then this is just a sane default for the
-# region when attempting to get ecr credentials.
-region=$(imds 'latest/dynamic/instance-identity/document' | jq .region -r)
+# use the region that the sandbox image comes from for the ecr authentication,
+# also mitigating the localzone isse: https://github.com/aws/aws-cli/issues/7043
+region=$(echo "${sandbox_image}" | cut -f4 -d ".")
 MAX_RETRIES=3
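Review bot: In the `@@ -29,9 +38,9 @@` hunk of patch 1/2, an empty `ecr_password` now falls through to the unchanged `crictl pull --creds "AWS:${ecr_password}"` line, so the pull sends the user `AWS` with an empty password rather than going anonymous; a registry may well reject that instead of ignoring it. Building the flag only when a token exists keeps the public-image path clean: `creds=(); [[ -n ${ecr_password} ]] && creds=(--creds "AWS:${ecr_password}")`, then `retry sudo crictl pull "${creds[@]}" "${sandbox_image}"`. The token is also passed as an argument to `sudo crictl`, where it is readable in the process list while the pull runs; a comment recording that exposure would help later hardening. The body of `retry` lies outside the hunk, so its exit status after the final attempt cannot be confirmed from here.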
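Review bot: The restored `region=$(echo "${sandbox_image}" | cut -f4 -d ".")` line in patch 2/2 assumes an ECR hostname, yet patch 1/2 deliberately lets non-ECR images proceed; for such a reference the fourth dot-separated field is an arbitrary fragment or empty, and it goes unchecked into `aws ecr get-login-password --region`, presumably costing the whole retry loop before the pull starts. Deriving the region only when the reference has the ECR host shape, and skipping the login otherwise, makes both cases explicit; as an illustration to adapt, `[[ ${sandbox_image} =~ ^[0-9]+\.dkr\.ecr[^.]*\.([a-z0-9-]+)\.amazonaws\. ]] && region=${BASH_REMATCH[1]}`. The restored comment also carries the typo `isse` for `issue`.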