Update ecs-agent to 1.101.2

packages/amazon-vpc-cni-plugins/Cargo.toml

@@ -13,8 +13,8 @@ path = "../packages.rs"
 releases-url = "https://github.com/aws/amazon-ecs-agent/commits/master/amazon-vpc-cni-plugins"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/aws/amazon-vpc-cni-plugins/archive/be5214353252f8315a1341f4df9ffbd8cf69000c/amazon-vpc-cni-plugins.tar.gz"
-sha512 = "b1aa61d0000ff732dae67213cea2eac49363c048416716e27f36b2b43f6227db8b15ead27c43c5fd623569a49572cb6b2149c86d69363f75cec4620ddc9ef47b"
+url = "https://github.com/aws/amazon-vpc-cni-plugins/archive/a4e9ac076709c882a904afabc4c24c7700600f6b/amazon-vpc-cni-plugins.tar.gz"
+sha512 = "b2cc6db9462e9fb27eb2599cbc9eba7e9dae18b76af9137c99e69ee0f07dec72e2358740a3e0b873c7fe8ed004a2d47a48b4159769aaebc7641f0ec6aa00d613"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

packages/amazon-vpc-cni-plugins/amazon-vpc-cni-plugins.spec

@@ -1,7 +1,7 @@
 %global vpccni_goproject github.com/aws
 %global vpccni_gorepo amazon-vpc-cni-plugins
 %global vpccni_goimport %{vpccni_goproject}/%{vpccni_gorepo}
-%global vpccni_gitrev be5214353252f8315a1341f4df9ffbd8cf69000c
+%global vpccni_gitrev a4e9ac076709c882a904afabc4c24c7700600f6b
 %global vpccni_gover 1.3
 
 Name: %{_cross_os}amazon-vpc-cni-plugins

packages/ecs-agent/0007-fix-ecr-fips-endpoint-conflict.patch

@@ -0,0 +1,141 @@
+From 10d1fb7585dad5a1f3f1a58a606605572bdf42ea Mon Sep 17 00:00:00 2001
+From: Kyle Sessions <kssessio@amazon.com>
+Date: Wed, 21 Jan 2026 20:13:57 +0000
+Subject: [PATCH] ecr: fix FIPS endpoint conflict with SDK v2
+
+SDK v2 rejects combining UseFIPSEndpoint with a custom endpoint override,
+returning "FIPS and custom endpoint are not supported". This breaks ECR
+auth when AWS_USE_FIPS_ENDPOINT=true and the ECS control plane sends a
+FIPS endpoint override (e.g., ecr-fips.us-west-2.amazonaws.com).
+
+Fix by disabling SDK FIPS resolution when the endpoint override is already
+FIPS-compliant. The endpoint is already FIPS-compliant, so this preserves
+FIPS compliance while avoiding the SDK validation error.
+
+Signed-off-by: Kyle Sessions <kssessio@amazon.com>
+---
+ agent/ecr/factory.go      | 10 ++++-
+ agent/ecr/factory_test.go | 85 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 94 insertions(+), 1 deletion(-)
+
+diff --git a/agent/ecr/factory.go b/agent/ecr/factory.go
+index 6d507214f65..09e94ee71a3 100644
+--- a/agent/ecr/factory.go
++++ b/agent/ecr/factory.go
+@@ -18,6 +18,7 @@ import (
+ 	"context"
+ 	"fmt"
+ 	"net/http"
++	"strings"
+ 	"time"
+
+ 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
+@@ -75,7 +76,14 @@ func getClientConfig(httpClient *http.Client, authData *apicontainer.ECRAuthData
+ 	}
+
+ 	if authData.EndpointOverride != "" {
+-		opts = append(opts, awsconfig.WithBaseEndpoint(utils.AddScheme(authData.EndpointOverride)))
++		endpoint := utils.AddScheme(authData.EndpointOverride)
++		opts = append(opts, awsconfig.WithBaseEndpoint(endpoint))
++		// Disable SDK FIPS resolution if endpoint is already FIPS-compliant to avoid
++		// "FIPS and custom endpoint are not supported" error from SDK v2.
++		if strings.Contains(endpoint, "//ecr-fips.") {
++			logger.Debug("ECR endpoint override is FIPS; disabling SDK FIPS resolution", logger.Fields{"endpoint": endpoint})
++			opts = append(opts, awsconfig.WithUseFIPSEndpoint(aws.FIPSEndpointStateDisabled))
++		}
+ 	} else if useDualStackEndpoint {
+ 		logger.Debug("Configuring ECR Client DualStack endpoint")
+ 		opts = append(opts, awsconfig.WithUseDualStackEndpoint(aws.DualStackEndpointStateEnabled))
+diff --git a/agent/ecr/factory_test.go b/agent/ecr/factory_test.go
+index 511a7a2f59f..69b2f1b6a57 100644
+--- a/agent/ecr/factory_test.go
++++ b/agent/ecr/factory_test.go
+@@ -100,3 +100,88 @@ func TestGetClientConfigEndpointOverride(t *testing.T) {
+ 		})
+ 	}
+ }
++
++func TestGetClientConfigFIPSEndpointOverride(t *testing.T) {
++	cases := []struct {
++		Name                 string
++		Region               string
++		EndpointOverride     string
++		UseDualStackEndpoint bool
++		EnvFIPSEnabled       bool
++		ExpectFIPSState      aws.FIPSEndpointState
++	}{
++		{
++			Name:             "no endpoint override without env FIPS",
++			Region:           "us-west-2",
++			EndpointOverride: "",
++			EnvFIPSEnabled:   false,
++			ExpectFIPSState:  aws.FIPSEndpointStateUnset,
++		},
++		{
++			Name:             "no endpoint override with env FIPS",
++			Region:           "us-west-2",
++			EndpointOverride: "",
++			EnvFIPSEnabled:   true,
++			ExpectFIPSState:  aws.FIPSEndpointStateUnset,
++		},
++		{
++			Name:             "FIPS us-west-2 with env FIPS",
++			Region:           "us-west-2",
++			EndpointOverride: "ecr-fips.us-west-2.amazonaws.com",
++			EnvFIPSEnabled:   true,
++			ExpectFIPSState:  aws.FIPSEndpointStateDisabled,
++		},
++		{
++			Name:             "FIPS us-east-1 with env FIPS",
++			Region:           "us-east-1",
++			EndpointOverride: "ecr-fips.us-east-1.amazonaws.com",
++			EnvFIPSEnabled:   true,
++			ExpectFIPSState:  aws.FIPSEndpointStateDisabled,
++		},
++		{
++			Name:             "FIPS us-gov-west-1 with env FIPS",
++			Region:           "us-gov-west-1",
++			EndpointOverride: "ecr-fips.us-gov-west-1.amazonaws.com",
++			EnvFIPSEnabled:   true,
++			ExpectFIPSState:  aws.FIPSEndpointStateDisabled,
++		},
++		{
++			Name:                 "FIPS dualstack us-east-1 with env FIPS",
++			Region:               "us-east-1",
++			EndpointOverride:     "ecr-fips.us-east-1.api.aws",
++			UseDualStackEndpoint: true,
++			EnvFIPSEnabled:       true,
++			ExpectFIPSState:      aws.FIPSEndpointStateDisabled,
++		},
++		{
++			Name:                 "FIPS dualstack us-gov-west-1 with env FIPS",
++			Region:               "us-gov-west-1",
++			EndpointOverride:     "ecr-fips.us-gov-west-1.api.aws",
++			UseDualStackEndpoint: true,
++			EnvFIPSEnabled:       true,
++			ExpectFIPSState:      aws.FIPSEndpointStateDisabled,
++		},
++	}
++
++	for _, tc := range cases {
++		t.Run(tc.Name, func(t *testing.T) {
++			if tc.EnvFIPSEnabled {
++				t.Setenv("AWS_USE_FIPS_ENDPOINT", "true")
++			}
++
++			authData := &apicontainer.ECRAuthData{
++				Region:           tc.Region,
++				EndpointOverride: tc.EndpointOverride,
++				UseExecutionRole: false,
++			}
++			cfg, err := getClientConfig(nil, authData, tc.UseDualStackEndpoint)
++			assert.NoError(t, err)
++
++			for _, src := range cfg.ConfigSources {
++				if loadOpts, ok := src.(config.LoadOptions); ok {
++					assert.Equal(t, tc.ExpectFIPSState, loadOpts.UseFIPSEndpoint)
++				}
++			}
++		})
++	}
++}

packages/ecs-agent/Cargo.toml

@@ -13,8 +13,9 @@ path = "../packages.rs"
 releases-url = "https://github.com/aws/amazon-ecs-agent/releases"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/aws/amazon-ecs-agent/archive/v1.91.2/amazon-ecs-agent-1.91.2.tar.gz"
-sha512 = "c079dc22ee60ff0701d9a66f59add26fcab02baae36c72f98e8397ea6747a1858c4df2cada9ed3e2af3657d65920d2495b0b94c88dfbd573a6485ce2a4d6a816"
+# Verify the Git submodule commit of amazon-vpc-cni-plugins matches what is shipped in ../amazon-vpc-cni-plugins
+url = "https://github.com/aws/amazon-ecs-agent/archive/v1.101.2/amazon-ecs-agent-1.101.2.tar.gz"
+sha512 = "52e0f247f8647190282d45080fc5d66ae0526a665e9533ef3cf91d5856d50c144ce4443633b1c9d3814bffc48f68e398d9b0d9b7b720a084bb59003b73c21de9"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

packages/ecs-agent/ecs-agent.spec

@@ -2,10 +2,10 @@
 %global agent_gorepo amazon-ecs-agent
 %global agent_goimport %{agent_goproject}/%{agent_gorepo}
 
-%global agent_gover 1.91.2
+%global agent_gover 1.101.2
 
 # git rev-parse --short=8
-%global agent_gitrev b7e96508
+%global agent_gitrev a686342f
 
 # Construct reproducible tar archives
 # See https://reproducible-builds.org/docs/archives/
@@ -58,6 +58,9 @@ Patch0005: 0005-bottlerocket-change-execcmd-directories-for-Bottlero.patch
 # Bottlerocket-specific - fix container metadata path
 Patch0006: 0006-containermetadata-don-t-use-dataDirOnHost-for-metada.patch
 
+# Fix FIPS + custom endpoint conflict in SDK v2
+Patch0007: 0007-fix-ecr-fips-endpoint-conflict.patch
+
 BuildRequires: %{_cross_os}glibc-devel
 
 Requires: %{_cross_os}docker-engine