From 52ec50cb795c664b4c069e06ccec839f79dca049 Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Wed, 26 Jun 2024 11:39:06 -0400 Subject: [PATCH] add docs/example for Artifact Registry pull-through cache (#208) Signed-off-by: Jason Hall --- gcp-artifact-registry/README.md | 55 +++++++++++++++++++++ gcp-artifact-registry/main.tf | 88 +++++++++++++++++++++++++++++++++ 2 files changed, 143 insertions(+) create mode 100644 gcp-artifact-registry/README.md create mode 100644 gcp-artifact-registry/main.tf diff --git a/gcp-artifact-registry/README.md b/gcp-artifact-registry/README.md new file mode 100644 index 0000000..de777f0 --- /dev/null +++ b/gcp-artifact-registry/README.md @@ -0,0 +1,55 @@ +# Configuring Google Artifact Registry Pull-Through Cache for cgr.dev + +This directory contains Terraform resources to configure a [Google Artifact Registry remote repository](https://cloud.google.com/artifact-registry/docs/repositories/remote-repo) for a private `cgr.dev` registry, using a [Pull Token](https://edu.chainguard.dev/chainguard/chainguard-registry/authenticating/#authenticating-with-a-pull-token). + +First, create a pull token for your organization: + +``` +chainctl auth configure-docker --pull-token +``` + +This will print a `docker login` command that you can use to authenticate with the pull token. For example: + +``` +To use this pull token in another environment, run this command: + + docker login "cgr.dev" --username "abcdef11e47a927f78ffa39cd6393f4a83ec6eb7/e3b0123abcdef123" --password "eyJh...krglE" +``` + +We'll use this username and password to configure the pull-through cache in Terraform. + +Next, `terraform init` and `terraform apply` the configuration in this directory: + +``` +terraform apply +``` + +This will prompt for your GCP project, and the Chainguard pull token `username` and `password`. + +When Terraform is done creating resources, it will print the remote repo URLs that were created. + +``` +repos = [ + "us-east4-docker.pkg.dev/my-cool-project/remote", +] +``` + +You can now pull through these URLs to pull images from the `cgr.dev` registry. + +Simply append your Chainguard organization name and repo name to the URL, and use it as a remote repo URL. + +``` +docker pull us-east4-docker.pkg.dev/my-cool-project/remote/customer.biz/image:latest +latest: Pulling from my-cool-project/remote/customer.biz/image +6cdb74e61124: Downloading [====> ] 18.21MB/224.2MB +``` + +You can configure Terraform to set up resources in other regions, or with other names, by updating these variables: + +``` +TF_VAR_regions="['us-central1']" TF_VAR_repo="custom" terraform apply +... +repos = [ + "us-central1-docker.pkg.dev/my-cool-project/custom", +] +``` diff --git a/gcp-artifact-registry/main.tf b/gcp-artifact-registry/main.tf new file mode 100644 index 0000000..4d92d43 --- /dev/null +++ b/gcp-artifact-registry/main.tf @@ -0,0 +1,88 @@ +variable "project" { + type = string + description = "The GCP project ID" +} + +variable "repo" { + type = string + description = "The GCP Artifact Registry repository name" + default = "remote" +} + +variable "regions" { + type = list(string) + description = "The GCP regions to deploy to" + default = ["us-east4"] +} + +variable "username" { + type = string + description = "Username for the cgr.dev pull token" +} + +variable "password" { + sensitive = true + type = string + description = "Password for the cgr.dev pull token" +} + +provider "google" { + project = var.project +} + +resource "google_secret_manager_secret" "pull-token" { + secret_id = "pull-token" + replication { + auto {} + } +} + +resource "google_secret_manager_secret_version" "pull-token" { + secret = google_secret_manager_secret.pull-token.name + secret_data = var.password +} + +resource "google_artifact_registry_repository" "repo" { + for_each = toset(var.regions) + + location = each.key + repository_id = var.repo + description = "Remote Chainguard Images repository" + format = "DOCKER" + mode = "REMOTE_REPOSITORY" + remote_repository_config { + description = "chainguard" + + // The password won't be populated at first, so we need to disable + // validating the token at repo-creation time. + disable_upstream_validation = true + + docker_repository { + custom_repository { + uri = "https://cgr.dev" + } + } + + upstream_credentials { + username_password_credentials { + username = var.username + password_secret_version = google_secret_manager_secret_version.pull-token.name + } + } + } +} + +data "google_project" "project" {} + +locals { project-number = data.google_project.project.number } + +// Give the AR service account the ability to read the secret. +resource "google_secret_manager_secret_iam_member" "reader" { + secret_id = google_secret_manager_secret.pull-token.id + role = "roles/secretmanager.secretAccessor" + member = "serviceAccount:service-${local.project-number}@gcp-sa-artifactregistry.iam.gserviceaccount.com" +} + +output "repos" { + value = [for r in var.regions : "${google_artifact_registry_repository.repo[r].location}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.repo[r].name}"] +}