From c057d3016b1f99c5fd2f0cd7d1e9d75316b371eb Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Thu, 24 Aug 2023 17:21:35 -0400
Subject: [PATCH] image-copy-X: improve READMEs

Signed-off-by: Jason Hall
---
 image-copy-ecr/README.md | 45 ++++++++++++++++++++--------------------
 image-copy-gcr/README.md | 21 +++++++++++++++++--
 2 files changed, 42 insertions(+), 24 deletions(-)

diff --git a/image-copy-ecr/README.md b/image-copy-ecr/README.md
index bccc23e..43a613b 100644
--- a/image-copy-ecr/README.md
+++ b/image-copy-ecr/README.md
@@ -2,6 +2,28 @@
 
 This sets up a Lambda function to listen for `registry.push` events to a private Chainguard Registry group, and mirrors those new images to a repository in Elastic Container Registry.
 
+### Usage
+
+You can use this terraform module to deploy this integration by instantiating
+it like this:
+
+```
+module "image-copy" {
+ source = "github.com/chainguard-dev/enforce-events//image-copy-ecr/iac"
+
+ # The Chainguard IAM group from which we expect to receive events.
+ # This is used to authenticate that the Chainguard events are intended
+ # for you, and not another user.
+ # Images pushed to repos under this group will be mirrored to Artifact Registry.
+ group = ""
+
+ # This is the location in ECR where images will be mirrored.
+ # For example: pushes to cgr.dev//foo:1.2.3 will be mirrored to
+ # .dkr.ecr..amazonaws.com//foo:1.2.3
+ dst_repo = "mirrored/images"
+}
+```
+
 The Terraform does everything:
 
 - builds the mirroring app into an image using `ko_build`
@@ -10,7 +32,7 @@ The Terraform does everything:
 - allows the Lambda function to assume the puller identity and push to ECR
 - sets up a subscription to notify the Lambda function when pushes happen to cgr.dev
 
-## Setup
+### Setup
 
 ```sh
 aws sso login --profile my-profile
@@ -19,8 +41,6 @@ terraform init
 terraform apply
 ```
 
-This will prompt for a group ID and destination repo, and show you the resources it will create.
-
 When the resources are created, any images that are pushed to your group will be mirrored to the ECR repository.
 
 The Lambda function has minimal permissions: it's only allowed to push images to the destination repo and its sub-repos.
@@ -28,22 +48,3 @@ The Lambda function has minimal permissions: it's only allowed to push images to
 The Chainguard identity also has minimal permissions: it only has permission to pull from the source repo.
 
 To tear down resources, run `terraform destroy`.
-
-## Demo
-
-After setting up the infrastructure as described above:
-
-```sh
-crane cp random.kontain.me/random cgr.dev//random:hello-demo
-```
-
-This pulls a randomly generated image from `kontain.me` and pushes it to your private registry.
-
-The Lambda function you set up will fire and copy the image to ECR. A few seconds later:
-
-```sh
-crane ls .dkr.ecr..amazonaws.com//random
-hello-demo
-```
-
-It worked! 🎉
diff --git a/image-copy-gcr/README.md b/image-copy-gcr/README.md
index e38fc2b..5fc0285 100644
--- a/image-copy-gcr/README.md
+++ b/image-copy-gcr/README.md
@@ -28,8 +28,8 @@ module "image-copy" {
 group = ""
 
 # This is the location in Artifact Registry where images will be mirrored.
- # For example: pushes to cgr.dev//foo will be mirrored to
- # -docker.pkg.dev///foo.
+ # For example: pushes to cgr.dev//foo:1.2.3 will be mirrored to
+ # -docker.pkg.dev///foo:1.2.3
 dst_repo = "mirrored/images"
 
 # Location of the Artifact Registry repository, and the Cloud Run subscriber.
@@ -46,3 +46,20 @@ The Terraform does everything:
 - sets up a Chainguard Identity with permissions to pull from the private cgr.dev repo
 - allows the Cloud Run service's SA to assume the puller identity
 - sets up a subscription to notify the Cloud Run service when pushes happen to cgr.dev
+
+### Setup
+
+```sh
+gcloud auth application-default login
+chainctl auth login
+terraform init
+terraform apply
+```
+
+When the resources are created, any images that are pushed to your group will be mirrored to the GCR repository.
+
+The Cloud Run app has minimal permissions: it's only allowed to push images.
+
+The Chainguard identity also has minimal permissions: it only has permission to pull from the source repo.
+
+To tear down resources, run `terraform destroy`.