containers: add documentation for using external image registries (cloudflare#26364)

Adds documentation to configure ECR registries for use with containers.
After setting up the registry, users will be able to use ECR images in their `wrangler.jsonc` as follows:

```json
"containers": {
  "class_name": "MyECRContainer"
  "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/image:tag"
}
```

Author: nikitassharma

src/content/docs/containers/platform-details/image-management.mdx

@@ -41,16 +41,11 @@ This is not necessary if you are using a pre-built image, as described below.
 
 ## Using pre-built container images
 
-Currently, all images must use `registry.cloudflare.com`.
+Currently, we support images stored in the Cloudflare managed registry at `registry.cloudflare.com` and in [Amazon ECR](https://aws.amazon.com/ecr/).
+Support for additional external registries is coming soon.
 
-:::note
-We plan to allow other image registries. Cloudflare will download your image, optionally using auth credentials,
-then cache it globally in the Cloudflare Registry.
-
-This is not yet available.
-:::
-
-If you wish to use a pre-built image, first, make sure it exists locally, then push it to the Cloudflare Registry:
+If you wish to use a pre-built image from another registry provider, first, make sure it exists locally, then
+push it to the Cloudflare Registry:
 
 ```
 docker pull <public-image>
@@ -88,6 +83,65 @@ This will output an image registry URI that you can then use in your Wrangler co
 
 </WranglerConfig>
 
+### Using Amazon ECR container images
+
+To use container images stored in [Amazon ECR](https://aws.amazon.com/ecr/), you will need to configure the ECR registry domain with credentials.
+These credentials get stored in [Secrets Store](/secrets-store) under the `containers` scope.
+When we prepare your container, these credentials will be used to generate an ephemeral token that can pull your image.
+We do not currently support public ECR images.
+To generate the necessary credentials for ECR, you will need to create an IAM user with a read-only policy.
+The following example grants access to all image repositories under AWS account `123456789012` in `us-east-1`.
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": ["ecr:GetAuthorizationToken"],
+			"Effect": "Allow",
+			"Resource": "*"
+		},
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ecr:BatchCheckLayerAvailability",
+				"ecr:GetDownloadUrlForLayer",
+				"ecr:BatchGetImage"
+			],
+			// arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
+			"Resource": [
+				"arn:aws:ecr:us-east-1:123456789012:repository/*"
+				// "arn:aws:ecr:us-east-1:123456789012:repository/example-repo"
+			]
+		}
+	]
+}
+```
+
+You can then use the credentials for the IAM User to [configure a registry in Wrangler](/workers/wrangler/commands/#containers-registries).
+Wrangler will prompt you to create a Secrets Store store if one does not already exist, and then create your secret.
+
+<PackageManagers
+	type="exec"
+	pkg="wrangler"
+	args="containers registries configure 123456789012.dkr.ecr.us-east-1.amazonaws.com --aws-access-key-id=AKIAIOSFODNN7EXAMPLE"
+/>
+
+Once this is setup, you will be able to use ECR images in your wrangler config.
+
+<WranglerConfig>
+
+```json
+{
+	"containers": {
+		"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/example-repo:tag"
+		// ...rest of config...
+	}
+}
+```
+
+</WranglerConfig>
+
 :::note
 Currently, the Cloudflare Vite-plugin does not support registry links in local development, unlike `wrangler dev`.
 As a workaround, you can create a minimal Dockerfile that uses `FROM <registry-link>`. Make sure to `EXPOSE` a port in local dev as well.

src/content/partials/workers/wrangler-commands/containers.mdx

@@ -67,6 +67,67 @@ wrangler containers images delete [IMAGE] [OPTIONS]
 - `IMAGE` <Type text="string" /> <MetaInfo text="required" />
   - Image to delete of the form `IMAGE:TAG`
 
+<AnchorHeading title="`registries`" slug="containers-registries" depth={3} />
+
+Configure and view registries available to your container.
+[Read more](/containers/platform-details/image-management/#using-amazon-ecr-container-images) about our currently supported external registries.
+
+<AnchorHeading
+	title="`registries list`"
+	slug="containers-registries-list"
+	depth={4}
+/>
+
+List registries your containers are able to use.
+
+```txt
+wrangler containers registries list [OPTIONS]
+```
+
+- `--json` <Type text="boolean" /> <MetaInfo text="optional" />
+  - Return output as clean JSON.
+  - Default: false
+
+<AnchorHeading
+	title="`registries configure`"
+	slug="containers-registries-configure"
+	depth={4}
+/>
+
+Configure a new registry for your account.
+
+```txt
+wrangler containers registries configure [DOMAIN] [OPTIONS]
+```
+
+- `DOMAIN` <Type text="string" /> <MetaInfo text="required" />
+  - domain to configre for the registry
+- `--public-credential` <Type text="string" /> <MetaInfo text="required" />
+  - The public part of the registry credentials, e.g. `AWS_ACCESS_KEY_ID` for ECR
+- `--secret-store-id` <Type text="string" /> <MetaInfo text="optional" />
+  - The ID of the secret store to use to store the registry credentials
+- `--secret-name` <Type text="string" /> <MetaInfo text="optional" />
+  - The name Wrangler should store the registry credentials under
+
+When run interactively, wrangler will prompt you for your secret and store it in Secrets Store.
+To run non-interactively, you can send your secret value to wrangler through stdin to have
+the secret created for you.
+
+<AnchorHeading
+	title="`registries delete`"
+	slug="containers-registries-delete"
+	depth={4}
+/>
+
+Remove a registry configuration from your account.
+
+```txt
+wrangler containers registries delete [DOMAIN] [OPTIONS]
+```
+
+- `DOMAIN` <Type text="string" /> <MetaInfo text="required" />
+  - domain of the registry to delete
+
 <AnchorHeading title="`info`" slug="containers-info" depth={3} />
 
 Get information about a specific Container, including top-level details and a list of instances.