Allow users to configure DockerHub for use with containers (#11332)

Author: nikitassharma

.changeset/breezy-groups-warn.md

@@ -0,0 +1,21 @@
+---
+"@cloudflare/containers-shared": patch
+"wrangler": minor
+---
+
+Users are now able to configure DockerHub credentials and have containers reference images stored there.
+
+DockerHub can be configured as follows:
+
+```sh
+echo $PAT_TOKEN | npx wrangler@latest containers registries configure docker.io --dockerhub-username=user --secret-name=DockerHub_PAT_Token
+```
+
+Containers can then specify an image from DockerHub in their `wrangler.jsonc` as follows:
+
+```jsonc
+"containers": {
+  "image": "docker.io/namespace/image:tag",
+  ...
+}
+```

packages/containers-shared/src/client/index.ts

@@ -97,6 +97,7 @@ export type { EnvironmentVariableValue } from "./models/EnvironmentVariableValue
 export { EventName } from "./models/EventName";
 export { EventType } from "./models/EventType";
 export type { ExecFormParam } from "./models/ExecFormParam";
+export { ExternalRegistryKind } from "./models/ExternalRegistryKind";
 export type { GenericErrorDetails } from "./models/GenericErrorDetails";
 export type { GenericErrorResponseWithRequestID } from "./models/GenericErrorResponseWithRequestID";
 export type { GenericMessageResponse } from "./models/GenericMessageResponse";
@@ -105,6 +106,7 @@ export type { GetPlacementError } from "./models/GetPlacementError";
 export { HTTPMethod } from "./models/HTTPMethod";
 export type { Identity } from "./models/Identity";
 export type { Image } from "./models/Image";
+export type { ImageRegistryAuth } from "./models/ImageRegistryAuth";
 export { ImageRegistryAlreadyExistsError } from "./models/ImageRegistryAlreadyExistsError";
 export type { ImageRegistryCredentialsConfiguration } from "./models/ImageRegistryCredentialsConfiguration";
 export { ImageRegistryIsPublic } from "./models/ImageRegistryIsPublic";
@@ -190,6 +192,7 @@ export type { SecretMetadata } from "./models/SecretMetadata";
 export type { SecretName } from "./models/SecretName";
 export { SecretNameAlreadyExists } from "./models/SecretNameAlreadyExists";
 export { SecretNotFound } from "./models/SecretNotFound";
+export type { SecretsStoreRef } from "./models/SecretsStoreRef";
 export type { SSHPublicKey } from "./models/SSHPublicKey";
 export type { SSHPublicKeyID } from "./models/SSHPublicKeyID";
 export type { SSHPublicKeyItem } from "./models/SSHPublicKeyItem";

packages/containers-shared/src/client/models/CustomerImageRegistry.ts

@@ -2,8 +2,11 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { DefaultImageRegistryKind } from "./DefaultImageRegistryKind";
 import type { Domain } from "./Domain";
+import type { ExternalRegistryKind } from "./ExternalRegistryKind";
 import type { ISO8601Timestamp } from "./ISO8601Timestamp";
+import type { SecretsStoreRef } from "./SecretsStoreRef";
 
 /**
  * An image registry added in a customer account
@@ -13,6 +16,11 @@ export type CustomerImageRegistry = {
 	 * A base64 representation of the public key that you can set to configure the registry. If null, the registry is public and doesn't have authentication setup with Cloudchamber
 	 */
 	public_key?: string;
+	private_credential?: SecretsStoreRef;
 	domain: Domain;
+	/**
+	 * The type of registry that is being configured.
+	 */
+	kind?: ExternalRegistryKind | DefaultImageRegistryKind;
 	created_at: ISO8601Timestamp;
 };

packages/containers-shared/src/client/models/DefaultImageRegistryKind.ts

@@ -0,0 +1,7 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+export enum DefaultImageRegistryKind {
+	DEFAULT = "default",
+}

packages/containers-shared/src/client/models/ExternalRegistryKind.ts

@@ -7,4 +7,5 @@
  */
 export enum ExternalRegistryKind {
 	ECR = "ECR",
+	DOCKER_HUB = "DockerHub",
 }

packages/containers-shared/src/client/models/ImageRegistryNotAllowedError.ts

@@ -3,11 +3,11 @@
 /* eslint-disable */
 
 /**
- * The registry is not allowed to be added
+ * The registry is not allowed to be modified
  */
 export type ImageRegistryNotAllowedError = {
 	/**
-	 * The domain of the registry is not allowed to be added
+	 * The domain of the registry is not allowed to be modified
 	 */
 	error: ImageRegistryNotAllowedError.error;
 	/**
@@ -18,7 +18,7 @@ export type ImageRegistryNotAllowedError = {
 
 export namespace ImageRegistryNotAllowedError {
 	/**
-	 * The domain of the registry is not allowed to be added
+	 * The domain of the registry is not allowed to be modified
 	 */
 	export enum error {
 		IMAGE_REGISTRY_NOT_ALLOWED = "IMAGE_REGISTRY_NOT_ALLOWED",

packages/containers-shared/src/images.ts

@@ -259,6 +259,12 @@ export const getAndValidateRegistryType = (domain: string): RegistryPattern => {
 			name: "AWS ECR",
 			secretType: "AWS Secret Access Key",
 		},
+		{
+			type: ExternalRegistryKind.DOCKER_HUB,
+			pattern: /^docker\.io$/,
+			name: "DockerHub",
+			secretType: "DockerHub PAT Token",
+		},
 		{
 			type: "cloudflare",
 			// Make a regex based on the env var CLOUDFLARE_CONTAINER_REGISTRY

packages/wrangler/src/__tests__/containers/config.test.ts

@@ -708,7 +708,7 @@ describe("getNormalizedContainerOptions", () => {
 				containers: [
 					{
 						class_name: "TestContainer",
-						image: "docker.io/test:latest",
+						image: "unsupported.domain/test:latest",
 						instance_type: "standard",
 						name: "test-container",
 						max_instances: 3,
@@ -727,7 +727,7 @@ describe("getNormalizedContainerOptions", () => {
 			const result = await getNormalizedContainerOptions(config, {});
 			expect(result).toHaveLength(1);
 			expect(result[0]).toMatchObject({
-				image_uri: "docker.io/test:latest",
+				image_uri: "unsupported.domain/test:latest",
 			});
 		});
 		it("should not try and add an account id to non containers registry uris", async () => {

packages/wrangler/src/__tests__/containers/registries.test.ts

@@ -19,6 +19,33 @@ import { useMockStdin } from "../helpers/mock-stdin";
 import { createFetchResult, msw } from "../helpers/msw";
 import { runWrangler } from "../helpers/run-wrangler";
 
+describe("containers registries --help", () => {
+	const std = mockConsoleMethods();
+
+	it("should help", async () => {
+		await runWrangler("containers registries --help");
+		expect(std.out).toMatchInlineSnapshot(`
+			"wrangler containers registries
+
+			Configure and manage non-Cloudflare registries [open beta]
+
+			COMMANDS
+			  wrangler containers registries configure <DOMAIN>    Configure credentials for a non-Cloudflare container registry [open beta]
+			  wrangler containers registries list                  List all configured container registries [open beta]
+			  wrangler containers registries delete <DOMAIN>       Delete a configured container registry [open beta]
+			  wrangler containers registries credentials [DOMAIN]  Get a temporary password for a specific domain [open beta]
+
+			GLOBAL FLAGS
+			  -c, --config    Path to Wrangler configuration file  [string]
+			      --cwd       Run as if Wrangler was started in the specified directory instead of the current working directory  [string]
+			  -e, --env       Environment to use for operations, and for selecting .env and .dev.vars files  [string]
+			      --env-file  Path to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files  [array]
+			  -h, --help      Show help  [boolean]
+			  -v, --version   Show version number  [boolean]"
+		`);
+	});
+});
+
 describe("containers registries configure", () => {
 	const { setIsTTY } = useMockIsTTY();
 	const cliStd = mockCLIOutput();
@@ -31,15 +58,14 @@ describe("containers registries configure", () => {
 	afterEach(() => {
 		clearDialogs();
 	});
-
 	it("should reject unsupported registry domains", async () => {
 		await expect(
 			runWrangler(
-				`containers registries configure docker.io --public-credential=test-id`
+				`containers registries configure unsupported.domain --public-credential=test-id`
 			)
 		).rejects.toThrowErrorMatchingInlineSnapshot(`
-			[Error: docker.io is not a supported image registry.
-			Currently we support the following non-Cloudflare registries: AWS ECR.
+			[Error: unsupported.domain is not a supported image registry.
+			Currently we support the following non-Cloudflare registries: AWS ECR, DockerHub.
 			To use an existing image from another repository, see https://developers.cloudflare.com/containers/platform-details/image-management/#using-pre-built-container-images]
 		`);
 	});
@@ -81,15 +107,37 @@ describe("containers registries configure", () => {
 		);
 	});
 
+	it("should enforce mutual exclusivity for public credential arguments", async () => {
+		await expect(
+			runWrangler(`containers registries configure docker.io`)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Missing required argument: dockerhub-username]`
+		);
+
+		await expect(
+			runWrangler(
+				`containers registries configure 123456789012.dkr.ecr.region.amazonaws.com`
+			)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Missing required argument: aws-access-key-id]`
+		);
+
+		await expect(
+			runWrangler(
+				`containers registries configure docker.io --public-credential=test-id --dockerhub-username=another-test-id`
+			)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Arguments public-credential and dockerhub-username are mutually exclusive]`
+		);
+	});
+
 	it("should no-op on cloudflare registry (default)", async () => {
 		await runWrangler(
-			`containers registries configure registry.cloudflare.com --public-credential=test-id`
+			`containers registries configure registry.cloudflare.com`
 		);
 		expect(cliStd.stdout).toMatchInlineSnapshot(`
 			"╭ Configure a container registry
 			│
-			│ Configuring Cloudflare Containers Managed Registry registry: registry.cloudflare.com
-			│
 			│ You do not need to configure credentials for Cloudflare managed registries.
 			│
 			╰ No configuration required
@@ -406,6 +454,95 @@ describe("containers registries configure", () => {
 			});
 		});
 	});
+
+	describe("DockerHub registry configuration", () => {
+		it("should configure DockerHub registry with interactive prompts", async () => {
+			setIsTTY(true);
+			const dockerHubDomain = "docker.io";
+			const storeId = "test-store-id-123";
+			mockPrompt({
+				text: "Enter DockerHub PAT Token:",
+				options: { isSecret: true },
+				result: "test-pat-token",
+			});
+			mockPrompt({
+				text: "Secret name:",
+				options: { isSecret: false, defaultValue: "DockerHub_PAT_Token" },
+				result: "DockerHub_PAT_Token",
+			});
+
+			mockListSecretStores([
+				{
+					id: storeId,
+					account_id: "some-account-id",
+					name: "Default",
+					created: "2024-01-01T00:00:00Z",
+					modified: "2024-01-01T00:00:00Z",
+				},
+			]);
+			mockListSecrets(storeId, []);
+			mockCreateSecret(storeId);
+			mockPutRegistry({
+				domain: "docker.io",
+				is_public: false,
+				auth: {
+					public_credential: "cloudchambertest",
+					private_credential: {
+						store_id: storeId,
+						secret_name: "DockerHub_PAT_Token",
+					},
+				},
+				kind: "DockerHub",
+			});
+
+			await runWrangler(
+				`containers registries configure ${dockerHubDomain} --dockerhub-username=cloudchambertest`
+			);
+
+			expect(cliStd.stdout).toContain("Using existing Secret Store Default");
+		});
+
+		describe("non-interactive", () => {
+			beforeEach(() => {
+				setIsTTY(false);
+			});
+			const dockerHubDomain = "docker.io";
+			const mockStdIn = useMockStdin({ isTTY: false });
+
+			it("should accept the secret from piped input", async () => {
+				const secret = "example-pat-token";
+				const storeId = "test-store-id-999";
+
+				mockStdIn.send(secret);
+				mockListSecretStores([
+					{
+						id: storeId,
+						account_id: "some-account-id",
+						name: "Default",
+						created: "2024-01-01T00:00:00Z",
+						modified: "2024-01-01T00:00:00Z",
+					},
+				]);
+				mockListSecrets(storeId, []);
+				mockCreateSecret(storeId);
+				mockPutRegistry({
+					domain: dockerHubDomain,
+					is_public: false,
+					auth: {
+						public_credential: "cloudchambertest",
+						private_credential: {
+							store_id: storeId,
+							secret_name: "DockerHub_PAT_Token",
+						},
+					},
+					kind: "DockerHub",
+				});
+				await runWrangler(
+					`containers registries configure ${dockerHubDomain} --public-credential=cloudchambertest --secret-name=DockerHub_PAT_Token`
+				);
+			});
+		});
+	});
 });
 
 describe("containers registries list", () => {