add npx wrangler containers registry commands (#10605)

* add containers registry put command

* changeset

* call api

* add list and delete commands

* PR feedback and fixups

* more review fixups

* pr feedback

* unhide containers command

* pr feedback

* Update packages/wrangler/src/__tests__/containers/registries.test.ts

Co-authored-by: Pete Bacon Darwin <[email protected]>

* wip: secret store rework

* pr feedback and tests

* update api shape

* pr feedback

* mark containers commands as in open beta

---------

Co-authored-by: Pete Bacon Darwin <[email protected]>

Author: emily-shen

.changeset/rare-bushes-prove.md

@@ -0,0 +1,8 @@
+---
+"@cloudflare/containers-shared": patch
+"wrangler": patch
+---
+
+Add command to configure credentials for non-Cloudflare container registries
+
+Note this is a closed/experimental command that will not work without the appropriate account-level capabilities.

packages/containers-shared/src/client/models/CreateImageRegistryRequestBody.ts

@@ -3,17 +3,18 @@
 /* eslint-disable */
 
 import type { Domain } from "./Domain";
+import type { ExternalRegistryKind } from "./ExternalRegistryKind";
+import type { ImageRegistryAuth } from "./ImageRegistryAuth";
 
 /**
  * Request body for creating a new image registry configuration
  */
 export type CreateImageRegistryRequestBody = {
-	/**
-	 * The domain of the registry. It shouldn't contain the proto part of the domain, for example 'domain.com' is allowed, 'https://domain.com' is not
-	 */
 	domain: Domain;
 	/**
 	 * If you own the registry and is private, this should be false or not defined. If it's a public registry like docker.io, you should set this to true
 	 */
 	is_public?: boolean;
+	auth?: ImageRegistryAuth;
+	kind?: ExternalRegistryKind;
 };

packages/containers-shared/src/client/models/ExternalRegistryKind.ts

@@ -0,0 +1,10 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * The type of external registry that is being configured.
+ */
+export enum ExternalRegistryKind {
+	ECR = "ECR",
+}

packages/containers-shared/src/client/models/ImageRegistryAuth.ts

@@ -0,0 +1,14 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * A JSON string that encodes the auth required to authenticate with an external image registry. The format of the JSON object is determined by the registry being configured.
+ */
+export type ImageRegistryAuth = {
+	public_credential: string;
+	private_credential: {
+		store_id: string;
+		secret_name: string;
+	};
+};

packages/containers-shared/src/images.ts

@@ -1,10 +1,8 @@
 import { buildImage } from "./build";
+import { ExternalRegistryKind } from "./client/models/ExternalRegistryKind";
 import { UserError } from "./error";
-import {
-	getCloudflareContainerRegistry,
-	isCloudflareRegistryLink,
-} from "./knobs";
-import { dockerLoginManagedRegistry } from "./login";
+import { getCloudflareContainerRegistry } from "./knobs";
+import { dockerLoginImageRegistry } from "./login";
 import { getCloudflareRegistryWithAccountNamespace } from "./registry";
 import {
 	checkExposedPorts,
@@ -18,7 +16,8 @@ export async function pullImage(
 	dockerPath: string,
 	options: Exclude<ContainerDevOptions, DockerfileConfig>
 ): Promise<{ abort: () => void; ready: Promise<void> }> {
-	await dockerLoginManagedRegistry(dockerPath);
+	const domain = new URL(`http://${options.image_uri}`).hostname;
+	await dockerLoginImageRegistry(dockerPath, domain);
 	const pull = runDockerCmd(dockerPath, [
 		"pull",
 		options.image_uri,
@@ -95,12 +94,6 @@ export async function prepareContainerImagesForDev(args: {
 				containerOptions: options,
 			});
 		} else {
-			if (!isCloudflareRegistryLink(options.image_uri)) {
-				throw new UserError(
-					`Image "${options.image_uri}" is a registry link but does not point to the Cloudflare container registry.\n` +
-						`To use an existing image from another repository, see https://developers.cloudflare.com/containers/platform-details/image-management/#using-pre-built-container-images`
-				);
-			}
 			const pull = await pullImage(dockerPath, options);
 			onContainerImagePreparationStart({
 				containerOptions: options,
@@ -173,3 +166,66 @@ export function resolveImageName(accountId: string, image: string): string {
 	// is managed registry and doesn't have the account id,add it to the path
 	return `${url.hostname}/${accountId}${url.pathname}`;
 }
+
+/**
+ * get type of container registry, and validate
+ * currently we support cloudflare managed registries and AWS ECR
+ * when using cloudflare mananged registries we expect CLOUDFLARE_CONTAINER_REGISTRY to be set
+ */
+export const getAndValidateRegistryType = (domain: string): RegistryPattern => {
+	// TODO: use parseImageName when that gets moved to this package
+	if (domain.includes("://")) {
+		throw new Error(
+			`${domain} is invalid:\nImage reference should not include the protocol part (e.g: registry.cloudflare.com rather than https://registry.cloudflare.com)`
+		);
+	}
+	let url: URL;
+	try {
+		url = new URL(`http://${domain}`);
+	} catch (e) {
+		if (e instanceof Error) {
+			throw new Error(`${domain} is invalid:\n${e.message}`);
+		}
+		throw e;
+	}
+
+	const acceptedRegistries: RegistryPattern[] = [
+		{
+			type: ExternalRegistryKind.ECR,
+			pattern: /^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$/,
+			name: "AWS ECR",
+			secretType: "AWS Secret Access Key",
+		},
+		{
+			type: "cloudflare",
+			// Make a regex based on the env var CLOUDFLARE_CONTAINER_REGISTRY
+			pattern: new RegExp(
+				`^${getCloudflareContainerRegistry().replace(/[\\.]/g, "\\$&")}$`
+			),
+			name: "Cloudflare Containers Managed Registry",
+		},
+	];
+
+	const match = acceptedRegistries.find((registry) =>
+		registry.pattern.test(url.hostname)
+	);
+
+	if (!match) {
+		const supportedRegistries = acceptedRegistries
+			.filter((r) => r.type !== "cloudflare")
+			.map((r) => r.name)
+			.join(", ");
+		throw new UserError(
+			`${url.hostname} is not a supported image registry.\nCurrently we support the following non-Cloudflare registries: ${supportedRegistries}.\nTo use an existing image from another repository, see https://developers.cloudflare.com/containers/platform-details/image-management/#using-pre-built-container-images`
+		);
+	}
+
+	return match;
+};
+
+interface RegistryPattern {
+	type: ExternalRegistryKind | "cloudflare";
+	secretType?: string;
+	pattern: RegExp;
+	name: string;
+}

packages/containers-shared/src/knobs.ts

@@ -13,16 +13,6 @@ export const getCloudflareContainerRegistry = () => {
 	);
 };
 
-/**
- * Given a container image that is a registry link, this function
- * returns true if the link points the Cloudflare container registry
- * (defined as per `getCloudflareContainerRegistry` above)
- */
-export function isCloudflareRegistryLink(image: string) {
-	const cfRegistry = getCloudflareContainerRegistry();
-	return image.includes(cfRegistry);
-}
-
 /** Prefixes with the cloudflare-dev namespace. The name should be the container's DO classname, and the tag a build uuid. */
 export const getDevContainerImageName = (name: string, tag: string) => {
 	return `${MF_DEV_CONTAINER_PREFIX}/${name.toLowerCase()}:${tag}`;

packages/containers-shared/src/login.ts

@@ -1,38 +1,31 @@
 import { spawn } from "node:child_process";
 import { ImageRegistriesService, ImageRegistryPermissions } from "./client";
 import { UserError } from "./error";
-import { getCloudflareContainerRegistry } from "./knobs";
 
 /**
- * Gets push and pull credentials for Cloudflare's managed image registry
+ * Gets push and pull credentials for a configured image registry
  * and runs `docker login`, so subsequent image pushes or pulls are
  * authenticated
  */
-export async function dockerLoginManagedRegistry(pathToDocker: string) {
+export async function dockerLoginImageRegistry(
+	pathToDocker: string,
+	domain: string
+) {
 	// how long the credentials should be valid for
 	const expirationMinutes = 15;
 
 	const credentials =
-		await ImageRegistriesService.generateImageRegistryCredentials(
-			getCloudflareContainerRegistry(),
-			{
-				expiration_minutes: expirationMinutes,
-				permissions: [
-					ImageRegistryPermissions.PUSH,
-					ImageRegistryPermissions.PULL,
-				],
-			}
-		);
+		await ImageRegistriesService.generateImageRegistryCredentials(domain, {
+			expiration_minutes: expirationMinutes,
+			permissions: [
+				ImageRegistryPermissions.PUSH,
+				ImageRegistryPermissions.PULL,
+			],
+		});
 
 	const child = spawn(
 		pathToDocker,
-		[
-			"login",
-			"--password-stdin",
-			"--username",
-			"v1",
-			getCloudflareContainerRegistry(),
-		],
+		["login", "--password-stdin", "--username", credentials.username, domain],
 		{ stdio: ["pipe", "inherit", "inherit"] }
 	).on("error", (err) => {
 		throw err;

packages/containers-shared/src/utils.ts

@@ -138,7 +138,6 @@ export const isDockerfile = (
 				`If this is an image registry path, it needs to include at least a tag ':' (e.g: docker.io/httpd:1)`
 		);
 	}
-
 	// validate URL
 	if (image.includes("://")) {
 		throw new UserError(

packages/containers-shared/tests/utils.test.ts

@@ -46,11 +46,12 @@ describe("isDockerfile", () => {
 	});
 
 	it("should error if image registry reference contains the protocol part", async () => {
-		expect(() => isDockerfile("http://example.com/image:tag", undefined))
-			.toThrowErrorMatchingInlineSnapshot(`
-				[Error: The image "http://example.com/image:tag" does not appear to be a valid path to a Dockerfile, or a valid image registry path:
-				Image reference should not include the protocol part (e.g: docker.io/httpd:1, not https://docker.io/httpd:1)]
-			`);
+		expect(() =>
+			isDockerfile("http://registry.cloudflare.com/image:tag", undefined)
+		).toThrowErrorMatchingInlineSnapshot(`
+			[Error: The image "http://registry.cloudflare.com/image:tag" does not appear to be a valid path to a Dockerfile, or a valid image registry path:
+			Image reference should not include the protocol part (e.g: docker.io/httpd:1, not https://docker.io/httpd:1)]
+		`);
 	});
 
 	it("should error if image registry reference does not contain a tag", async () => {