Add Artifact Registry setup for external container images

dcmcand · dcmcand · commit c4021ac37aa8 · 2025-08-05T13:57:25.000+02:00
- Create one-time setup script for Artifact Registry remote repository
- Document the setup process and usage instructions
- Update dev example to use Artifact Registry URL pattern
- Add app_image_tag variable for flexible image versioning
- Fix script to use correct gcloud syntax with custom upstream URL
- Successfully created quay-remote repository in vor-infra-sz9k project
diff --git a/cloud-run.tf b/cloud-run.tf
@@ -24,7 +24,7 @@ resource "google_cloud_run_service" "main_app" {
       timeout_seconds      = 300
 
       containers {
-        image = var.app_image
+        image = "${var.app_image}:${var.app_image_tag}"
 
         ports {
           container_port = var.app_port
diff --git a/docs/ARTIFACT_REGISTRY_SETUP.md b/docs/ARTIFACT_REGISTRY_SETUP.md
@@ -0,0 +1,114 @@
+# Artifact Registry Setup for External Container Images
+
+## Overview
+
+Google Cloud Run now restricts container image sources to:
+- `gcr.io` (Google Container Registry)
+- `*.docker.pkg.dev` (Artifact Registry)
+- `docker.io` (Docker Hub)
+
+To use images from other registries like `quay.io`, you must set up an Artifact Registry remote repository that acts as a proxy.
+
+## One-Time Setup
+
+This setup only needs to be done once per GCP project.
+
+### Option 1: Using the Setup Script
+
+1. Run the provided setup script:
+   ```bash
+   cd scripts
+   PROJECT_ID=your-project-id ./setup-artifact-registry.sh
+   ```
+
+2. The script will:
+   - Enable the Artifact Registry API
+   - Create a remote repository named `quay-remote`
+   - Configure it to proxy quay.io
+
+### Option 2: Manual Setup
+
+1. Enable the Artifact Registry API:
+   ```bash
+   gcloud services enable artifactregistry.googleapis.com
+   ```
+
+2. Create the remote repository:
+   ```bash
+   gcloud artifacts repositories create quay-remote \
+     --repository-format=docker \
+     --mode=remote-repository \
+     --location=us-central1 \
+     --description="Remote repository for quay.io images" \
+     --remote-docker-repo=https://quay.io
+   ```
+
+## Using the Remote Repository
+
+After setup, you need to update your image URLs:
+
+### Original Image URL
+```
+quay.io/reiemp/hrafnar:latest
+```
+
+### New Image URL
+```
+us-central1-docker.pkg.dev/YOUR_PROJECT_ID/quay-remote/reiemp/hrafnar:latest
+```
+
+### In Terraform
+
+Update your module configuration:
+
+```hcl
+module "hrafnar_deploy" {
+  source = "../.."
+  
+  project_id    = "your-project-id"
+  name_prefix   = "my-app"
+  app_image     = "us-central1-docker.pkg.dev/your-project-id/quay-remote/reiemp/hrafnar"
+  app_image_tag = "latest"
+  
+  # ... other configuration
+}
+```
+
+## Testing
+
+To verify the setup works:
+
+1. Test pulling an image through the remote repository:
+   ```bash
+   docker pull us-central1-docker.pkg.dev/YOUR_PROJECT_ID/quay-remote/reiemp/hrafnar:latest
+   ```
+
+2. Deploy to Cloud Run:
+   ```bash
+   gcloud run deploy test-app \
+     --image=us-central1-docker.pkg.dev/YOUR_PROJECT_ID/quay-remote/reiemp/hrafnar:latest \
+     --region=us-central1
+   ```
+
+## Troubleshooting
+
+### Authentication Issues
+If the quay.io repository requires authentication:
+1. Store credentials in Secret Manager
+2. Configure the remote repository with authentication:
+   ```bash
+   gcloud artifacts repositories update quay-remote \
+     --location=us-central1 \
+     --remote-username=YOUR_USERNAME \
+     --remote-password-secret-version=projects/PROJECT_ID/secrets/quay-password/versions/latest
+   ```
+
+### Image Not Found
+- Verify the original image exists on quay.io
+- Check that the repository path is correct
+- Ensure the Artifact Registry API is enabled
+
+### Performance
+- First pull will be slower as it fetches from quay.io
+- Subsequent pulls use the cached version in Artifact Registry
+- Configure cleanup policies to manage storage costs
diff --git a/examples/dev/main.tf b/examples/dev/main.tf
@@ -31,7 +31,10 @@ module "hrafnar_deploy" {
   # Required variables
   project_id  = var.project_id
   name_prefix = var.name_prefix
-  app_image   = "quay.io/reiemp/hrafnar:latest"
+  # For quay.io images, use Artifact Registry remote repository
+  # See docs/ARTIFACT_REGISTRY_SETUP.md for one-time setup instructions
+  app_image     = "${var.region}-docker.pkg.dev/${var.project_id}/quay-remote/reiemp/hrafnar"
+  app_image_tag = "latest"
 
   # Production configuration
   region     = var.region
diff --git a/scripts/setup-artifact-registry.sh b/scripts/setup-artifact-registry.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# One-time setup script for Artifact Registry remote repository
+# This enables Cloud Run to pull images from quay.io
+
+set -e
+
+# Default values
+PROJECT_ID="${PROJECT_ID:-}"
+REGION="${REGION:-us-central1}"
+REPOSITORY_ID="quay-remote"
+
+# Check if PROJECT_ID is set
+if [ -z "$PROJECT_ID" ]; then
+    echo "Error: PROJECT_ID environment variable must be set"
+    echo "Usage: PROJECT_ID=your-project-id ./setup-artifact-registry.sh"
+    exit 1
+fi
+
+echo "Setting up Artifact Registry remote repository for quay.io..."
+echo "Project ID: $PROJECT_ID"
+echo "Region: $REGION"
+echo "Repository ID: $REPOSITORY_ID"
+
+# Enable required APIs
+echo "Enabling Artifact Registry API..."
+gcloud services enable artifactregistry.googleapis.com --project="$PROJECT_ID"
+
+# Check if repository already exists
+if gcloud artifacts repositories describe "$REPOSITORY_ID" --location="$REGION" --project="$PROJECT_ID" &>/dev/null; then
+    echo "Repository $REPOSITORY_ID already exists in $REGION"
+else
+    echo "Creating Artifact Registry remote repository..."
+    gcloud artifacts repositories create "$REPOSITORY_ID" \
+        --repository-format=docker \
+        --mode=remote-repository \
+        --location="$REGION" \
+        --description="Remote repository for quay.io images" \
+        --remote-docker-repo=https://quay.io \
+        --project="$PROJECT_ID"
+    
+    echo "Repository created successfully!"
+fi
+
+echo ""
+echo "Setup complete! You can now use images from quay.io through Artifact Registry."
+echo ""
+echo "To use an image from quay.io, replace the registry URL:"
+echo "  Original: quay.io/reiemp/hrafnar:latest"
+echo "  New:      ${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY_ID}/reiemp/hrafnar:latest"
+echo ""
+echo "Example in Terraform:"
+echo "  app_image = \"${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY_ID}/reiemp/hrafnar\""
+echo "  app_image_tag = \"latest\""
diff --git a/variables.tf b/variables.tf
@@ -83,10 +83,16 @@ variable "database_log_retention_days" {
 
 # Application Configuration
 variable "app_image" {
-  description = "Container image for the hrafnar application"
+  description = "Container image for the hrafnar application (without tag)"
   type        = string
 }
 
+variable "app_image_tag" {
+  description = "Container image tag"
+  type        = string
+  default     = "latest"
+}
+
 variable "app_port" {
   description = "Port the application listens on"
   type        = number
