Push container to CSP

Prerequisites

• Prerequisites from Introduction
• The AWS CLI is used for provisioning infrastructure as well as providing login credentials for Terraform.
  • Install AWS CLI
  • Login to AWS CLI

Step 1a: Create repository (AWS CLI)

Using the AWS CLI, create an ECR with the following script:

• <repository-name> represents the name of the container image

aws ecr create-repository --repository-name <repository-name>

• Capture the repositoryUri value from the output.
  • This will be the Docker Tag you apply to images you wish to send to AWS ECR.
  • During a container push, your local AWS credentials will be used for authorization.

Step 1b: Create repository (Terraform)

Related terraform resources

• aws_ecr_repository

The following HCL code can be used to deploy an AWS Container Repository.

resource "aws_ecr_repository" "demo" {
  name                 = "<repository-name>"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

output “repository_url” {
  Value = aws_ecr_repository.demo.repository_url
}

• Capture the repository_url value from the output
  • This will be the Docker Tag you apply to images you wish to send to AWS ECR.
  • During a container push, your local AWS credentials will be used for authorization.

Step 2: Push container to registry (AWS CLI)

• Locate your HCP service principal credentials you created in the Introduction Prerequisites.
  • Assign the values to the environment variables are the top of the script.
• Replace <region> with the region you deployed your Repository into.
• Replace <aws-account-number> with the account number you deployed your Repository into.
• Replace <repository-name> with the name of the Repository you created.
• Switch to the directory that contains your Packer templates and run the following:

## Add Packer credentials to the session
export HCP_CLIENT_ID=<client-id-from-hcp>
export HCP_CLIENT_SECRET=<client-secret-from-hcp>

## Build the container (replace filename with your template filename)
packer build docker-debian-aws.pkr.hcl

## Login to ECR via AWS CLI
aws ecr get-login-password --region <region> | \
docker login --username AWS --password-stdin <aws-account-number>.dkr.ecr.<region>.amazonaws.com

## Push the container to ECR
docker push <aws-account-number>.dkr.ecr.<region>.amazonaws.com/<repository-name>:latest

The image should be pushed into the AWS Repository, and is now available to be consumed by services with permission to pull it.

Prerequisites

• Prerequisites from Introduction
• The Azure CLI is used for provisioning infrastructure as well as providing login credentials for Terraform (Optional).
  • Azure CLI installation instructions
  • Login to Azure CLI

Step 1a: Create repostiory (AZ CLI)

• Using the Azure CLI, the following script will create a container repository.

## Create an Azure Resource Group to hold the Container Registry
az group create --location <region> \
                --name <repository-name>

## Create an Azure Container Registry
az acr create --name <repository-name> \
              --resource-group packer \
              --sku Basic
## Capture the id and loginServer values from the output of the previous command

## Create a Service Principal
az ad sp create-for-rbac --name docker-repository-spn \
                         --role "AcrPush" \
                         --scope "<id-value-from-previous-command>"
## Capture the appId and password from the output of the previous command. These will 
## be used to login to the container registry.

• Capture the id and loginServer values from the output of the second command.
• Capture the appId and password values from the output from the last command.
• These will be used to login to the repository later.

Step 1b: Create repostiory (Terraform)

Related Terraform resources

• azurerm_resource_group
• azurerm_container_registry
• azuread_service_principal
• azurerm_role_assignment

The following HCL code can be used to deploy an Azure Container repository

data "azuread_client_config" "current" {}

resource "azurerm_resource_group" "demo" {
  name     = "demo-resources"
  location = "West Europe"
}

resource "azurerm_container_registry" "demo" {
  name                = "<repository-name>"
  resource_group_name = azurerm_resource_group.demo.name
  location            = azurerm_resource_group.demo.location
  sku                 = "Premium"
  admin_enabled       = false

  georeplications {
    location                = "East US"
    zone_redundancy_enabled = true
    tags                    = {}
  }

  georeplications {
    location                = "North Europe"
    zone_redundancy_enabled = true
    tags                    = {}
  }
}

resource "azuread_application" "demo" {
  display_name = "packer-push"
  owners       = [data.azuread_client_config.current.object_id]


  password {
    display_name = "client_secret"
    start_date   = time_rotating.example.id
    end_date     = timeadd(time_rotating.example.id, "4320h")
  }
}

resource "azuread_service_principal" "demo" {
  client_id                    = azuread_application.demo.client_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]
}

resource "azurerm_role_assignment" "example" {
  scope                = azurerm_container_registry.demo.id
  role_definition_name = "AcrPush"
  principal_id         = azuread_service_principal.demo.object_id
}

output "app_id" {
  value = azuread_application.demo.client_id
}

output "app_password" {
  value = azuread_application.demo.password[0].value
}

output "login_server" {
  value = azurerm_container_registry.demo.login_server
}

• Capture the app_id, app_password, login_server values from the output.

Step 2: Push container to registry (AZ CLI)

• Locate your HCP Service Principal credentials you created in the Introduction Prerequisites.
  • Assign the values to the environment variables are the top of the script.
• Replace <app_id> with value obtained in Step 1.
• Replace <app_password> with value obtained in Step 1.
• Replace <login_server> with value obtained in Step 1.
• Replace <repository-name> with the name of the repository you chose.
• Switch to the directory that contains your Packer templates and run the following:

## Add Packer credentials to the session
export HCP_CLIENT_ID=<client-id-from-hcp>
export HCP_CLIENT_SECRET=<client-secret-from-hcp>

## Build the container (replace filename with your template filename)
packer build docker-debian-azure.pkr.hcl

## Login to the AZ CLI via Service Principal credentials
az login --service-principal -u <app-id> -p <password> --tenant <tenant>

## Login to the Azure Container Registry via AZ CLI
az acr login --name <repository-name>

## Push the container to ECR
docker push <repository-name>.azurecr.io/packer-demo-image/packer-demo-image:latest

The image should be pushed into the Azure repository, and is now available to be pulled.

Prerequisites

• Prerequisites from Introduction
• gcloud is used for provisioning infrastructure as well as providing login credentials for Terraform.
  • gcloud installation instructions
  • Login to gcloud

Step 1a: Create repository (gcloud CLI)

• Enable the Artifact Registy API if necessary.
• Switch to the directory where you cloned the companion repository.
• Run the following script:

## Create the Container Registry
gcloud artifacts repositories create <repository-name> \
        --repository-format=docker \
        --location=us-west1 \
        --description="Docker repository" \
        --project=<gcp-project-id>

## Create a Service Principal
gcloud iam service-accounts create packer-user \
        --description="Push and Tag Docker images" \
        --display-name="packer-user" \
        --project=<gcp-project-id>

## Attach the Artifact Writer role to the Service Princial to enable pushing images
gcloud projects add-iam-policy-binding <gcp-project-id> \
    --member="serviceAccount:packer-user@<gcp-project-id>.iam.gserviceaccount.com" \
  --role="roles/artifactregistry.writer"

## Create a Service Principal Key file needed for logging into the Container Registry
## The packer-user.key file will contain the credentials of the service principal that 
## will be used when pushing images
gcloud iam service-accounts keys create packer-user.key \
    --iam-account=packer-user@<gcp-project-id>.iam.gserviceaccount.com

• The will place a service principal key file in the current directory.
  • This will be used to login to the Docker repository.
• gcloud/Docker credential helper docs.

Step 1b: Create repository (Terraform)

Related Terraform resources

• google_container_registry
• google_service_account
• google_project_iam_member
• google_service_account_key

The following HCL code can be used to deploy GCP Artifact Repository

resource "google_container_registry" "demo" {
  project  = "<gcp-project-id>"
  location = "EU"
}

resource "google_service_account" "demo" {
  account_id   = "packer-service-account-id"
  display_name = "Packer Service Account"
}

resource "google_project_iam_member" "demo" {
  project = "packer-project"
  role    = "roles/artifactregistry.writer"
  member  = google_service_account.demo.email
}

resource "google_service_account_key" "demo" {
  service_account_id = google_service_account.demo.name
}

output "service_account_keys" {
  value = google_service_account_key.demo.private_key
}

• The service_account_keys output should be written into a file named packer-user.key
  • It will be used to login to the Artifact Repository

Step 2: Setup gcloud/Docker auth helper

This will setup the gcloud authentication helper so you can login to the artifact repository through docker login.

• Ensure you have the packer-user.key file from one of the previous steps.

## Setup the Service Principal as the account Docker will use
gcloud auth activate-service-account \
    packer-user@<gcp-project-id>.iam.gserviceaccount.com \
    --key-file=./packer-user.key

## Enable the gcloud/docker authentication helper
gcloud auth configure-docker us-west1-docker.pkg.dev

## Test the credentials
docker login us-west1-docker.pkg.dev

## You should see "Login Succeeded" as the result if setup correctly

Step 2: Push container to registry (gcloud)

• Locate your HCP Service Principal credentials you created in the Introduction Prerequisites.
  • Assign the values to the environment variables are the top of the script.
• Switch to the directory that contains your Packer templates and run the following:

## Add Packer credentials to the session
export HCP_CLIENT_ID=<client-id-from-hcp>
export HCP_CLIENT_SECRET=<client-secret-from-hcp>

## Build the container (replace filename with your template filename)
packer build docker-debian-gcp.pkr.hcl

## Login to the GCP Container Registry via GCP Docker credential helper
docker login us-west1-docker.pkg.dev

## Push the container to GCP
docker push us-west1-docker.pkg.dev/<gcp-project-id>/packerexampleregistry/packer-demo-image:latest

The image should be pushed into the artifact registry, and is now available to be pulled.