Make docker_registry_image datasource independent of docker host endpoint about terraform-provider-docker HOT 4 CLOSED

Ran into this while attempting to use the Docker provider with Terraform Cloud's remote execution mode.

Until the client.Ping(ctx) call that happens during the provider's configuration gets removed (or made optional), this is the workaround I opted for, and hopefully it helps anyone else stumbling across this issue.

It's essentially doing the same thing docker_registry_image does - it calls the registry API and pulls out the docker-content-digest header.

Note that it's GCR-specific, but can easily be adapted for other registries.

# Provides data.external.docker-image.result.image and
# data.external.docker-image.result.digest
data "external" "docker-image" {
  program = [
    "./digest.sh", "gcr.io/<project>/<image>:<tag>"
  ]
}

#!/usr/bin/env bash
set -eo pipefail

input=$1 # gcr.io/project/image:tag
input=${input/gcr.io\//} # project/image:tag
components=(${input//:/ }) # [project/image, tag]
repository=${components[0]} # project
tag=${components[1]:-latest} # tag

url="https://gcr.io/v2/${repository}/manifests/${tag}"
digest=$(curl -I "${url}" -u "_json_key:${SERVICE_ACCOUNT}" | \
    grep docker-content-digest | cut -c 24-94) # sha256:abcd...
image="gcr.io/${repository}@${digest}" # gcr.io/project/image@sha256:abcd...
jq -n --arg digest "${digest}" --arg image "${image}" '{"digest": $digest, "image": $image}'

from terraform-provider-docker.

@Deiz, thank you for your comment. Based on your approach I have decide to use terraform http provider to achieve a similar result:

data "http" "access_token" {
  url = "https://${var.docker_registry.host}/oauth2/token?service=${var.docker_registry.host}&scope=repository:*:pull"
  request_headers = {
    Authorization = "Basic ${base64encode("${var.docker_registry.user}:${var.docker_registry.password}")}"
  }
}

data "http" "tips" {
  url = "https://${var.docker_registry.host}/v2/tips/manifests/${local.environment}"
  request_headers = {
    Accept = "application/vnd.docker.distribution.manifest.v2+json",
    Authorization = "Bearer ${jsondecode(data.http.access_token.body).access_token}"
  }
}

output "image" {
  value = "${var.docker_registry.host}/tips@${data.http.tips.response_headers.Docker-Content-Digest}"
}

from terraform-provider-docker.

I can't manage to figure this one out. @rafagsiqueira do you mind posting your entire working solution with full format for repository names? I'm assuming you're using ghcr.io as well?

I managed to get a solution with the old docker registry working, but github does not send the Docker-Content-Digest header that you're using. The information is available in the body but since it's not using application/json Content-Type, the http provider won't parse it.

from terraform-provider-docker.

@dvcrn, I am using azure container registry. var.docker_registry.host just has the fqdn of my container registry.
From @Deiz response, it looks like gcr also sends the digest on the body of the response. If http provider won't parse it, perhaps you can use terraform's jsondecode?
@Deiz also did not use the Accept = "application/vnd.docker.distribution.manifest.v2+json" on the headers, perhaps gcr.io does not need that?
Other than that, I am sorry I can't help you, since we are not using gcr.io.

from terraform-provider-docker.