David
Coder.com
Created by David on 4/4/2025 in #help
EKS/ECR envbuilder layer cache
I realize I haven't said or made clear in my snippets: the builder_image is in a private repository (b/c I added some files there that we want available during devcontainer builds). Two workarounds come to mind:
- Use the public image for builder_image in this resource--we don't actually need our modified image just to check the cache.
- Modify the coder deployment to put credentials in an appropriate place to be read by GetRemoteImage--actually, this isn't a good solution because ECR credentials expire every 12 hours; though I suppose I could complicate it further by adding a process to refresh them.
13 replies
Created by David on 4/4/2025 in #help
Yeah, I think that might be it: docker_config_base64 is passed into envbuilder's config, but it's not used when fetching envbuilder from the builder_image. The helper function GetRemoteImage() uses authn.DefaultKeychain, which reads from ~/.docker/config.json et al.
https://github.com/coder/terraform-provider-envbuilder/blob/main/internal/imgutil/imgutil.go#L27
https://github.com/google/go-containerregistry/blob/main/pkg/authn/keychain.go#L87
Created by David on 4/4/2025 in #help
IAM (in the deployment terraform, not a workspace template)
Created by David on 4/4/2025 in #help
Sort of the same. It is building the credentials the same way. But that example is giving the credentials to envbuilder. I'm trying to give the credentials to resource "envbuilder_cached_image". One guess I had: Maybe the terraform resource isn't using the credentials to "fetch the envbuilder binary from the builder image", but only for accessing the cache repo?
Created by David on 4/4/2025 in #help
This is the relevant portion of the template
# Get the ECR authorization token
data "aws_ecr_authorization_token" "token" {
  count = var.cache_repo == "" ? 0 : data.coder_workspace.me.start_count
}

# Check for the presence of a prebuilt image in the cache repo
# that we can use instead.
resource "envbuilder_cached_image" "cached" {
  count         = var.cache_repo == "" ? 0 : data.coder_workspace.me.start_count
  builder_image = local.devcontainer_builder_image
  git_url       = data.coder_parameter.repo_url.value
  cache_repo    = var.cache_repo
  extra_env     = local.envbuilder_env

  # Create a properly formatted Docker config.json with the ECR token
  docker_config_base64 = base64encode(jsonencode({
    "auths" = {
      # Extract the registry URL from the proxy_endpoint (removes https:// prefix)
      trimsuffix(trimprefix(data.aws_ecr_authorization_token.token[0].proxy_endpoint, "https://"), "/") = {
        "auth" = data.aws_ecr_authorization_token.token[0].authorization_token
      }
    }
  }))
}