acr icon indicating copy to clipboard operation
acr copied to clipboard

Published 20 hours ago verified publisher icon Azure

Cache Google Container Registry Repositories

Open JXavierMSFT opened this issue 1 year ago • 21 comments

Caching for ACR will soon allow users to cache repositories from Google Container Registry. This functionality is tentatively scheduled for release in late July 2023.

JXavierMSFT avatar Apr 12 '23 22:04 JXavierMSFT

Wondering if understand that one correct: in Google we have quadrillion images, aka gcr.io/myproject/myapp1, we wish to migrate to Azure, to make things smoother, idea is to configure Azure as a cache first, aka myproject.azurecr.io/myapp1 will be retrieved from Google via Azure and cached, so we can start changing images everywhere to fill up the case, and later, instead of cached versions we will just push new versions directly to Azure instead of Google

mac2000 avatar Jul 08 '23 12:07 mac2000

Yes, but with two caveats.

  1. Caching works at the repo level. You will need an active cache rule for each repo you want to cache. So if you have 50 repos in GCR that you want to cache in ACR, you'll need to create 50 cache rules (this is something you'll probably want to write a script for when the time comes). Note that we currently have a limit of 50 cache rules, although I think we're planning on raising this in the future.

  2. When you have an active cache rule associated with a repo in ACR, you cannot manually push new images and tags to that repo. So you would have to delete the cache rule prior to pushing new images the repo. All images that had been cached prior to the deletion of the cache rule would remain in the repo.

mabenedi avatar Jul 10 '23 22:07 mabenedi

Still better than nothing but I bed 50 rules limit is the one we will face immediately 🤷‍♂️

but because we are going to script things in either case nothing prevents us just to pull push things manually

which seems to be workaround so far

mac2000 avatar Jul 11 '23 12:07 mac2000

Hello Everyone,

Unfortunately, we won't be able to ship GCR as an available upstream this month. I will update this thread when I have a new accurate Timeline.

JXavierMSFT avatar Jul 31 '23 16:07 JXavierMSFT

Hi, is there any update on the new timeline?

frank-m avatar Sep 28 '23 13:09 frank-m

Yes, the PRs necessary to enable gcr.io as an upstream have been merged and will be shipped in our next deployment, which will be kicked off within a month. We can post again here when the deployment is completed in all regions

mabenedi avatar Sep 28 '23 18:09 mabenedi

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Nov 28 '23 01:11 github-actions[bot]

Hello Everyone,

Google Container Registry is available for use with Artifact Cache. You can check out the docs at aka.ms/acr/cache.

JXavierMSFT avatar Nov 29 '23 16:11 JXavierMSFT

I ran az acr Cache create -r myazurecr -n myrulename -s 'eu.gcr.io/my-gcr-registry/*' -t 'sync/*'

(UpstreamNotSupported) Unsupported upstream or login server 'eu.gcr.io/my-gcr-registry/*' provided. Supported upstreams or login servers are: docker.io, mcr.microsoft.com, quay.io, public.ecr.aws, ghcr.io, nvcr.io, registry.k8s.io, gcr.io.

Running it with gcr.io, even though the wrong hostname, works. Is eu.gcr.io not going to be supported?

sengjea avatar Jan 15 '24 12:01 sengjea

The docs at aka.ms/acr/cache claim that google cloud is supported with both authenticated pulls and unauthenticated pulls.

google cloud is supporting _json_key for authentication. I did not find any documentation how to setup authenticated pulls here.

I tried adding _json_key as username and privatekey as password but didn't work directly. Is this supposed to work how?

kimsandb avatar Mar 07 '24 06:03 kimsandb

Running it with gcr.io, even though the wrong hostname, works. Is eu.gcr.io not going to be supported?

@sengjea We are looking at adding eu.gcr.io support.

mabenedi avatar Mar 07 '24 20:03 mabenedi

The docs at aka.ms/acr/cache claim that google cloud is supported with both authenticated pulls and unauthenticated pulls.

google cloud is supporting _json_key for authentication. I did not find any documentation how to setup authenticated pulls here.

I tried adding _json_key as username and privatekey as password but didn't work directly. Is this supposed to work how?

Yes, this is supported. _json_key should be your username secret value and the contents of the keyfile should be your password secret value. When we go to do authenticated pulls, we are just grabbing the values of these secrets and using them to do what is essentially a docker login. Theoretically, if it works for docker login, it should work for authenticated pulls

mabenedi avatar Mar 07 '24 20:03 mabenedi

@mabenedi I have some images which we want to pull from **-docker.pkg.dev which is google cloud registry but they are not allowed (via the CLI) as the domain is not gcr.io Is there a way to make this work as well?

KevinDW-Fluxys avatar Apr 10 '24 08:04 KevinDW-Fluxys

@mabenedi I have some images which we want to pull from **-docker.pkg.dev which is google cloud registry but they are not allowed (via the CLI) as the domain is not gcr.io Is there a way to make this work as well?

There's not currently a way to make a cacherule with that as a source as we are strict about the domain allowlist regardless of the backing registry.

I've passed your request along to the team to see if we can add **-docker.pkg.dev to the allowlist in the future

mabenedi avatar Apr 10 '24 21:04 mabenedi