Commit 80d07c9

dilyevskyclaude
andcommitted
feat: move edge-runtime images to GAR, keep others on Docker Hub
Docker Hub was rejecting crane index append requests. Move edge-runtime to Google Artifact Registry (us-west1-docker.pkg.dev/apoxy-internal/cloud) like we do for envoy in apoxy-cloud. Other images stay on Docker Hub. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent ea5de14 commit 80d07c9

3 files changed

+45
-32
lines changed


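--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -21,12 +21,12 @@ jobs:
 go-version: ">=1.24"
 - name: Build and publish edge-runtime (${{ matrix.arch }})
 env:
-APOXY_DOCKERHUB_PASSWORD: ${{ secrets.APOXY_DOCKERHUB_PASSWORD }}
+APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.APOXY_INTERNAL_GAR_CREDENTIALS }}
 SCCACHE_WEBDAV_TOKEN: ${{ secrets.SCCACHE_WEBDAV_TOKEN }}
 SHUTUP: 1
 timeout-minutes: 30
 run: |
-dagger call -v publish-edge-runtime --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD --sccache-token=env:SCCACHE_WEBDAV_TOKEN
+dagger call -v publish-edge-runtime --sha=${GITHUB_SHA::7} --gcr-creds=env:APOXY_INTERNAL_GAR_CREDENTIALS --sccache-token=env:SCCACHE_WEBDAV_TOKEN
 
 publish-edge-runtime-multiarch:
 needs: build-edge-runtime
@@ -39,11 +39,11 @@ jobs:
 go-version: ">=1.24"
 - name: Create edge-runtime multi-arch manifest
 env:
-APOXY_DOCKERHUB_PASSWORD: ${{ secrets.APOXY_DOCKERHUB_PASSWORD }}
+APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.APOXY_INTERNAL_GAR_CREDENTIALS }}
 SHUTUP: 1
 timeout-minutes: 5
 run: |
-dagger call -v publish-edge-runtime-multiarch --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD
+dagger call -v publish-edge-runtime-multiarch --sha=${GITHUB_SHA::7} --gcr-creds=env:APOXY_INTERNAL_GAR_CREDENTIALS
 
 publish-images:
 needs: publish-edge-runtime-multiarch
@@ -57,7 +57,8 @@ jobs:
 - name: Build and publish all images
 env:
 APOXY_DOCKERHUB_PASSWORD: ${{ secrets.APOXY_DOCKERHUB_PASSWORD }}
+APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.APOXY_INTERNAL_GAR_CREDENTIALS }}
 SHUTUP: 1
 timeout-minutes: 30
 run: |
-dagger call -v publish-images --src=. --tag=latest --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD --edge-runtime-tag=${GITHUB_SHA::7}
+dagger call -v publish-images --src=. --tag=latest --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD --edge-runtime-tag=${GITHUB_SHA::7} --gcr-creds=env:APOXY_INTERNAL_GAR_CREDENTIALS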
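Review bot: The `Build and publish all images` step (new line 60) is given the same `APOXY_INTERNAL_GAR_CREDENTIALS` secret that the two edge-runtime steps use to push, although `--gcr-creds` there appears to be needed only to pull the already-published edge-runtime image. If that key can write to the repository, a separate read-only key for this step would limit what a compromised build step can do, for example `APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.<READ_ONLY_GAR_SECRET> }}` (secret name is a placeholder). The matching step in `.github/workflows/release.yaml` has the same shape. The job that contains this step begins outside the hunk, so any job-level restrictions are not visible here.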

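--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,12 +24,12 @@ jobs:
 go-version: ">=1.24"
 - name: Build and publish edge-runtime (${{ matrix.arch }})
 env:
-APOXY_DOCKERHUB_PASSWORD: ${{ secrets.APOXY_DOCKERHUB_PASSWORD }}
+APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.APOXY_INTERNAL_GAR_CREDENTIALS }}
 SCCACHE_WEBDAV_TOKEN: ${{ secrets.SCCACHE_WEBDAV_TOKEN }}
 SHUTUP: 1
 timeout-minutes: 30
 run: |
-dagger call -v publish-edge-runtime --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD --sccache-token=env:SCCACHE_WEBDAV_TOKEN
+dagger call -v publish-edge-runtime --sha=${GITHUB_SHA::7} --gcr-creds=env:APOXY_INTERNAL_GAR_CREDENTIALS --sccache-token=env:SCCACHE_WEBDAV_TOKEN
 
 publish-edge-runtime-multiarch:
 needs: build-edge-runtime
@@ -44,11 +44,11 @@ jobs:
 go-version: ">=1.24"
 - name: Create edge-runtime multi-arch manifest
 env:
-APOXY_DOCKERHUB_PASSWORD: ${{ secrets.APOXY_DOCKERHUB_PASSWORD }}
+APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.APOXY_INTERNAL_GAR_CREDENTIALS }}
 SHUTUP: 1
 timeout-minutes: 5
 run: |
-dagger call -v publish-edge-runtime-multiarch --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD
+dagger call -v publish-edge-runtime-multiarch --sha=${GITHUB_SHA::7} --gcr-creds=env:APOXY_INTERNAL_GAR_CREDENTIALS
 
 publish-images:
 needs: publish-edge-runtime-multiarch
@@ -64,10 +64,11 @@ jobs:
 - name: Build and publish all images
 env:
 APOXY_DOCKERHUB_PASSWORD: ${{ secrets.APOXY_DOCKERHUB_PASSWORD }}
+APOXY_INTERNAL_GAR_CREDENTIALS: ${{ secrets.APOXY_INTERNAL_GAR_CREDENTIALS }}
 SHUTUP: 1
 timeout-minutes: 30
 run: |
-dagger call -v publish-images --src=. --tag=$GITHUB_REF_NAME --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD --edge-runtime-tag=${GITHUB_SHA::7}
+dagger call -v publish-images --src=. --tag=$GITHUB_REF_NAME --sha=${GITHUB_SHA::7} --registry-password=env:APOXY_DOCKERHUB_PASSWORD --edge-runtime-tag=${GITHUB_SHA::7} --gcr-creds=env:APOXY_INTERNAL_GAR_CREDENTIALS
 
 publish-github-release:
 needs: publish-images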

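--- a/ci/main.go
+++ b/ci/main.go
@@ -374,6 +374,9 @@ func (m *ApoxyCli) PublishGithubRelease(
 // EdgeRuntimeVersion is the version of the Apoxy edge-runtime fork.
 const EdgeRuntimeVersion = "v0.1.0"
 
+// GARRegistry is the Google Artifact Registry for internal images.
+const GARRegistry = "us-west1-docker.pkg.dev"
+
 func (m *ApoxyCli) BuildEdgeRuntime(
 ctx context.Context,
 platform string,
@@ -417,11 +420,11 @@ func (m *ApoxyCli) BuildEdgeRuntime(
 return builder.WithExec([]string{"cargo", "build", "--release"})
 }
 
-// PublishEdgeRuntime builds edge-runtime for the host architecture and publishes it.
+// PublishEdgeRuntime builds edge-runtime for the host architecture and publishes it to GAR.
 // This should be run on native arch workers (amd64 and arm64) in parallel.
 func (m *ApoxyCli) PublishEdgeRuntime(
 ctx context.Context,
-registryPassword *dagger.Secret,
+gcrCreds *dagger.Secret,
 sha string,
 // +optional
 sccacheToken *dagger.Secret,
@@ -441,10 +444,10 @@ func (m *ApoxyCli) PublishEdgeRuntime(
 WithExec([]string{"rm", "-rf", "/var/lib/apt/lists/*"}).
 WithFile("/usr/local/bin/edge-runtime", builder.File("/edge-runtime"))
 
-// Publish with arch-specific tag.
+// Publish to GAR with arch-specific tag.
 addr, err := ctr.
-WithRegistryAuth("registry-1.docker.io", "apoxy", registryPassword).
-Publish(ctx, fmt.Sprintf("docker.io/apoxy/edge-runtime:%s-%s", sha, goarch))
+WithRegistryAuth(GARRegistry, "_json_key", gcrCreds).
+Publish(ctx, fmt.Sprintf("%s/apoxy-internal/cloud/edge-runtime:%s-%s", GARRegistry, sha, goarch))
 if err != nil {
 return fmt.Errorf("failed to publish edge-runtime: %w", err)
 }
@@ -453,18 +456,17 @@ func (m *ApoxyCli) PublishEdgeRuntime(
 return nil
 }
 
-// PublishEdgeRuntimeMultiarch combines arch-specific edge-runtime images into a multi-arch manifest.
+// PublishEdgeRuntimeMultiarch combines arch-specific edge-runtime images into a multi-arch manifest in GAR.
 func (m *ApoxyCli) PublishEdgeRuntimeMultiarch(
 ctx context.Context,
-registryPassword *dagger.Secret,
+gcrCreds *dagger.Secret,
 sha string,
 ) error {
-crane := m.CraneContainer(ctx, registryPassword)
+crane := m.CraneContainer(ctx, gcrCreds)
 
-manifest := fmt.Sprintf("docker.io/apoxy/edge-runtime:%s", sha)
+manifest := fmt.Sprintf("%s/apoxy-internal/cloud/edge-runtime:%s", GARRegistry, sha)
 craneCmd := []string{
 "crane", "index", "append",
-"--docker-empty-base", // Use Docker manifest list format instead of OCI index
 "--manifest", manifest + "-amd64",
 "--manifest", manifest + "-arm64",
 "--tag", manifest,
@@ -478,8 +480,8 @@ func (m *ApoxyCli) PublishEdgeRuntimeMultiarch(
 return nil
 }
 
-// PullEdgeRuntime pulls edge-runtime from registry or builds from source.
-// If edgeRuntimeTag is provided, pulls from docker.io/apoxy/edge-runtime:<tag>.
+// PullEdgeRuntime pulls edge-runtime from GAR or builds from source.
+// If edgeRuntimeTag is provided, pulls from GAR.
 // Otherwise builds from source (slow, avoid in CI).
 func (m *ApoxyCli) PullEdgeRuntime(
 ctx context.Context,
@@ -491,15 +493,18 @@ func (m *ApoxyCli) PullEdgeRuntime(
 sccacheToken *dagger.Secret,
 // +optional
 edgeRuntimeTag string,
+// +optional
+gcrCreds *dagger.Secret,
 ) *dagger.Container {
 goarch := archOf(platform)
 
 var edgeRuntimeBinary *dagger.File
 
 if edgeRuntimeTag != "" {
-// Pull pre-built edge-runtime from registry.
+// Pull pre-built edge-runtime from GAR.
 edgeRuntimeCtr := dag.Container(dagger.ContainerOpts{Platform: platform}).
-From(fmt.Sprintf("docker.io/apoxy/edge-runtime:%s", edgeRuntimeTag))
+WithRegistryAuth(GARRegistry, "_json_key", gcrCreds).
+From(fmt.Sprintf("%s/apoxy-internal/cloud/edge-runtime:%s", GARRegistry, edgeRuntimeTag))
 edgeRuntimeBinary = edgeRuntimeCtr.File("/usr/local/bin/edge-runtime")
 } else {
 // Build from source (fallback for local dev).
@@ -559,6 +564,8 @@ func (m *ApoxyCli) BuildAPIServer(
 sccacheToken *dagger.Secret,
 // +optional
 edgeRuntimeTag string,
+// +optional
+gcrCreds *dagger.Secret,
 ) *dagger.Container {
 if platform == "" {
 platform = runtime.GOOS + "/" + runtime.GOARCH
@@ -573,7 +580,7 @@ func (m *ApoxyCli) BuildAPIServer(
 WithEnvVariable("CC", fmt.Sprintf("zig-wrapper cc --target=%s-linux-musl", canonArchFromGoArch(goarch))).
 WithExec([]string{"go", "build", "-o", "apiserver", "./cmd/apiserver"})
 
-runtimeCtr := m.PullEdgeRuntime(ctx, p, src, sccacheToken, edgeRuntimeTag)
+runtimeCtr := m.PullEdgeRuntime(ctx, p, src, sccacheToken, edgeRuntimeTag, gcrCreds)
 
 return dag.Container(dagger.ContainerOpts{Platform: p}).
 From("cgr.dev/chainguard/wolfi-base:latest").
@@ -596,8 +603,8 @@ func hostPlatform() string {
 return runtime.GOOS + "/" + runtime.GOARCH
 }
 
-// CraneContainer returns a container with crane installed and authenticated.
-func (m *ApoxyCli) CraneContainer(ctx context.Context, registryPassword *dagger.Secret) *dagger.Container {
+// CraneContainer returns a container with crane installed and authenticated to GAR.
+func (m *ApoxyCli) CraneContainer(ctx context.Context, gcrCreds *dagger.Secret) *dagger.Container {
 cranePlatform := "x86_64"
 if runtime.GOARCH == "arm64" {
 cranePlatform = "arm64"
@@ -610,10 +617,10 @@ func (m *ApoxyCli) CraneContainer(ctx context.Context, registryPassword *dagger.
 "sh", "-c",
 fmt.Sprintf("curl -sL https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_Linux_%s.tar.gz | tar xzf - -C /usr/local/bin crane", cranePlatform),
 }).
-WithSecretVariable("REGISTRY_PASSWORD", registryPassword).
+WithSecretVariable("GCR_CREDS", gcrCreds).
 WithExec([]string{
 "sh", "-c",
-`echo $REGISTRY_PASSWORD | crane auth login registry-1.docker.io -u apoxy --password-stdin`,
+fmt.Sprintf(`echo "$GCR_CREDS" | crane auth login %s -u _json_key --password-stdin`, GARRegistry),
 })
 }
 
@@ -627,6 +634,8 @@ func (m *ApoxyCli) BuildBackplane(
 sccacheToken *dagger.Secret,
 // +optional
 edgeRuntimeTag string,
+// +optional
+gcrCreds *dagger.Secret,
 ) *dagger.Container {
 if platform == "" {
 platform = runtime.GOOS + "/" + runtime.GOARCH
@@ -658,7 +667,7 @@ func (m *ApoxyCli) BuildBackplane(
 WithExec([]string{"go", "build", "-o", "/src/" + otelOut}).
 WithWorkdir("/src")
 
-runtimeCtr := m.PullEdgeRuntime(ctx, p, src, sccacheToken, edgeRuntimeTag)
+runtimeCtr := m.PullEdgeRuntime(ctx, p, src, sccacheToken, edgeRuntimeTag, gcrCreds)
 
 return dag.Container(dagger.ContainerOpts{Platform: p}).
 From("cgr.dev/chainguard/wolfi-base:latest").
@@ -758,10 +767,12 @@ func (m *ApoxyCli) PublishImages(
 sccacheToken *dagger.Secret,
 // +optional
 edgeRuntimeTag string,
+// +optional
+gcrCreds *dagger.Secret,
 ) error {
 var apiCtrs []*dagger.Container
 for _, platform := range []string{"linux/amd64", "linux/arm64"} {
-apiCtrs = append(apiCtrs, m.BuildAPIServer(ctx, src, platform, sccacheToken, edgeRuntimeTag))
+apiCtrs = append(apiCtrs, m.BuildAPIServer(ctx, src, platform, sccacheToken, edgeRuntimeTag, gcrCreds))
 }
 
 addr, err := dag.Container().
@@ -781,7 +792,7 @@ func (m *ApoxyCli) PublishImages(
 
 var bCtrs []*dagger.Container
 for _, platform := range []string{"linux/amd64", "linux/arm64"} {
-bCtrs = append(bCtrs, m.BuildBackplane(ctx, src, platform, sccacheToken, edgeRuntimeTag))
+bCtrs = append(bCtrs, m.BuildBackplane(ctx, src, platform, sccacheToken, edgeRuntimeTag, gcrCreds))
 }
 
 addr, err = dag.Container().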
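Review bot: In `PullEdgeRuntime` (new lines 505-507), `gcrCreds` is declared `+optional` but is passed to `WithRegistryAuth` unconditionally whenever `edgeRuntimeTag` is set, so a caller that supplies a tag without credentials hands a nil secret to the SDK. That will likely fail inside the Dagger client rather than with a clear registry-auth error, and `BuildAPIServer`, `BuildBackplane` and `PublishImages` all forward the same optional value. Attaching the auth only when `gcrCreds != nil` keeps the parameter genuinely optional and lets an unauthenticated pull fail with the registry's own message, as in the excerpt below. The function body continues past the end of the hunk.

```go
if edgeRuntimeTag != "" {
	// Pull pre-built edge-runtime from GAR; attach registry auth only when credentials were supplied.
	edgeRuntimeCtr := dag.Container(dagger.ContainerOpts{Platform: platform})
	if gcrCreds != nil {
		edgeRuntimeCtr = edgeRuntimeCtr.WithRegistryAuth(GARRegistry, "_json_key", gcrCreds)
	}
	edgeRuntimeCtr = edgeRuntimeCtr.
		From(fmt.Sprintf("%s/apoxy-internal/cloud/edge-runtime:%s", GARRegistry, edgeRuntimeTag))
	// … unchanged: edgeRuntimeBinary extraction and the build-from-source branch …
```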
