Add way to configure image registries without secret store integration for fedramp_high (#11196)

* Fix nits from #10605

* non-secret-store mode

* update containers api client

* clean up fedramp region code

* add tests

* changeset

* containers-shared minor

* prettify

---------

Co-authored-by: Nikita Sharma <nsharma@cloudflare.com>

Author: emily-shen

.changeset/evil-paws-check.md

@@ -0,0 +1,7 @@
+---
+"wrangler": minor
+"@cloudflare/containers-shared": minor
+---
+
+For containers being created in a FedRAMP high environment, registry credentials are encrypted by the container platform.
+Update wrangler to correctly send a request to configure a registry for FedRAMP containers.

packages/containers-shared/src/client/models/ImageRegistryAuth.ts

@@ -2,13 +2,15 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { SecretsStoreRef } from "./SecretsStoreRef";
+
 /**
- * A JSON string that encodes the auth required to authenticate with an external image registry. The format of the JSON object is determined by the registry being configured.
+ * Credentials needed to authenticate with an external image registry.
  */
 export type ImageRegistryAuth = {
+	/**
+	 * The format of this value is determined by the registry being configured.
+	 */
 	public_credential: string;
-	private_credential: {
-		store_id: string;
-		secret_name: string;
-	};
+	private_credential: string | SecretsStoreRef;
 };

packages/containers-shared/src/client/models/SecretsStoreRef.ts

@@ -0,0 +1,17 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * A reference to a secret stored in Secrets Store
+ */
+export type SecretsStoreRef = {
+	/**
+	 * Store ID where the secret is stored
+	 */
+	store_id: string;
+	/**
+	 * Name of the secret being referenced
+	 */
+	secret_name: string;
+};

packages/containers-shared/src/images.ts

@@ -206,9 +206,9 @@ export function resolveImageName(accountId: string, image: string): string {
 }
 
 /**
- * get type of container registry, and validate
- * currently we support cloudflare managed registries and AWS ECR
- * when using cloudflare mananged registries we expect CLOUDFLARE_CONTAINER_REGISTRY to be set
+ * Get type of container registry, and validate.
+ * Currently we support Cloudflare managed registries and AWS ECR.
+ * When using Cloudflare managed registries we expect CLOUDFLARE_CONTAINER_REGISTRY to be set
  */
 export const getAndValidateRegistryType = (domain: string): RegistryPattern => {
 	// TODO: use parseImageName when that gets moved to this package

packages/wrangler/src/__tests__/containers/registries.test.ts

@@ -1,5 +1,5 @@
 import { http, HttpResponse } from "msw";
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { mockAccount } from "../cloudchamber/utils";
 import { mockAccountId, mockApiToken } from "../helpers/mock-account-id";
 import { mockCLIOutput } from "../helpers/mock-cli-output";
@@ -66,6 +66,43 @@ describe("containers registries configure", () => {
 		`);
 	});
 
+	it("should validate command line arguments for Secrets Store", async () => {
+		const domain = "123456789012.dkr.ecr.us-west-2.amazonaws.com";
+		await expect(
+			runWrangler(
+				`containers registries configure ${domain} --public-credential=test-id --disableSecretsStore`
+			)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Secrets Store can only be disabled in FedRAMP compliance regions.]`
+		);
+
+		// Set compliance region to FedRAMP High
+		vi.stubEnv("CLOUDFLARE_COMPLIANCE_REGION", "fedramp_high");
+		await expect(
+			runWrangler(
+				`containers registries configure ${domain} --aws-access-key-id=test-access-key-id --secret-store-id=storeid`
+			)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Secrets Store is not supported in FedRAMP compliance regions. You must set --disableSecretsStore.]`
+		);
+
+		await expect(
+			runWrangler(
+				`containers registries configure ${domain} --aws-access-key-id=test-access-key-id --secret-store-id=storeid --disableSecretsStore`
+			)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Arguments secret-store-id and disableSecretsStore are mutually exclusive]`
+		);
+
+		await expect(
+			runWrangler(
+				`containers registries configure ${domain} --aws-access-key-id=test-access-key-id --secret-name=secret-name --disableSecretsStore`
+			)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: Arguments secret-name and disableSecretsStore are mutually exclusive]`
+		);
+	});
+
 	it("should no-op on cloudflare registry (default)", async () => {
 		await runWrangler(
 			`containers registries configure registry.cloudflare.com --public-credential=test-id`
@@ -83,6 +120,75 @@ describe("containers registries configure", () => {
 		`);
 	});
 
+	describe("FedRAMP compliance region", () => {
+		beforeEach(() => {
+			vi.stubEnv("CLOUDFLARE_COMPLIANCE_REGION", "fedramp_high");
+		});
+
+		it("should configure AWS ECR registry with interactive prompts", async () => {
+			setIsTTY(true);
+			const awsEcrDomain = "123456789012.dkr.ecr.us-west-2.amazonaws.com";
+			mockPrompt({
+				text: "Enter AWS Secret Access Key:",
+				options: { isSecret: true },
+				result: "test-secret-access-key",
+			});
+
+			mockPutRegistry({
+				domain: "123456789012.dkr.ecr.us-west-2.amazonaws.com",
+				is_public: false,
+				auth: {
+					public_credential: "test-access-key-id",
+					private_credential: "test-secret-access-key",
+				},
+				kind: "ECR",
+			});
+
+			await runWrangler(
+				`containers registries configure ${awsEcrDomain} --aws-access-key-id=test-access-key-id --disableSecretsStore`
+			);
+
+			expect(cliStd.stdout).toMatchInlineSnapshot(`
+				"╭ Configure a container registry
+				│
+				│ Configuring AWS ECR registry: 123456789012.dkr.ecr.us-west-2.amazonaws.com
+				│
+				│ Getting AWS Secret Access Key...
+				│
+				╰ Registry configuration completed
+
+				"
+			`);
+		});
+
+		describe("non-interactive", () => {
+			beforeEach(() => {
+				setIsTTY(false);
+			});
+			const awsEcrDomain = "123456789012.dkr.ecr.us-west-2.amazonaws.com";
+			const mockStdIn = useMockStdin({ isTTY: false });
+
+			it("should accept the secret from piped input", async () => {
+				const secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+
+				mockStdIn.send(secret);
+				mockPutRegistry({
+					domain: awsEcrDomain,
+					is_public: false,
+					auth: {
+						public_credential: "test-access-key-id",
+						private_credential: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+					},
+					kind: "ECR",
+				});
+
+				await runWrangler(
+					`containers registries configure ${awsEcrDomain} --public-credential=test-access-key-id --disableSecretsStore`
+				);
+			});
+		});
+	});
+
 	describe("AWS ECR registry configuration", () => {
 		it("should configure AWS ECR registry with interactive prompts", async () => {
 			setIsTTY(true);
@@ -219,7 +325,6 @@ describe("containers registries configure", () => {
 				│ Getting AWS Secret Access Key...
 				│
 				│
-				│
 				│ Setting up integration with Secrets Store...
 				│
 				│

packages/wrangler/src/containers/index.ts

@@ -100,7 +100,7 @@ export const containers = (
 		)
 		.command(
 			"registries",
-			// hide for now so it doesn't show up in help while we not publicly available
+			// hide for now so it doesn't show up in help while not publicly available
 			// "Configure and manage non-Cloudflare registries",
 			false,
 			(args) => registryCommands(args).command(subHelp)