Container Image Components

Container images allow you to import prebuilt container images from public sources, and private ECR repositories. Please refer to the Terraform reference for full configuration options.

​

Container Images vs Docker Build images

Container images are used to import prebuilt images, that have already been pushed to either a public registry, or a private ECR repository.

​

When to use a docker build component

Use a docker build component if:

• your container build process does not do any additional scanning/processing on your built container images
• you do not need to access any internal resources during the build process
• you want to get started faster

​

When to use a container image component

• you want to leverage public images
• you post process or scan built container images
• your build process accesses internal resources (such as a private dependency registry)
• you value building once, and using everywhere for consistency purposes

​

Configuring a container image component

To configure a container image component, use either a public container image (from any registry), or a private container image from an AWS ECR repository.

resource "nuon_container_image_component" "public" {
  name   = "public"
  app_id = nuon_app.main.id

  public = {
    image_url = "kennethreitz/httpbin"
    tag       = "latest"
  }
}

To use an AWS ECR image, please follow the directions to setup an IAM role, granting access to Nuon to pull the image.

​

Deployments

Container image components can not be deployed directly in a customer install. When an image is released, it will be synced into the customer install and made available to other components via variables.

To deploy a Container image component, reference the image from a Helm component, Terraform component or Job component:

  name   = "helm"
  app_id = nuon_app.main.id

  value {
    name = "env.IMAGE_TAG"
    value = "{{.nuon.components.image.image.tag}}"
  }
  value {
    name = "env.IMAGE_REPOSITORY"
    value = "{{.nuon.components.image.image.repository.uri}}"
  }
}

​

Image Syncing

When a Container image component is released, Nuon will automatically sync the image into the end customer account. This image is stored in a local registry that is provisioned in the customer account.

Nuon image syncing allows you to sync images into accounts, without worrying about cross account permissions, registry authentication or publishing public images. Any Dockerfile in a repo can be built, and synced.

The sync process works by creating a 1-time authentication flow that grants the install runner access to pull the image from the org data plane, and copy it into the local registry.

​

AWS ECR Access IAM Role

To use a private AWS ECR image, you must create an IAM role that grants Nuon access to pull your container image. When building your component, nuon will automatically assume the role and pull the image from your build runner.

The easiest way to setup an IAM role to configure your component with is using our Terraform Module.

module "nuon_ecr_access" {
  source  = "nuonco/ecr-access/aws"

  repository_arns = ["<repository-arn>"]
}

output "ecr_access_iam_role" {
  value = module.nuon_ecr_access.ecr_access_iam_role
}

​

Importing Images Outside of AWS ECR

We currently only support public container images and private container images pushed to AWS ECR private images.

If your registry is supported by AWS ECR’s pull through cache, the easiest way to import the images into Nuon is to setup a pull through cache and configure your container image to use it.

This works for Docker Hub, Github Container Registry and Microsoft Azure Container Registry.