Container images allow you to import prebuilt container images from public sources, and private ECR repositories.

Container Images vs Docker Build images

Container images are used to import prebuilt images, that have already been pushed to either a public registry, or a private ECR repository.

When to use a docker build component

Use a docker build component if:

  • your container build process does not do any additional scanning/processing on your built container images
  • you do not need to access any internal resources during the build process
  • you want to get started faster

When to use a container image component

  • you want to leverage public images
  • you post process or scan built container images
  • your build process accesses internal resources (such as a private dependency registry)
  • you value building once, and using everywhere for consistency purposes

If you have private prebuilt images in a registry other than AWS ECR, that you would like to use, please get in touch!

Configuring a container image component

Using a Public Image

To use a public image from any container registry, configure the public block.

nuon.<your-app>.toml
[[components]]
name   = "public"
type   = "container_image"
[components.public]
image_url = "kennethreitz/httpbin"
tag       = "latest"

Using a Private AWS ECR Image

To use an image from a private ECR registry, configure the aws_ecr block.

nuon.<your-app>.toml
name   = "ecr"
type   = "container_image"
[components.aws_ecr]
image_url    = "123927561584.dkr.ecr.us-west-2.amazonaws.com/repo-name"
tag          = "latest"
region       = "us-west-2"
iam_role_arn = "arn:aws:iam::123927561584:role/nuon-container-image-access"

To use an AWS ECR image, please follow the directions to setup an IAM role, granting access to Nuon to pull the image.

Deployments

Container image Components cannot be deployed directly in a customer install. When an image is released, it will be synced into the customer install and made available to other Components via variables.

To deploy a Container image component, reference the image from a Helm component or Terraform component:

nuon.<your-app>.toml
[[components]]
name       = "eks_deployment"
type       = "helm_chart"
chart_name = "<your-app>"
[components.connected_repo]
repo      = "<your-app>"
directory = "components/helm-chart"
branch    = "main"
[components.values]
"env.IMAGE_TAG"        = "{{.nuon.components.app_image.image.tag}}"
"env.IMAGE_REPOSITORY" = "{{.nuon.components.app_image.image.repository.uri}}"

[[components]]
name              = "ecs_service"
type              = "terraform_module"
terraform_version = "v1.6.3"
[components.connected_repo]
repo      = "<your-app>"
directory = "components/ecs-service"
branch    = "main"
[components.vars]
"image_tag"        = "{{.nuon.components.app_image.image.tag}}"
"image_repository" = "{{.nuon.components.app_image.image.repository.uri}}"

[[components]]
name      = "eks_job"
type      = "job"
image_url = "{{.nuon.components.app_image.image.repository.uri}}"
tag       = "{{.nuon.components.app_image.image.tag}}"

Image Syncing

When a Container image component is released, Nuon will automatically sync the image into the end customer account. This image is stored in a local registry that is provisioned in the customer account.

Nuon image syncing allows you to sync images into accounts, without worrying about cross account permissions, registry authentication or publishing public images. Any Dockerfile in a repo can be built, and synced.

The sync process works by creating a 1-time authentication flow that grants the install runner access to pull the image from the org data plane, and copy it into the local registry.

AWS ECR Access IAM Role

To use a private AWS ECR image, you must create an IAM role that grants Nuon access to pull your container image. When building your component, nuon will automatically assume the role and pull the image from your build runner.

The easiest way to setup an IAM role to configure your component with is using our Terraform Module.

module "nuon_ecr_access" {
  source  = "nuonco/ecr-access/aws"

  repository_arns = ["<repository-arn>"]
}

output "ecr_access_iam_role" {
  value = module.nuon_ecr_access.ecr_access_iam_role
}

If you are having trouble finding the repository ARN in the AWS console, you can run aws ecr describe-repositories to print the ARNs of all repositories in your current context.

Importing Images Outside of AWS ECR

We currently only support public container images and private container images pushed to AWS ECR private registries.

If your registry is supported by AWS ECR’s pull through cache, the easiest way to import the images into Nuon is to setup a pull through cache and configure your container image to use it.

This works for Docker Hub, Github Container Registry and Microsoft Azure Container Registry.

If you would like to use a different private container registry than AWS ECR, we would love to know more. Please get in touch to tell us more about your use case.