Halama commented Jan 20, 2026

Jira: ST-3501

Before asking for review, check the following:

  • For any functionality change or the addition of a new feature, I verified if it should also be implemented in the no-DIND version. If so, I created a corresponding task [PST-XXX] under the no-DIND epic

Note: This feature is DIND-only by design. No-DIND uses Kubernetes imagePullSecrets for registry authentication, which is a different mechanism.


In this PR I have...

Summary

Adds support for pulling component images from Google Artifact Registry (GAR) instead of AWS ECR in DIND mode. When enabled via environment variables, the ImageFactory routes aws-ecr type components to a new GoogleArtifactRegistry class that handles URL transformation and GCP authentication.

Key changes:

  • New GoogleArtifactRegistry class extending Image with GCP service account JSON key authentication
  • ImageFactory conditionally routes to GAR when USE_GAR_REGISTRY=true and registry URLs are configured
  • Image URL transformation: replaces ECR registry prefix with GAR registry prefix

Environment variables used:

  • USE_GAR_REGISTRY - flag to enable GAR (must be 'true')
  • GAR_REGISTRY_URL - target GAR URL (e.g., us-central1-docker.pkg.dev/project/ecr-cache)
  • ECR_REGISTRY_URL - source ECR URL to replace
  • GOOGLE_APPLICATION_CREDENTIALS - path to GCP service account key file

Updates since last revision

  • Rebased onto origin/main to fix PR showing unrelated changes (the branch was originally based on origin/master which diverged from main)
  • Adapted code to match the updated architecture on main:
    • Uses ComponentSpecification instead of legacy Component class
    • Removed ObjectEncryptor dependency (no longer used in Image classes)
    • Uses Process::fromShellCommandline() pattern
    • Simplified pullImage() to use direct docker commands (matching AWSElasticContainerRegistry pattern)
  • Fixed PHPStan errors: getenv() returns string|false, so added proper type handling with ?: '' fallback and explicit === false checks
  • Fixed PHPCS error: added trailing comma to multi-line constructor parameter list

Review & Testing Checklist for Human

  • Verify docker login command construction: The getLoginParams() method reads the JSON key file content and passes it via --password=. Verify this works correctly with special characters in the key.
  • Test with real GAR credentials: This code path hasn't been tested against an actual GAR registry. End-to-end testing with real GCP service account credentials is required.
  • Verify URL transformation edge cases: The str_replace() in getImageId() assumes the ECR URL appears exactly once at the start. Verify this handles all ECR URL formats correctly.
  • Verify getenv() behavior: The code uses getenv() directly in ImageFactory. Confirm these env vars are properly propagated to the DIND runner pod.

Test Plan

  1. Deploy to a test environment with GAR disabled (default) - verify existing ECR image pulls work unchanged
  2. Enable GAR with valid credentials and registry URLs - verify image pulls succeed from GAR
  3. Test with invalid/missing credentials - verify appropriate error messages

Notes

This is the docker-bundle portion of ST-3501. Related PRs:

Note: No unit tests are included in this PR. The existing test patterns in this codebase would need to be followed for proper test coverage.


Link to Devin run: https://app.devin.ai/sessions/554c0e412c984d4c8010abdae36e757d
Requested by: Martin Halamíček (@Halama)

Release Notes

Justification, description

Infrastructure support for GAR (Google Artifact Registry) in DIND job runner. Feature is disabled by default.

Plans for Customer Communication

N/A

Impact Analysis

No impact when disabled (default). When enabled, DIND jobs will pull component images from GAR instead of ECR.

Deployment Plan

Merge & automatic deploy. Feature requires explicit enablement via infrastructure configuration.

Rollback Plan

Revert of this PR.

Post-Release Support Plan

N/A
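
Added example, not code from this PR or the project: a sketch of the two checklist items above on URL transformation and `docker login` construction. It anchors the ECR-to-GAR rewrite to the start of the image ID and sends the JSON key on stdin instead of `--password=`. The function names `rewriteToGar()` and `garLoginCommand()` and all sample values except the GAR URL are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not the PR's getImageId()/getLoginParams().
function rewriteToGar(string $imageId, string $ecrUrl, string $garUrl): string
{
    $ecr = rtrim($ecrUrl, '/');
    $gar = rtrim($garUrl, '/');
    if ($ecr === '' || $gar === '') {
        throw new InvalidArgumentException('ECR_REGISTRY_URL and GAR_REGISTRY_URL must be set');
    }
    // The trailing slash pins the match to a path boundary at the start of the ID.
    if (!str_starts_with($imageId, $ecr . '/')) {
        throw new InvalidArgumentException("Image ID does not start with {$ecr}/: {$imageId}");
    }
    return $gar . substr($imageId, strlen($ecr));
}

// Returns [argv, stdin] for docker login. The key travels on stdin, so quotes and
// newlines in the JSON never reach a shell command line or the process list.
function garLoginCommand(string $garUrl, string $keyJson): array
{
    $key = json_decode($keyJson, true);
    if (!is_array($key) || ($key['type'] ?? null) !== 'service_account') {
        throw new InvalidArgumentException('Not a service account JSON key');
    }
    $host = explode('/', $garUrl, 2)[0]; // docker login takes the host, not the repository path
    return [['docker', 'login', '--username', '_json_key', '--password-stdin', "https://{$host}"], $keyJson];
}

// Constructed sample values; only the GAR URL is the example from the PR description.
$ecr = '123456789012.dkr.ecr.us-east-1.amazonaws.com';
$gar = 'us-central1-docker.pkg.dev/project/ecr-cache';
echo rewriteToGar("{$ecr}/vendor/component:1.2.3", $ecr, $gar), PHP_EOL;

// A plain str_replace() also rewrites an ECR host that is not at the start of the ID.
$odd = "mirror.example/{$ecr}/vendor/component:1.2.3";
echo str_replace($ecr, $gar, $odd), PHP_EOL;
try {
    rewriteToGar($odd, $ecr, $gar);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Constructed key content (not a real key) with characters that would need shell escaping.
$keyJson = '{"type":"service_account","private_key":"constructed\nnot a key \" $ `"}';
[$argv, $stdin] = garLoginCommand($gar, $keyJson);
echo implode(' ', $argv), ' (', strlen($stdin), ' bytes on stdin)', PHP_EOL;
```

With Symfony Process, the returned pair maps to `new Process($argv, null, null, $stdin)`, which bypasses shell parsing of the key entirely.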

linear bot commented Jan 20, 2026


Add GoogleArtifactRegistry class for pulling component images from
Google Artifact Registry instead of AWS ECR.

Changes:
- GoogleArtifactRegistry: new Image subclass that handles GAR auth
  using GCP service account JSON key and URL rewriting from ECR to GAR
- ImageFactory: route to GoogleArtifactRegistry when USE_GAR_REGISTRY
  env var is set to 'true' and GAR_REGISTRY_URL/ECR_REGISTRY_URL are
  configured

Environment variables used:
- USE_GAR_REGISTRY: flag to enable GAR (must be 'true')
- GAR_REGISTRY_URL: target GAR URL (e.g., us-central1-docker.pkg.dev/project/ecr-cache)
- ECR_REGISTRY_URL: source ECR URL to replace
- GOOGLE_APPLICATION_CREDENTIALS: path to GCP service account key file

Co-Authored-By: Martin Halamíček <martin@halamicek.cz>
@devin-ai-integration devin-ai-integration bot force-pushed the devin/ST-3501-1768913117-gar-support branch from 69473f0 to 6eacc98 Compare January 20, 2026 12:55
Co-Authored-By: Martin Halamíček <martin@halamicek.cz>
devin-ai-integration bot and others added 3 commits January 20, 2026 14:32
Co-Authored-By: Martin Halamíček <martin@halamicek.cz>
Rename GOOGLE_APPLICATION_CREDENTIALS to GAR_PULL_GOOGLE_APPLICATION_CREDENTIALS
to avoid conflicts with other GCP services that may use the standard variable name.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>