From 16a79d95b56f53050384a21c3c2a35baa9d871fb Mon Sep 17 00:00:00 2001 From: Chander Ganesan Date: Sat, 3 Oct 2020 16:07:42 -0400 Subject: [PATCH] Update to improve the private registry docs (#633) * Update to improve the private registry docs * minor adjustments I know it's totally OK to enumerate a list using the same number in markdown, but for the sake of people reading the raw docs, I'd still like them to be numbered. Also removed a superfluous `version: 3` and made sure all other versions were set to `"3.4"`. Co-authored-by: Simon Aronsson --- docs/private-registries.md | 106 ++++++++++++++++++++++++------------- 1 file changed, 70 insertions(+), 36 deletions(-) diff --git a/docs/private-registries.md b/docs/private-registries.md index 147e307..535b3e8 100644 --- a/docs/private-registries.md +++ b/docs/private-registries.md @@ -59,14 +59,14 @@ docker run [...] -v /.docker/config.json:/config.json containr When creating the watchtower container via docker-compose, use the following lines: ```yaml -version: "3" -[...] -watchtower: - image: index.docker.io/containrrr/watchtower:latest - volumes: +version: "3.4" +services: + watchtower: + image: index.docker.io/containrrr/watchtower:latest + volumes: - /var/run/docker.sock:/var/run/docker.sock - /.docker/config.json:/config.json -[...] + ... ``` #### Docker Config path @@ -74,10 +74,13 @@ By default, watchtower will look for the `config.json` file in `/`, but this can Example usage: ```yaml -watchtower: - image: containrrr/watchtower - environment: - DOCKER_CONFIG: /config +version: "3.4" + +services: + watchtower: + image: containrrr/watchtower + environment: + DOCKER_CONFIG: /config volumes: - /etc/watchtower/config/:/config/ - /var/run/docker.sock:/var/run/docker.sock 
@@ -94,6 +97,12 @@ helper in a separate container and mount it using volumes. ### Example Example implementation for use with [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper): + +Use the dockerfile below to build the [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper), +in a volume that may be mounted onto your watchtower container. + +1. Create the Dockerfile (contents below): + ```Dockerfile FROM golang:latest 
@@ -111,43 +120,68 @@ RUN go build \ WORKDIR /go/bin/ ``` +2. Use the following commands to build the aws-ecr-dock-cred-helper and store it's output in a volume: + +```shell script +# Create a volume to store the command (once built) +docker volume create helper + +# Build the container +docker build -t aws-ecr-dock-cred-helper . + +# Build the command and store it in the new volume in the /go/bin directory. +docker run -d --rm --name aws-cred-helper --volume helper:/go/bin aws-ecr-dock-cred-helper + +``` + +3. Create a configuration file for docker, and store it in $HOME/.docker/config.json (replace the + placeholders with your AWS Account ID): + +```json +{ + "credsStore" : "ecr-login", + "HttpHeaders" : { + "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)" + }, + "auths" : { + ".dkr.ecr.us-west-1.amazonaws.com" : {} + }, + "credHelpers": { + ".dkr.ecr.us-west-1.amazonaws.com" : "ecr-login" + } +} +``` + +4. Create a docker-compose file (as an example) to help launch the container: + and the docker-compose definition: ```yaml -version: "3" - +version: "3.4" services: + # Check for new images and restart things if a new image exists + # for any of our containers. 
watchtower: - image: index.docker.io/containrrr/watchtower:latest + image: containrrr/watchtower:latest volumes: - /var/run/docker.sock:/var/run/docker.sock - - /.docker/config.json:/config.json + - .docker/config.json:/config.json - helper:/go/bin environment: - HOME=/ - PATH=$PATH:/go/bin - - AWS_REGION= - - AWS_ACCESS_KEY_ID= - - AWS_SECRET_ACCESS_KEY= + - AWS_REGION=us-west-1 volumes: - helper: {} + helper: + external: true ``` -and for `/.docker/config.json`: -```json - { - "HttpHeaders" : { - "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)" - }, - "credsStore" : "osxkeychain", - "auths" : { - "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : {}, - "https://index.docker.io/v1/": {} - }, - "credHelpers": { - "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : "ecr-login", - "index.docker.io": "osxkeychain" - } - } -``` +A few additional notes: -*Note:* `osxkeychain` can be changed to your preferred credentials helper. +1. With docker-compose the volume (helper, in this case) MUST be set to `external: true`, otherwise docker-compose + will preface it with the directory name. +2. Note that "credsStore" : "ecr-login" is needed - and in theory if you have that you can remove the + credHelpers section +3. I have this running on an EC2 instance that has credentials assigned to it - so no keys are needed; however, + you may need to include the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables as well. +4. An alternative to adding the various variables is to create a ~/.aws/config and ~/.aws/credentials files and + place the settings there, then mount the ~/.aws directory to / in the container.
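Review bot: In the first compose example (hunk `@@ -59,14 +59,14 @@`), the trailing `...` that replaces `[...]` sits inside a `yaml` fence, where `...` is YAML's document-end marker. Depending on its indentation, a reader who copies the block gets either a parse error or a document that ends early. A comment line such as `# ...` marks the elision without changing how the snippet parses.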
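Review bot: The sentence added above the Dockerfile (hunk `@@ -94,6 +97,12 @@`) repeats the amazon-ecr-credential-helper link that the preceding "Example implementation for use with" line already carries, and the comma before "in a volume" splits the clause. Suggest folding the two sentences into one and writing "Dockerfile" with a capital, matching step 1. Since step 1 now tells readers to build this image themselves and the result handles registry credentials, it is also worth replacing the unpinned `FROM golang:latest` in the context line with a fixed tag while this section is being touched.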
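Review bot: In the last hunk (`@@ -111,43 +120,68 @@`), step 3 stores the file in `$HOME/.docker/config.json`, but the compose file in step 4 mounts `.docker/config.json:/config.json`, which resolves relative to the compose file's directory, so the two only agree when the compose file lives in `$HOME`. Either say so in step 4 or use the same path in both places. In the closing notes, item 4 says to mount `~/.aws` "to / in the container"; with `HOME=/` set in the service environment the target should read `/.aws`, ideally mounted read-only. Item 2 states that `"credsStore" : "ecr-login"` is needed and that `credHelpers` can be removed "in theory": `credsStore` applies to every registry without its own `credHelpers` entry, so this wording should be verified and the docs should state which of the two settings is actually required. Smaller points: the unchanged line "and the docker-compose definition:" now duplicates the new step 4 heading and can be dropped, "store it's output" in step 2 should be "its", and item 3 ("I have this running on an EC2 instance") reads better in the impersonal voice used by the rest of the page.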