Trigger for Container Registry that sends messages to WebSocket connections
A trigger for Container Registry sends messages to WebSocket connections when certain events occur with a Container Registry Docker image. The trigger must be in the same cloud as the registry whose events it is subscribed to.
A trigger for Container Registry requires a service account to send messages to WebSocket connections.
For more information about creating a trigger for Container Registry, see Creating a trigger for Container Registry that sends messages to WebSocket connections.
Events for setting up a trigger
Events with Docker images that can be tracked using a trigger:
- Creating a Docker image.
- Deleting a Docker image.
- Creating a Docker image tag.
- Deleting a Docker image tag.
A Docker image is always pushed with a tag (if no tag is specified, Docker automatically inserts the "latest" tag). Therefore the CreateImage event is always paired with CreateImageTag. You can add an arbitrary number of tags to a Docker image by pushing the same image with other tags. In this case, only the CreateImageTag event will occur, without CreateImage.
A tag can go from one Docker image to another. This happens when pushing a new Docker image with a tag that is already used in another Docker image. In this case, the CreateImage event will occur for the new Docker image, while changing the tag will trigger two events: DeleteImageTag (removing the tag from the old Docker image) and CreateImageTag (assigning the tag to the new Docker image).
When you delete a Docker image, all its tags are deleted. This is why deleting a Docker image always triggers the DeleteImage event and as many DeleteImageTag events as the Docker image had tags at the time of deletion.
Filtering events
Events are filtered using tags and names of Docker images that you push. When using a name and tag at the same time, filtering is done based on the logical AND: for the trigger to work, the image must match both the name and tag.
Batching
Batching settings allow you to send multiple events to WebSocket connections in one go. They set an upper limit on the event group size and on the event group accumulation time. For example, if the event group size is 3, WebSocket connections can receive groups containing from 1 to 3 events.
Roles required for the proper operation of a trigger for Container Registry
- To create a trigger, you need:
  - Permission for the service account under which the trigger executes the operation. This permission comes with the iam.serviceAccounts.user and editor roles or higher.
  - The container-registry.images.puller role for the registry whose events are processed by the trigger.
- To activate a trigger, the service account needs the api-gateway.websocketBroadcaster role for the folder containing the API gateway.
Read more about access management.
Container Registry trigger message format
After the trigger fires, it will send the following message to WebSocket connections:
{
  "messages": [
    {
      "event_metadata": {
        "cloud_id": "b1gvlrnlw2e6********",
        "created_at": "2020-09-07T11:09:14Z",
        "event_id": "crtpk611vb7g********",
        "event_type": "yandex.cloud.events.containerregistry.CreateImage",
        "folder_id": "b1g88tfl0pl8********",
        "tracing_context": {
          "parent_span_id": "-14915794679********",
          "span_id": "-72326631357********",
          "trace_id": "70e7m4n2********"
        }
      },
      "details": {
        "image_digest": "sha256:45f8f740272f1f2a053eade37d8d************************************",
        "image_id": "crti2c9b************",
        "registry_id": "crt2504s************",
        "repository_name": "crt2504s************/ubuntu",
        "tag": "latest"
      }
    }
  ]
}
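As an added example (not part of the original documentation), a consumer of these messages can replay the CreateImageTag and DeleteImageTag events described above to detect a tag being re-pointed to a different image digest, which matters when deployments pull by mutable tag. It assumes that every event type carries the same details fields as the CreateImage sample; the names tag_moves, make_batch and SAMPLE and all sample values are constructed for illustration.

```python
import json

def tag_moves(batches):
    """Replay batched trigger messages; return (current tag->digest, tag moves)."""
    current, last_seen, flagged, moves = {}, {}, {}, []
    for raw in batches:
        for msg in json.loads(raw).get("messages", []):
            kind = msg["event_metadata"]["event_type"].rsplit(".", 1)[-1]
            d = msg["details"]  # assumption: same fields for all event types
            key, digest = (d.get("repository_name"), d.get("tag")), d.get("image_digest")
            if kind == "CreateImageTag":
                old = last_seen.get(key)  # also set by an earlier delete
                if old is not None and old != digest:
                    moves.append(key + (old, digest))
                    flagged[key] = digest
                current[key] = last_seen[key] = digest
            elif kind == "DeleteImageTag":
                last_seen.setdefault(key, digest)
                cur = current.get(key)
                if cur == digest:
                    del current[key]  # tag removed from this image
                elif cur is not None and flagged.get(key) != cur:
                    moves.append(key + (digest, cur))  # create arrived first
                    flagged[key] = cur
            # CreateImage / DeleteImage do not change tag state here.
    return current, moves

# Constructed sample data (placeholder repository name and digests).
def make_batch(*events):
    return json.dumps({"messages": [
        {"event_metadata": {"event_type":
            "yandex.cloud.events.containerregistry." + kind},
         "details": {"repository_name": "crtEXAMPLE/ubuntu",
                     "image_digest": digest, "tag": tag}}
        for kind, digest, tag in events]})

SAMPLE = [
    make_batch(("CreateImage", "sha256:aaa", "latest"),
               ("CreateImageTag", "sha256:aaa", "latest")),   # first push
    make_batch(("CreateImageTag", "sha256:aaa", "v1")),       # extra tag only
    make_batch(("CreateImage", "sha256:bbb", "latest"),
               ("DeleteImageTag", "sha256:aaa", "latest"),
               ("CreateImageTag", "sha256:bbb", "latest")),   # tag re-pointed
    make_batch(("DeleteImage", "sha256:aaa", "v1"),
               ("DeleteImageTag", "sha256:aaa", "v1")),       # image deleted
]
```

Calling tag_moves(SAMPLE) returns the surviving tag-to-digest map and one recorded move of "latest" from the first digest to the second; a tag deleted and later recreated on a different image is reported the same way.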