Triggers for Container Registry

Events for setting up a trigger
- Filtering events
Roles required for the proper operation of a trigger for Container Registry
Trigger message format Container Registry

Triggers for Container Registry run a function when certain events occur with a Docker-image from Yandex Container Registry. The trigger must be in the same cloud as the registry, whose events it's subscribed to.

A trigger for Container Registry needs a service account to invoke the function.

Events for setting up a trigger

Events with Docker images that can be tracked using a trigger:

Creating a Docker image.
Deleting a Docker image.
Creating a Docker image tag.
Deleting a Docker image tag.

A Docker image is always pushed with a tag (if no tag is specified, Docker automatically inserts the latest tag). Therefore the CreateImage event is always paired with CreateImageTag. You can add an arbitrary number of tags to a Docker image by pushing the same image with other tags. In this case, only the CreateImageTag event will occur, without CreateImage.

A tag can go from one Docker image to another. This happens when pushing a new Docker image with a tag that is already used in another Docker image. In this case, the CreateImage event will occur for the new Docker image, while changing the tag will trigger two events: DeleteImageTag (removing the tag from the old Docker image) and CreateImageTag (assigning the tag to the new Docker image).

When you delete a Docker image, all its tags are deleted. This is why deleting a Docker image always triggers the DeleteImage event and as many DeleteImageTag events as the Docker image had tags at the time of deletion.

Filtering events

Events are filtered using tags and names of Docker images that you push. When using a name and tag at the same time, filtering is done based on the logical AND: for the trigger to work, the image must match both the name and tag.

Roles required for the proper operation of a trigger for Container Registry

To create a trigger, you need a permission for a service account that runs the trigger executing the operation. This permission is included in the roles iam.serviceAccounts.user, editor, and higher.
To create a trigger, you'll also need the container-registry.images.puller role for the registry whose events the trigger will handle.
To run a trigger, the service account needs the serverless.functions.invoker role for the folder containing the function called by the trigger.

Learn more about access management.

Trigger message format Container Registry

After the trigger is activated, it sends the following message to the function:

{
  "messages": [
  {
    "event_metadata": {
          "cloud_id": "b1gvlrnl************",
          "created_at": "2020-09-07T11:09:14Z",
          "event_id": "crtpk611************",
          "event_type": "yandex.cloud.events.containerregistry.CreateImage",
          "folder_id": "b1g88tfl************",
          "tracing_context": {
            "parent_span_id": "-1491579************",
            "span_id": "-7232663************",
            "trace_id": "70e7************"
          }
        },
      "details": {
        "image_digest": "sha256:45f8f740272f1f2a053eade37d8d************************************",
        "image_id": "crti2c9b************",
        "registry_id": "crt2504s************",
        "repository_name": "crt2504s************/ubuntu",
        "tag": "latest"
      }
    }
  ]
}