Optionally mirror dependent Docker Hub images

[sethvargo]

Also allow customizing the image used in CI via an environment variable.

Fixes #959

Release Note

Add Terraform module to optionally mirror dependent Docker Hub images for tests

/assign @chaodaiG

[sethvargo]

@chaodaiG to use this, we'll need to:

1. Choose a project to host the mirror (could be any of them)
2. Run the Terraform there and grant the Prow service account read permissions
3. Set the CI_POSTGRES_IMAGE environment variable to point to the Artifact Registry image instead

Any thoughts on which project we should use? I already ran the Terraform against one for testing, so we could use that one. It doesn't have to be the same project as Prow.

[chaodaiG]

@chaodaiG to use this, we'll need to:

1. Choose a project to host the mirror (could be any of them)
2. Run the Terraform there and grant the Prow service account read permissions
3. Set the CI_POSTGRES_IMAGE environment variable to point to the Artifact Registry image instead

Any thoughts on which project we should use? I already ran the Terraform against one for testing, so we could use that one. It doesn't have to be the same project as Prow.

The GCP projects used for testing are not relevant in presubmit tests right now, the only cluster used for presubmit tests is the prow build cluster. So I would prefer let prow build cluster host these images.

2. Run the Terraform there and grant the Prow service account read permissions

The prow service account used for test is the default compute engine service account for the project, I can grant it permission

[sethvargo]

So I would prefer let prow build cluster host these images.

That would involve a decent amount of setup on the prow projects.

The prow service account used for test is the default compute engine service account for the project, I can grant it permission

See the PR in the -infra repo (I CCed you).

[chaodaiG]

I see your point, and agreed. we can use one of the test project for this, let's use apollo-boskos-key-terraform-02

[sethvargo]

@chaodaiG do we run the risk of that project being auto-deleted or cleaned up? I'd rather use one of our more static projects.

[chaodaiG]

@sethvargo , actually you're right, there is a risk of cloud run service being cleaned up, but it's controlled by us. I wouldn't imagine the images being cleaned up though.

For static project, we don't have a different static project yet other than the prow build cluster, if desired we can set up another one, but it'll take some time for a reason.

[chaodaiG]

/lgtm
/approve

[google-oss-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chaodaiG, sethvargo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [chaodaiG,sethvargo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment