Tuesday, 19 July 2022

Google Cloud - Google Cloud Registry (GCR)

Introduction
The explanation is as follows
Most of the time, developers store their docker images in the Docker Hub. If you are working on a project and you have private images that need to be stored in a private place, most of the time developers configure a nexus server and store it there.

But Google Cloud’s GCR is a perfect solution to this problem. With GCR, you can store, manage, and secure your Docker container images easily. All you want is a service account with proper access permission. GCR is not just a docker repository. You can easily set up CI/CD pipelines with integration to Cloud Build or deploy directly to Google Kubernetes Engine, App Engine, Cloud Functions, or Firebase with GCR.
Host Names
The explanation is as follows
gcr.io hosts images in data centers in the United States, but the location may change in the future
us.gcr.io hosts images in data centers in the United States, in a separate storage bucket from images hosted by gcr.io
eu.gcr.io hosts the images in the European Union
asia.gcr.io hosts images in data centers in Asia
GCloud and configure
First, we do the following
Go to Google Container Registry (GCR) and enable the Container Registry API.
To log in to the Google account, we do the following
gcloud auth login
Next, we need to access the service. The explanation is as follows
Then run the command to configure authentication with service account credentials. Replace the below variables.
- service_account_name — the name of the service account created in step 01.
- project_id — your project ID
- downloaded_key_file_name — the name of the downloaded key file in step 01.
To access the service, we do the following
gcloud auth activate-service-account <SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com> \
  --key-file=<DOWNLOADED_KEY_FILE_NAME>.json
To add GCR to the Docker configuration, we do the following
gcloud auth configure-docker
The output is as follows
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. 
We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file
located at [/Users/romina/.docker/config.json]:
{
 "credHelpers": {
   "gcr.io": "gcloud",
   "us.gcr.io": "gcloud",
   "eu.gcr.io": "gcloud",
   "asia.gcr.io": "gcloud",
   "staging-k8s.gcr.io": "gcloud",
   "marketplace.gcr.io": "gcloud"
 }
}
Do you want to continue (Y/n)?  Y
Docker configuration file updated.
Example
For us-east1, we do the following
gcloud auth configure-docker us-east1-docker.pkg.dev
Pushing an Image to GCR
1. The local image is retagged
2. Then the image is pushed
Example
To retag the local image, we do the following
docker tag hello-world:latest gcr.io/PROJECT_ID/hello-world:v1
To check, we do the following
docker images
To push, we do the following
docker push gcr.io/PROJECT_ID/hello-world:v1
To check, we do the following
docker pull gcr.io/PROJECT_ID/hello-world:v1
Example
We do the following
docker tag my-image us-east1-docker.pkg.dev/my-project/my-repo/test-image
docker push us-east1-docker.pkg.dev/my-project/my-repo/test-image


Using GCR from Another Kubernetes Environment - imagePullSecrets

Authentication
Authentication is required to access any GCR registry.

1. Create Credentials for GCR
The steps are as follows
1. Go to the GCP Console. Select “API & Services” > “Credentials”
2. Select “Create credentials” > “Services Account Key” > “Create New Services Account”.
3. And then, fill the service account name, and for the Role, select the Viewer
4. And click Create. After we create, the credential will automatically be downloaded in a JSON file.
2. Add a Kubernetes Secret in Kubernetes Cluster
Example
We do the following. The secret name is gcr-json-key. The file name is json-key-file-from-gcp.json
$ kubectl create secret docker-registry gcr-json-key \
--docker-server=asia.gcr.io \
--docker-username=_json_key \
--docker-password="$(cat ~/json-key-file-from-gcp.json)" \
--docker-email=any@valid.email
To check the secret, we do the following
$ kubectl get secret
NAME         TYPE                                  DATA   AGE
gcr-json-key kubernetes.io/dockerconfigjson        1      6s
3. Using the Secret for Deployment
There are two options here. They are as follows
- Add the secret into ImagePullSecrets in default service account in a Kubernetes’s namespace. With this method, every pod that will be deployed will use the secret when pulling the images.

- The other way is, add the secret directly to deployment configuration to each pod who needs it.
To add it with the kubectl command, we do the following
$ kubectl patch serviceaccount default \
-p '{"imagePullSecrets": [{"name": "gcr-json-key"}]}'
To add it to the YAML file, we do the following. Here we can see that the image name uses something like "gcr.io/PROJECT_ID/hello-world".
apiVersion: v1
kind: Pod
metadata:
  name: august
spec:
  containers:
  - name: august
    image: asia.gcr.io/personal-project/august:latest
  imagePullSecrets:
  - name: gcr-json-key
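
What the gcr-json-key secret actually holds, as an added example that is not part of the original post: `kubectl create secret docker-registry` stores the whole service account key file base64-encoded, not encrypted. This Python code decodes a secret in the shape returned by `kubectl get secret gcr-json-key -o json` and reports which service account key is embedded; the function names and the sample key are constructed for illustration.

```python
import base64
import json


def build_pull_secret(server, key_json, name="gcr-json-key"):
    """Rebuild the object `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    cfg = {"auths": {server: {"username": "_json_key", "password": key_json,
                              "email": "any@valid.email", "auth": auth}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name}, "data": {".dockerconfigjson": blob}}


def embedded_service_account_keys(secret):
    """Return one finding per registry entry that carries a service account key."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return []
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    findings = []
    for server, entry in json.loads(raw).get("auths", {}).items():
        user, password = entry.get("username"), entry.get("password")
        if user is None and "auth" in entry:  # only the combined field is set
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        if user != "_json_key":
            continue
        try:
            key = dict(json.loads(password))
        except (TypeError, ValueError):
            continue  # password is not a JSON key file
        findings.append({
            "secret": secret["metadata"]["name"], "registry": server,
            "service_account": key.get("client_email"),
            "key_id": key.get("private_key_id"),
            "has_private_key": "private_key" in key,
        })
    return findings


# Constructed sample key file: every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    for finding in embedded_service_account_keys(build_pull_secret("asia.gcr.io", SAMPLE_KEY)):
        print(finding)
```

Each finding identifies a long-lived key that any principal allowed to read secrets in the namespace can recover, which makes the reported key_id the one to track for rotation.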

