Google Cloud - Google Cloud Registry (GCR)

Giriş

Açıklaması şöyle

Most of the time, developers store their docker images in the Docker Hub. If you are working on a project and you have private images that need to be stored in a private place, most of the time developers configure a nexus server and store it there.

But Google Cloud’s GCR is a perfect solution to this problem. With GCR, you can store, manage, and secure your Docker container images easily. All you want is a service account with proper access permission. GCR is not just a docker repository. You can easily set up CI/CD pipelines with integration to Cloud Build or deploy directly to Google Kubernetes Engine, App Engine, Cloud Functions, or Firebase with GCR.

Sunucu İsimleri

Açıklaması şöyle

- gcr.io hosts images in data centers in the United States, but the location may change in the future

- us.gcr.io hosts images in data centers in the United States, in a separate storage bucket from images hosted by gcr.io

- eu.gcr.io hosts the images in the European Union

- asia.gcr.io hosts images in data centers in Asia

GCloud and configure

Önce şöyle yaparız

Go to Google Container Registry (GCR) and enable the Container Registry API.

Google hesabına giriş için şöyle yaparız

gcloud auth login

Daha sonra servise erişmek gerekir. Açıklaması şöyle

Then run the command to configure authentication with service account credentials. Replace the below variables.

- service_account_name — the name of the service account created in step 01.
- project_id — your project ID
- downloaded_key_file_name — the name of the downloaded key file in step 01.

Servise erişmek için şöyle yaparız

gcloud auth 
  activate-service-account  <SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com> 
  --key-file=<DOWNLOADED_KEY_FILE_NAME>.json

docker konfigürasyonuna GCR'yi eklemek için şöyle yaparız

gcloud auth configure-docker

Çıktısı şöyle

Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. 
We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file
located at [/Users/romina/.docker/config.json]:
{
 "credHelpers": {
   "gcr.io": "gcloud",
   "us.gcr.io": "gcloud",
   "eu.gcr.io": "gcloud",
   "asia.gcr.io": "gcloud",
   "staging-k8s.gcr.io": "gcloud",
   "marketplace.gcr.io": "gcloud"
 }
}
Do you want to continue (Y/n)?  Y
Docker configuration file updated.

Örnek

us-east1 için şöyle yaparız

gcloud auth configure-docker us-east1-docker.pkg.dev

GCR'ye Image Push

1. Yerel image retag'lenir

2. Sonra image push'laınr

Örnek

Yerel image'a retag atmak için şöyle yaparız

docker tag hello-world:latest gcr.io/PROJECT_ID/hello-world:v1

Kontrol etmek için şöyle yaparız

docker images

Push'lamak için şöyle yaparız

docker push gcr.io/PROJECT_ID/hello-world:v1

Kontrol etmek için şöyle yaparız

docker pull gcr.io/PROJECT_ID/hello-world:v1

Örnek

Şöyle yaparız

docker tag my-image us-east1-docker.pkg.dev/my-project/my-repo/test-image
docker push us-east1-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG

GCR'yi Başka Bir Kubernetes Ortamından Kullanmak - imagePullSecrets

Authentication

Herhangi bir GCR'ye erişmek için doğrulama gerekir. 

1. Create Credentials for GCR

Adımlar şöyle

1. Go to the GCP Console. Select “API & Services” > “Credentials”

2. Select “Create credentials” > “Services Account Key” > “Create New Services Account”.

3. And then, fill the service account name, and for the Role, select the Viewer

4. And click Create. After we create, the credential will automatically be downloaded in a JSON file.

2. Add a Kubernetes Secret in Kubernetes Cluster

Örnek

Şöyle yaparız. secret ismi gcr-json-key. Dosya ismi json-key-file-from-gcp.json

$ kubectl create secret docker-registry gcr-json-key \
 --docker-server=asia.gcr.io \
 --docker-username=_json_key \
 --docker-password="$(cat ~/json-key-file-from-gcp.json)" \
 --docker-email=any@valid.email

Secret'ı kontrol etmek için şöyle yaparız

$ kubectl get secret
NAME         TYPE                                  DATA   AGE
gcr-json-key kubernetes.io/dockerconfigjson        1      6s

3: Using the Secret for Deployment

Burada iki seçenek var. Bunlar şöyle

- Add the secret into ImagePullSecrets in default service account in a Kubernetes’s namespace.   With this  method, every pod that will be deployed will use the secret when pulling the images.

- The other way is, add the secret directly to deployment configuration to each pod who needs it.

kubetctl komutuna eklemek için şöyle yaparız

$ kubectl patch serviceaccount default \
-p '{"imagePullSecrets": [{"name": "gcr-json-key"}]}'

yaml dosyasına eklemek için şöyle yaparız. Burada image isminde "gcr.io/PROJECT_ID/hello-world" gibi bir şey kullanıldığını görebiliriz.

apiVersion: v1
kind: Pod
metadata:
  name: august
spec:
  containers:
  - name: august
    image: asia.gcr.io/personal-project/august:latest
  imagePullSecrets:
  - name: gcr-json-key