Google Artifact Registry - Docker Repository

Introduction

Bunnyshell supports connecting Google Artifact Registries to your organization, allowing you to use those registries to store your container images and deploy them on Kubernetes clusters.

In order to connect GAR to Bunnyshell, you will need a service account with the following permissions:

  1. artifactregistry.repositories.get: In order to pull images from the cluster after a deployment
  2. artifactregistry.repositories.uploadArtifacts: In order to push images from component builds

🚧

Requirement

If you're just starting out with Google Cloud you will also need permissions to:

  1. Enable Google Artifact Registry within Google Cloud
  2. Create a GAR Docker Repository
  3. Optional: Create a dedicated Service Account
  4. Optional: Create a dedicated IAM role

Enable Google Artifact Registry within Google Cloud

  1. Install the gcloud CLI using the instructions available here.

  2. Enable Google Artifact Registry API using the command below.

gcloud services enable artifactregistry.googleapis.com

Create a GAR Docker Repository

You can skip this if you already have a GAR Docker Repository

  1. Create a GAR Docker Repository using the command below or using the Google Cloud UI:
gcloud artifacts repositories create "{REPOSITORY}" \
	--format json \
	--repository-format docker \
	--immutable-tags \
	\
	--project "{PROJECT}" \
	--location "{LOCATION}" \
;

Example

gcloud artifacts repositories create "bunnyshell" \
	--format json \
	--repository-format docker \
	--immutable-tags \
	\
	--project "bunnyshell-84194" \
	--location "europe" \
;

📘

Note

In the example, bunnyshell-84194 is our Google Cloud Project ID.

When creating a repository:

  1. Take note of the repository name; you will need to specify it when connecting the repository in Bunnyshell
  2. Take note of the location; you will need to specify it when connecting the repository in Bunnyshell
  3. Make sure the repository format is docker

Create a dedicated Service Account

You can skip this if you already have a dedicated Service Account which you can share with Bunnyshell

  1. Create a service account using the command below:
gcloud iam service-accounts create {USER}

Example

gcloud iam service-accounts create bunnyshell-access

📘

Note

In the example, bunnyshell-access is the Google Cloud User ID we used.

Grant access to GAR

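  1. Grant the Service Account access to GAR, using either the predefined admin role (the first command below) or a custom role that carries only the two permissions listed in the introduction (the two commands after it). The custom role is the narrower grant.
gcloud projects add-iam-policy-binding {PROJECT_ID} \
	--member=serviceAccount:{USER}@{PROJECT_ID}.iam.gserviceaccount.com \
	--role=roles/artifactregistry.admin \
;

gcloud iam roles create {ROLE_NAME} \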
	--project={PROJECT_ID} \
	--title="Bunnyshell GAR access" \
	--description="Bunnyshell Google Artifact Registry access" \
	--permissions=artifactregistry.repositories.get,artifactregistry.repositories.uploadArtifacts \
;

gcloud projects add-iam-policy-binding {PROJECT_ID} \
	--member=serviceAccount:{USER}@{PROJECT_ID}.iam.gserviceaccount.com \
	--role=projects/{PROJECT_ID}/roles/{ROLE_NAME} \
;

Example

gcloud projects add-iam-policy-binding bunnyshell-84194 \
	--member=serviceAccount:bunnyshell-access@bunnyshell-84194.iam.gserviceaccount.com \
	--role=roles/artifactregistry.admin \
;

gcloud iam roles create bunnyshell-role \
	--project=bunnyshell-84194 \
	--title="Bunnyshell GAR access" \
	--description="Bunnyshell Google Artifact Registry access" \
	--permissions=artifactregistry.repositories.get,artifactregistry.repositories.uploadArtifacts \
;

gcloud projects add-iam-policy-binding bunnyshell-84194 \
	--member=serviceAccount:bunnyshell-access@bunnyshell-84194.iam.gserviceaccount.com \
	--role=projects/bunnyshell-84194/roles/bunnyshell-role \
;

📘

Note

In this case, bunnyshell-84194 is our Google Cloud Project ID.

Other predefined roles you can use include:

  1. roles/artifactregistry.reader: If you only need to fetch images from GCP
  2. roles/artifactregistry.writer: If Bunnyshell should also be used to build and push images to GCP

Retrieve your Project ID

  1. The Project ID can be fetched by clicking on the {Project Name} in the top bar.

Retrieve a Service Account key

  1. Retrieve the Google Service Account key using the command below:
gcloud iam service-accounts keys create gsa-key.json \
	--iam-account={USER}@{PROJECT_ID}.iam.gserviceaccount.com \
;

Example

gcloud iam service-accounts keys create gsa-key.json \
	--iam-account=bunnyshell-access@bunnyshell-84194.iam.gserviceaccount.com \
;

Connect your GAR Registry

  1. Access the Bunnyshell interface and click the Integrations button on the left side.

  2. Click Container Registries on the left-side menu.

  3. Click the Connect container registry button and select Google Artifact Registry.

  4. A new window will pop up, where you will have to provide the following information:

  • Registry Name: Choose what name your registry will have in Bunnyshell.
  • Repository Name: The name of the repository, as defined in Create a GAR Docker Repository.
  • Region: The location of the repository, that is, where the images will be stored. More details about GAR regions are available on the Google Cloud documentation site.

📘

Note

Bunnyshell supports both single regions and multi regions such as US, EU or ASIA.

Check the official Google Cloud documentation on how multi regions are handled.

📘

Note

If you have a Google Service Account already created, the ID is the string before the @ in the email address.

Example:
In the address bunnyshell-access@bunnyshell-84194.iam.gserviceaccount.com, the string bunnyshell-access is the Google Service Account ID.