Create Artifact Registry
Duration: 5 min | Persona: Platform Admin
In this section, you will set up your own private Artifact Registry repositories to store all the container images and the Helm charts required for this workshop. You will also grant read-only access (roles/artifactregistry.reader), scoped to each repository rather than to the whole project, to two Google Service Accounts: the GKE's GSA for the container images, and a dedicated GSA that Config Sync's RepoSync will use for the Helm charts.
Initialize variables:
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
CONTAINER_REGISTRY_NAME=containers
echo "export CONTAINER_REGISTRY_NAME=${CONTAINER_REGISTRY_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
CHART_REGISTRY_NAME=charts
echo "export CHART_REGISTRY_NAME=${CHART_REGISTRY_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
CONTAINER_REGISTRY_HOST_NAME=${GKE_LOCATION}-docker.pkg.dev
echo "export CONTAINER_REGISTRY_HOST_NAME=${CONTAINER_REGISTRY_HOST_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export CONTAINER_REGISTRY_REPOSITORY=${CONTAINER_REGISTRY_HOST_NAME}/${TENANT_PROJECT_ID}/${CONTAINER_REGISTRY_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export CHART_REGISTRY_REPOSITORY=${CONTAINER_REGISTRY_HOST_NAME}/${TENANT_PROJECT_ID}/${CHART_REGISTRY_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export HELM_CHARTS_READER_GSA=helm-charts-reader" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh
Define Artifact Registry containers repository
Define the Artifact Registry containers repository:
cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/artifactregistry-containers.yaml
apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
kind: ArtifactRegistryRepository
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: ${TENANT_PROJECT_ID}
  name: ${CONTAINER_REGISTRY_NAME}
  namespace: ${TENANT_PROJECT_ID}
spec:
  format: DOCKER
  location: ${GKE_LOCATION}
EOF
Define the Artifact Registry reader role for the GKE's GSA on the containers repository (the binding targets the repository resource, not the project, so the nodes can only pull from this repository):
cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/artifactregistry-reader.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: artifactregistry-reader
  namespace: ${TENANT_PROJECT_ID}
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/IAMServiceAccount/${GKE_SA},artifactregistry.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/ArtifactRegistryRepository/${CONTAINER_REGISTRY_NAME}
spec:
  memberFrom:
    serviceAccountRef:
      name: ${GKE_SA}
      namespace: ${TENANT_PROJECT_ID}
  resourceRef:
    kind: ArtifactRegistryRepository
    name: ${CONTAINER_REGISTRY_NAME}
  role: roles/artifactregistry.reader
EOF
Define Artifact Registry charts repository
Define the Artifact Registry charts repository (Helm charts are stored as OCI artifacts, so the repository format is DOCKER as well):
cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/artifactregistry-charts.yaml
apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
kind: ArtifactRegistryRepository
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: ${TENANT_PROJECT_ID}
  name: ${CHART_REGISTRY_NAME}
  namespace: ${TENANT_PROJECT_ID}
spec:
  format: DOCKER
  location: ${GKE_LOCATION}
EOF
Define Artifact Registry reader role for the RepoSync's GSA for the Helm charts
Define a dedicated Google Service Account for reading the Helm charts repository (kept separate from the GKE's GSA so that each identity holds only the access it needs):
cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/repo-syncs-sa.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: ${TENANT_PROJECT_ID}
  name: ${HELM_CHARTS_READER_GSA}
  namespace: ${TENANT_PROJECT_ID}
spec:
  displayName: ${HELM_CHARTS_READER_GSA}
EOF
cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/artifactregistry-charts-reader.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: artifactregistry-charts-reader
  namespace: ${TENANT_PROJECT_ID}
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/IAMServiceAccount/${HELM_CHARTS_READER_GSA},artifactregistry.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/ArtifactRegistryRepository/${CHART_REGISTRY_NAME}
spec:
  memberFrom:
    serviceAccountRef:
      name: ${HELM_CHARTS_READER_GSA}
      namespace: ${TENANT_PROJECT_ID}
  resourceRef:
    kind: ArtifactRegistryRepository
    name: ${CHART_REGISTRY_NAME}
  role: roles/artifactregistry.reader
EOF
Deploy Kubernetes manifests
cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/
git add . && git commit -m "Artifact Registry for containers and charts for GKE cluster" && git push origin main
Check deployments
graph TD;
  ArtifactRegistryRepository-.->Project
  IAMPolicyMember-->ArtifactRegistryRepository
  IAMPolicyMember-.->IAMServiceAccount
List the Kubernetes resources managed by Config Sync in Config Controller for the Tenant project configs repository:
Run this command and click on this link:
echo -e "https://console.cloud.google.com/kubernetes/config_management/packages?project=${HOST_PROJECT_ID}"
Wait until you see the Sync status column as Synced and the Reconcile status column as Current.
Run this command:
gcloud alpha anthos config sync repo describe \
--project $HOST_PROJECT_ID \
--managed-resources all \
--sync-name repo-sync \
--sync-namespace $TENANT_PROJECT_ID
Wait and re-run the command above until you see "status": "SYNCED". All the managed_resources listed should have STATUS: Current too.
List the GitHub runs for the Tenant project configs repository:
cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME && gh run list
List the Google Cloud resources created. The first command should return exactly one row, roles/artifactregistry.reader, for the GKE's GSA; any additional role (writer, repoAdmin) or any extra member would mean the repository is more exposed than intended:
gcloud artifacts repositories get-iam-policy $CONTAINER_REGISTRY_NAME \
--project $TENANT_PROJECT_ID \
--location $GKE_LOCATION \
--filter="bindings.members:${GKE_SA}@${TENANT_PROJECT_ID}.iam.gserviceaccount.com" \
--flatten="bindings[].members" \
--format="table(bindings.role)"
gcloud artifacts repositories list \
--project $TENANT_PROJECT_ID
Wait and re-run this command above until you see the resources created.
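Checking the IAM policy by eye in a table works for one repository; for a repeatable least-privilege check you can audit the JSON form of the policy instead. The following is an added example written for this page, not part of the workshop's own code. It takes the output of `gcloud artifacts repositories get-iam-policy ... --format=json` (a `bindings` list of `role`/`members` pairs) and reports any public principal, any role beyond reader, and any member that holds reader without being expected to. The two policies embedded below are constructed samples, and the project and service-account names in them are placeholders.

```python
import json

# Repository-level roles that grant more than pull access.
ELEVATED_ROLES = {
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/owner",
    "roles/editor",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
READER_ROLE = "roles/artifactregistry.reader"


def audit_repo_policy(policy, expected_readers):
    """Audit one repository IAM policy (dict parsed from gcloud's JSON output).

    expected_readers: full member strings ("serviceAccount:...") that must hold
    READER_ROLE and nothing more. Returns a list of findings; an empty list
    means the policy matches the workshop's least-privilege intent.
    """
    findings = []
    readers = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        public = members & PUBLIC_PRINCIPALS
        if public:
            findings.append(f"public principal bound to {role}: {sorted(public)}")
        if role in ELEVATED_ROLES:
            findings.append(f"elevated role {role} granted to {sorted(members)}")
        if role == READER_ROLE:
            readers |= members
        if binding.get("condition"):
            # Conditional bindings are flagged rather than evaluated here.
            findings.append(f"conditional binding on {role}; review its expression")
    for member in sorted(set(expected_readers) - readers):
        findings.append(f"expected reader missing: {member}")
    for member in sorted(readers - set(expected_readers)):
        findings.append(f"unexpected reader: {member}")
    return findings


# Constructed sample policies shaped like gcloud's JSON output (placeholder names,
# not captured from a real project).
GOOD_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["serviceAccount:gke-sa@tenant-project.iam.gserviceaccount.com"],
     "role": "roles/artifactregistry.reader"}
  ],
  "etag": "BwXYZ12345=",
  "version": 1
}
""")

BAD_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["allUsers"], "role": "roles/artifactregistry.reader"},
    {"members": ["serviceAccount:gke-sa@tenant-project.iam.gserviceaccount.com"],
     "role": "roles/artifactregistry.writer"}
  ],
  "etag": "BwXYZ12345=",
  "version": 1
}
""")

EXPECTED_READERS = {"serviceAccount:gke-sa@tenant-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for finding in audit_repo_policy(policy, EXPECTED_READERS) or ["no findings"]:
            print(f"{name}: {finding}")
```

To run it against a live repository, pipe `gcloud artifacts repositories get-iam-policy $CONTAINER_REGISTRY_NAME --project $TENANT_PROJECT_ID --location $GKE_LOCATION --format=json` into `json.load` and pass the GSA's full member string as the expected reader; the same function serves the charts repository with `$HELM_CHARTS_READER_GSA`.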