Create Artifact Registry

Duration: 5 min | Persona: Platform Admin

In this section, you will set up

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
CONTAINER_REGISTRY_NAME=containers
echo "export CONTAINER_REGISTRY_NAME=${CONTAINER_REGISTRY_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
CONTAINER_REGISTRY_HOST_NAME=${GKE_LOCATION}-docker.pkg.dev
echo "export CONTAINER_REGISTRY_HOST_NAME=${CONTAINER_REGISTRY_HOST_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export CONTAINER_REGISTRY_REPOSITORY=${CONTAINER_REGISTRY_HOST_NAME}/${TENANT_PROJECT_ID}/${CONTAINER_REGISTRY_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh

Define Artifact Registry resource

Define the Artifact Registry resource:

cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/artifactregistry.yaml
apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
kind: ArtifactRegistryRepository
metadata:
  name: ${CONTAINER_REGISTRY_NAME}
  namespace: ${TENANT_PROJECT_ID}
spec:
  format: DOCKER
  location: ${GKE_LOCATION}
EOF

Define Artifact Registry reader role

cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/artifactregistry-reader.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: artifactregistry-reader
  namespace: ${TENANT_PROJECT_ID}
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/IAMServiceAccount/${GKE_SA},artifactregistry.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/ArtifactRegistryRepository/${CONTAINER_REGISTRY_NAME}
spec:
  memberFrom:
    serviceAccountRef:
      name: ${GKE_SA}
      namespace: ${TENANT_PROJECT_ID}
  resourceRef:
    kind: ArtifactRegistryRepository
    name: ${CONTAINER_REGISTRY_NAME}
  role: roles/artifactregistry.reader
EOF

Deploy Kubernetes manifests

cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/
git add . && git commit -m "Artifact Registry for GKE cluster" && git push origin main

Check deployments

graph TD;
ArtifactRegistryRepository-.->Project
IAMPolicyMember-->ArtifactRegistryRepository
IAMPolicyMember-.->IAMServiceAccount

List the Kubernetes resources managed by Config Sync in Config Controller for the Tenant project configs repository:

gcloud alpha anthos config sync repo describe \
    --project $HOST_PROJECT_ID \
    --managed-resources all \
    --sync-name repo-sync \
    --sync-namespace $TENANT_PROJECT_ID

Wait and re-run the command above until you see "status": "SYNCED". All the managed_resources listed should have STATUS: Current as well.

List the GitHub runs for the Tenant project configs repository:

cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME && gh run list

List the Google Cloud resources created:

gcloud artifacts repositories get-iam-policy $CONTAINER_REGISTRY_NAME \
    --project $TENANT_PROJECT_ID \
    --location $GKE_LOCATION \
    --filter="bindings.members:${GKE_SA}@${TENANT_PROJECT_ID}.iam.gserviceaccount.com" \
    --flatten="bindings[].members" \
    --format="table(bindings.role)"
gcloud artifacts repositories list \
    --project $TENANT_PROJECT_ID

Wait and re-run the commands above until you see the resources created.
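The get-iam-policy command above only shows the roles held by the GKE service account. A defender usually also wants to confirm that the repository policy grants nothing beyond what this section intended: the GKE service account holds roles/artifactregistry.reader only (a node identity that can also push images would let a compromised workload replace what the cluster pulls), and no public principal (allUsers, allAuthenticatedUsers) has any role. The following is an added example, not part of the workshop or the gcloud CLI. It assumes the policy is exported as role,member lines with the gcloud flags shown in the comment (csv[no-heading] is an existing gcloud format; the sample policies embedded below are constructed, and the project id and service account name in them are placeholders).

```shell
# Added example (not from the workshop): audit an Artifact Registry
# repository IAM policy for bindings that break the least-privilege intent
# of this section. Input lines are "role,member", the shape produced by:
#   gcloud artifacts repositories get-iam-policy "$CONTAINER_REGISTRY_NAME" \
#     --project "$TENANT_PROJECT_ID" --location "$GKE_LOCATION" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
# gcloud prefixes service account members with "serviceAccount:", so the
# expected member for this workshop is
#   serviceAccount:${GKE_SA}@${TENANT_PROJECT_ID}.iam.gserviceaccount.com

# audit_registry_policy EXPECTED_MEMBER
#   Reads role,member lines from stdin, prints one FINDING line per issue and
#   returns 0 only when EXPECTED_MEMBER holds nothing but the reader role and
#   no public principal appears in the policy.
audit_registry_policy() {
    expected_member="$1"
    findings=0
    while IFS=, read -r role member; do
        # skip blank lines
        [ -z "$role" ] && continue
        # any role granted to a public principal makes the registry public
        case "$member" in
            allUsers|allAuthenticatedUsers)
                echo "FINDING: public principal $member has $role"
                findings=$((findings + 1)) ;;
        esac
        # the GKE node identity should only be able to pull, never push
        if [ "$member" = "$expected_member" ] && [ "$role" != "roles/artifactregistry.reader" ]; then
            echo "FINDING: $member has $role, expected only roles/artifactregistry.reader"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample policies (placeholder project id and service account).
EXPECTED_MEMBER='serviceAccount:gke-sa@tenant-project-placeholder.iam.gserviceaccount.com'
GOOD_POLICY='roles/artifactregistry.reader,serviceAccount:gke-sa@tenant-project-placeholder.iam.gserviceaccount.com'
BAD_POLICY='roles/artifactregistry.reader,serviceAccount:gke-sa@tenant-project-placeholder.iam.gserviceaccount.com
roles/artifactregistry.writer,serviceAccount:gke-sa@tenant-project-placeholder.iam.gserviceaccount.com
roles/artifactregistry.reader,allUsers'

# Stand-alone demonstration: the good policy is silent, the bad one prints
# two findings (an unexpected writer role and a public principal).
printf '%s\n' "$GOOD_POLICY" | audit_registry_policy "$EXPECTED_MEMBER" && echo "good policy: no findings"
printf '%s\n' "$BAD_POLICY" | audit_registry_policy "$EXPECTED_MEMBER" || echo "bad policy: needs attention"
```

To run it against the live repository, replace the printf with the gcloud command from the comment and pass "serviceAccount:${GKE_SA}@${TENANT_PROJECT_ID}.iam.gserviceaccount.com" as the expected member; a non-zero exit makes the check usable as a gate in the GitHub run you listed with gh run list.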