Container Registry
The container registry is where we host the Docker images that are built by TeamCity. VSETH currently has two registries:
Public Registry
eu.gcr.io/vseth-public contains the base images. This registry is publicly reachable on the internet. Since only base images live in this registry, no directory structure is needed and all base images sit directly at the root of the registry, for example:
eu.gcr.io/vseth-public/base
Private Registry
eu.gcr.io/aerial-reef-202214 contains all application images. The path structure mirrors GitLab, so for example the image for https://gitlab.ethz.ch/vseth/0403-isg/sip-api-apps/peopleapi is located at
eu.gcr.io/aerial-reef-202214/vseth/0403-isg/sip-api-apps/peopleapi
Accessing the registry
For developers it is sometimes useful to pull images from this registry instead of building them locally. The authentication methods that can be used to access the registry are described here: https://cloud.google.com/container-registry/docs/advanced-authentication
As a developer you will use the gcloud method. Step-by-step guide:
- Make sure you have gcloud installed and are logged in:
  gcloud auth login
- Then run:
  gcloud auth configure-docker
After this, docker is configured to authenticate with the registry through gcloud. Note that, contrary to the usual docker convention, we do not provide a "latest" tag; images are tagged with the name of the branch they were built from, usually "master" or "main".
Now you should be able to pull docker images, for example:
docker pull eu.gcr.io/aerial-reef-202214/vseth/0403-isg/sip-vseth-apps/vseth-account:master
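A check for the outcome of the steps above, added here as an example and not part of the original page: it reads Docker's config.json and reports whether eu.gcr.io is handled by the gcloud credential helper (the credHelpers entry that gcloud auth configure-docker registers) or by a static token stored in plaintext on disk. The config layout is assumed from Docker's documented format and the sample configs are constructed.

```python
"""Verify that Docker authenticates to the VSETH registry through the gcloud
credential helper (what `gcloud auth configure-docker` writes) rather than
through a static token stored in ~/.docker/config.json."""
import base64
import json
from pathlib import Path

# Registry host used by both the public and the private VSETH registry.
REGISTRIES = ("eu.gcr.io",)


def check_docker_config(config_text: str, hosts=REGISTRIES) -> dict:
    """Map each registry host to one of:
    'helper:<name>' - a credential helper (e.g. gcloud) is used; no secret on disk
    'static-auth'   - a base64 username:secret pair is stored in plaintext
    'missing'       - nothing configured; pulls from the private registry fail
    """
    cfg = json.loads(config_text) if config_text.strip() else {}
    helpers = cfg.get("credHelpers", {})
    auths = cfg.get("auths", {})
    status = {}
    for host in hosts:
        if host in helpers:
            status[host] = f"helper:{helpers[host]}"
        elif host in auths or f"https://{host}" in auths:
            status[host] = "static-auth"
        else:
            status[host] = "missing"
    return status


def static_auth_user(config_text: str, host: str) -> str:
    """Return only the username half of a stored static credential, which shows
    what kind of credential was written (e.g. 'oauth2accesstoken')."""
    auths = json.loads(config_text).get("auths", {})
    entry = auths.get(host) or auths.get(f"https://{host}") or {}
    decoded = base64.b64decode(entry.get("auth", "")).decode()
    return decoded.split(":", 1)[0]


# Constructed sample: the layout gcloud auth configure-docker produces.
GOOD_CONFIG = json.dumps({"credHelpers": {"eu.gcr.io": "gcloud", "gcr.io": "gcloud"}})
# Constructed sample: a static token written by `docker login` (token value is made up).
BAD_CONFIG = json.dumps({"auths": {"eu.gcr.io": {
    "auth": base64.b64encode(b"oauth2accesstoken:ya29.EXAMPLE-TOKEN").decode()}}})

if __name__ == "__main__":
    path = Path.home() / ".docker" / "config.json"
    text = path.read_text() if path.exists() else "{}"
    for host, state in check_docker_config(text).items():
        print(f"{host}: {state}")
```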
ISG Internal
This section is only relevant for the ISG:
Access Control
Access control for the Google Container Registry is managed through the underlying Cloud Storage bucket. More info can be found here: https://cloud.google.com/container-registry/docs/access-control
To give a user or service account access to the registry, set the permissions on that storage bucket.
In general the permissions are:
| Action | Permissions | Role | Role Title |
|---|---|---|---|
| Push (Read and Write) | storage.buckets.create, storage.buckets.delete, storage.buckets.get, storage.buckets.list, storage.buckets.update, storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.list, storage.objects.update | roles/storage.admin | Storage Admin |
| Pull (Read Only) | storage.objects.get, storage.objects.list | roles/storage.objectViewer | Storage Object Viewer |
Source: https://cloud.google.com/container-registry/docs/access-control