Google Container Registry with Google Apps

The Container Registry allows you to easily push your Docker images to Cloud Storage.

Nominally, the registry entry for an image will be gcr.io/projectname/imagename, where projectname is the name of the project on the Developer Console and imagename is whatever id you want. At this point, however, both of these only reliably seem to support A-Za-z_-.

TL;DR: If you're using my container script:

echo REMOTE=gcr.io/projectname/imagename >> container.cfg

Or, for Google Apps:

echo REMOTE=b.gcr.io/bucketname/imagename >> container.cfg

Then, you can simply

./container.sh push

Bucket Setup

Since I have a Google Apps domain, my Developer Console projects are all kylelemons.net:$project, which can't be used as the projectname in the gcr.io registry. I've found two ways around this problem:

Solution 1: Separate Project

My first solution was to use a non-Google-Apps project for the Cloud Storage. This turned out to be somewhat more complicated than I had anticipated. I did end up getting it working, so I want to try to document it here.

  1. If you haven't already, spin up a GKE Cluster.
    • I believe this will ensure that the right robot accounts are created.
  2. Create a public project (yourproject below)
  3. Create a storage bucket named artifacts.yourproject.appspot.com
  4. Configure the ACL for the bucket
    • Log into the developer console for your apps project (example.com:project below)
    • Open the Permissions tab and copy the Compute Engine Service Account (it will be something like 123...789@project.gserviceaccount.com)
      • If you have multiple service accounts listed, you can run curl http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/email from a running instance to find the service account to use
    • Go to the public storage bucket in Storage > Cloud Storage > Storage Browser
    • Edit the bucket permissions to add a "User" with the service account as a "Reader"
    • Do the same for the default object permissions
  5. Use gcloud docker push to push the image.
    • Check the permissions on the repositories/library/imagename/tag_latest file within the bucket to ensure that the permissions applied correctly.

If you are doing this after the fact, you can use the following command to update the already-created objects (note the :R after the service account):

gsutil -m acl ch -r -u 123...789@project.gserviceaccount.com:R gs://artifacts.yourproject.appspot.com  
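The bucket ACL, the default object ACL and the ACL on already-pushed objects all have to end up granting the service account read access and nothing broader. The following Python is an added example, not part of the original post or of gsutil, that checks one ACL document for that. It assumes the JSON list printed by gsutil acl get (or gsutil defacl get); the function name audit_acl, the sample ACL and the all-zero service account address are constructed for illustration.

```python
import json

# Entities that make a bucket or object readable beyond the intended account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gsutil acl get` JSON output; the project
# number and service account address are placeholders, not real values.
SAMPLE_ACL = """
[
  {"entity": "project-owners-000000000000", "role": "OWNER",
   "projectTeam": {"projectNumber": "000000000000", "team": "owners"}},
  {"entity": "user-000000000000@project.gserviceaccount.com",
   "email": "000000000000@project.gserviceaccount.com", "role": "READER"},
  {"entity": "allUsers", "role": "READER"}
]
"""


def audit_acl(acl_json, service_account):
    """Return findings for one ACL document (bucket, default object, or object)."""
    findings = []
    sa_roles = set()
    for entry in json.loads(acl_json):
        entity = entry.get("entity", "")
        role = entry.get("role", "")
        if entity in PUBLIC_ENTITIES:
            findings.append(f"public grant: {entity} has {role}")
        # A user grant is reported as entity "user-<email>"; compare case-insensitively.
        if entity.lower() == f"user-{service_account}".lower():
            sa_roles.add(role)
    if not sa_roles:
        findings.append(f"missing grant: {service_account} has no entry")
    # The steps above only call for Reader; anything else is more than the cluster needs.
    for role in sorted(sa_roles - {"READER"}):
        findings.append(f"excess grant: {service_account} has {role}, expected READER")
    return findings


if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL, "000000000000@project.gserviceaccount.com"):
        print(finding)
```

Run it once per ACL: the bucket, its default object ACL, and the tag_latest object mentioned in step 5.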

Solution 2: Bucket registry

It turns out that you can use a special b prefix to specify a bucket name instead of a project name! You can use b.gcr.io to push to an existing Google Cloud Storage bucket!

With this solution, it's as simple as

docker tag your/docker-image b.gcr.io/bucketname/imagename 
gcloud docker push b.gcr.io/bucketname/imagename