Building and Deploying Containers to Google Container Registry (GCR) with CircleCI
The following cookbook describes how to set up automated build and deployment for containers with CircleCI, a useful pattern for scheduling custom jobs in Google Kubernetes Engine.
Note that this method intended for rapid prototyping rather than for production workloads. If you need to transition a prototype to a production deployment, file a Data Platform and Tools > Operations bug to start the conversation.
Assumptions
- Your GitHub project's repository has a working Dockerfile at its root
- If your file is not named
Dockerfileor not located in the repo root, see the docs for the CircleCI GCP-GCR orb for additional configuration
- If your file is not named
- The repository is in the
mozillaGitHub org (or another org with a paid CircleCI account)
Steps
On GCP
- Make sure "Container Registry" (https://console.cloud.google.com/gcr/images/<your-project-id>) is enabled for your GCP project
- Create a service account, give it the "Storage Admin" role and create a key
- Console Link: Google Cloud Platform
- Additional documentation: Configuring access control | Container Registry Documentation
On CircleCI
- IMPORTANT SECURITY STEP
- Go to your project’s CircleCI Advanced Settings Page (e.g. https://circleci.com/gh/mozilla/pensieve/edit#advanced-settings) and make sure that the "Pass secrets to builds from forked pull requests" option is TURNED OFF
- This prevents a bad actor from creating a PR with a CI job that spits out your environment variables to the console, for instance
- If you can't access your project settings page, make sure you’re logged into CircleCI via your Mozilla GitHub account and that you are a project administrator
- Go to your project’s CircleCI Advanced Settings Page (e.g. https://circleci.com/gh/mozilla/pensieve/edit#advanced-settings) and make sure that the "Pass secrets to builds from forked pull requests" option is TURNED OFF
- On the CircleCI Environment Variables page (e.g. https://circleci.com/gh/mozilla/pensieve/edit#env-vars), add:
GOOGLE_PROJECT_ID: the project ID that you created in step 1GOOGLE_COMPUTE_ZONE: any compute zone will do, apparently -- tryus-west1if you're agnosticGCLOUD_SERVICE_KEY: paste in the entire text of the service account key that you generated in step 2- Check out the docs for the CircleCI GCP-GCR orb for other environment variables that you may set
In your GitHub Repo
- In your CircleCI config file add a changeset like this:
- Add automated deployment of docker image to google container registry…
- The
orbdirective allows the use of the CircleCI GCP-GCR orb build-and-push-image job - In your
workflowssection, addgcp-gcr/build-and-push-imageas a job and require any dependencies you’d like to pass before pushing a new image. Assuming you only want this deployment to occur on new commits to main, add a filter for only the main branch (as in the changeset above)
- Create and merge a pull request for this changeset and your newly built image should be in your project’s container registry in a few moments!
Optional
If your repository is public, you may want to make its container registry publicly readable as well. Go to the GCP container registry’s Settings tab and in the "Public access" section change the visibility for gcr.io (the default host if you followed these instructions) to Public.