Building and Deploying Containers to Google Container Registry (GCR) with CircleCI

The following cookbook describes how to set up automated build and deployment for containers with CircleCI, a useful pattern for scheduling custom jobs in Google Kubernetes Engine.

Note that this method is intended for rapid prototyping rather than for production workloads. If you need to transition a prototype to a production deployment, file a Data Platform and Tools > Operations bug to start the conversation.

Assumptions

  • Your GitHub project's repository has a working Dockerfile at its root
    • If your file is not named Dockerfile or not located in the repo root, see the docs for the CircleCI GCP-GCR orb for additional configuration
  • The repository is in the mozilla GitHub org (or another org with a paid CircleCI account)

Steps

On GCP

On CircleCI

  • IMPORTANT SECURITY STEP
    • Go to your project’s CircleCI Advanced Settings Page (e.g. https://circleci.com/gh/mozilla/pensieve/edit#advanced-settings) and make sure that the "Pass secrets to builds from forked pull requests" option is TURNED OFF
      • This prevents a bad actor from, for instance, opening a PR whose CI job prints your environment variables (including the service account key) to the build log
    • If you can't access your project settings page, make sure you’re logged into CircleCI via your Mozilla GitHub account and that you are a project administrator
  • On the CircleCI Environment Variables page (e.g. https://circleci.com/gh/mozilla/pensieve/edit#env-vars), add:
    • GOOGLE_PROJECT_ID: the project ID that you created in step 1
    • GOOGLE_COMPUTE_ZONE: any compute zone will do, apparently -- try us-west1 if you're agnostic
    • GCLOUD_SERVICE_KEY: paste in the entire text of the service account key that you generated in step 2
    • Check out the docs for the CircleCI GCP-GCR orb for other environment variables that you may set

In your GitHub Repo

  • In your CircleCI config file, add a changeset like this:
  • Create and merge a pull request for this changeset, and your newly built image should appear in your project’s container registry within a few moments!
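As an added example (not the page's own changeset), here is a minimal `.circleci/config.yml` that uses the CircleCI GCP-GCR orb to build the Dockerfile at the repository root and push the result to gcr.io. The orb reads the GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID and GOOGLE_COMPUTE_ZONE variables you set on the Environment Variables page. The orb version, the `build-and-push-image` job and its parameter names are taken from the orb's documentation as understood here and should be checked against the current orb docs before use; the image name `my-image` and the `main` branch filter are assumptions.

```yaml
version: 2.1

orbs:
  # CircleCI's GCP-GCR orb. The version shown is an example; pin to one you have reviewed.
  gcp-gcr: circleci/gcp-gcr@0.15.0

workflows:
  build-and-push:
    jobs:
      # Builds ./Dockerfile and pushes gcr.io/$GOOGLE_PROJECT_ID/my-image:<commit sha>.
      # Authentication uses GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID and GOOGLE_COMPUTE_ZONE
      # from the project's CircleCI environment variables.
      - gcp-gcr/build-and-push-image:
          registry-url: gcr.io
          image: my-image          # assumed image name; choose your own
          tag: $CIRCLE_SHA1        # one immutable tag per commit rather than a moving "latest"
          # If your Dockerfile is not at the repo root, see the orb docs for the
          # parameters that point at a different file or build context.
          filters:
            branches:
              only: main           # assumed default branch; only merged code gets pushed
```

The branch filter complements the "Pass secrets to builds from forked pull requests" setting above: with both in place, code from an unreviewed pull request never runs with the service account key, and only commits that have landed on the default branch produce an image in the registry. Tagging with the commit SHA also lets you trace any image back to the exact source that built it.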

Optional

If your repository is public, you may want to make its container registry publicly readable as well. Go to the GCP container registry’s Settings tab and in the "Public access" section change the visibility for gcr.io (the default host if you followed these instructions) to Public.