Skip to main content

Publicación

Publishing Docker images to a registry is an essential step in sharing and distributing the container images you have built.

For this purpose, we make use of the following tool in this project:

Crane

Crane is a tool that facilitates the manipulation and management of Docker images in remote registries. It is specially designed to work with alternative registries to the default Docker registry, such as Amazon ECR, Google Container Registry, Azure Container Registry, among others.

Crane Key Features: Simplified Interface: Provides a simple command line interface for managing images in registries other than the default Docker registry.

Support for Alternate Registries: Crane allows you to work with a variety of registries, making it useful for projects that do not rely on Docker Hub as their primary image repository.

Authentication and Credential Management: Facilitates authentication and credential management for interacting with remote records, allowing users to easily authenticate to access and manipulate images in these records.

Image Push and Pull: Allows you to push and pull images to and from remote registries, similar to how you work with the default Docker registry.

Tag and Version Management: Crane provides options for managing image tags and versions, making it easy to identify and manipulate specific versions of images.

Advantages of using Crane:

  1. Facilitates Migration: For projects that migrate between different image logs, Crane simplifies the process by providing a dedicated image manipulation tool.

  2. Registry Choice Flexibility: Allows teams to use alternative registries to Docker Hub based on their infrastructure needs and security policies.

  3. Automation in Workflows: Supporting a variety of records, it can be easily integrated into automated workflows and CI/CD scripts.

Crane Usage: Installation: Crane can be installed as a standalone tool and then used via the command line.

  1. Basic Commands: Provides commands such as crane pull, crane push, crane auth, among others, which are analogous to Docker commands but adapted to work with remote logs.

  2. Credentials Configuration: Before interacting with remote registries, it is required to configure the corresponding credentials for authentication.

Limitations: While Crane is useful for working with alternate logs, it may have some limitations compared to the more comprehensive and specific functionality offered by the native tools of the remote logs themselves.

Usage

GitLab Integration

The first thing we have to do is to register the credentials of our container registrar in the CI/CD variables of gitlab, for them we go to Harbor and create a robot account, we can make it global or per project.

As our idea is always to think about security, we have to configure it with the minimum privileges which we see in the image.

Permissions

We create our token and add it to the variables.

Token

variables CI

Now that we have the users ready we can publish the previously generated image in the job docker_build

.gitlab-ci.yml
docker_push:
stage: push_image
dependencies: ["docker_build"]
variables:
GIT_STRATEGY: none
image:
name: gcr.io/go-containerregistry/crane:v0.16.1
entrypoint: [""]
script:
- cd tar_images
- |
crane auth login -u $DOCKER_REGISTRY_USER -p $DOCKER_REGISTRY_PASS $DOCKER_REGISTRY_URL;
for tar_image in *.tar;
do
crane push $tar_image $DOCKER_REGISTRY_URL/osdo/osdo-app:$CI_COMMIT_SHORT_SHA -v;
DIGEST=$(crane digest $DOCKER_REGISTRY_URL/osdo/osdo-app:$CI_COMMIT_SHORT_SHA);
echo "DIGEST=${DIGEST}" >> digest.env
done
artifacts:
reports:
dotenv: tar_images/digest.env
expire_in: 10 min

The stage called docker_push is located at stage push_image of the CI/CD cycle and is responsible for performing the push of the Docker images that have been previously built at stage docker_build.

  • dependencies: ["docker_build"]: This stage depends on the successful outcome of the docker_build stage, which ensures that the images to be pushed are built correctly before proceeding with the release.

  • variables: GIT_STRATEGY: none: The GIT_STRATEGY variable is set to none, indicating that no Git-specific strategy is required for this stage, as it is mainly container operations.

  • image: The Docker image gcr.io/go-containerregistry/crane:v0.16.1 is used to execute image push related operations. This image includes the crane tool, which is used to interact with container logs.

  • script: In this section, a script is executed that performs the following actions:

    • Authenticate with the container registry using the credentials provided in the environment variables $DOCKER_REGISTRY_USER and $DOCKER_REGISTRY_PASS, along with the registry URL $DOCKER_REGISTRY_URL.
    • Switch to the tar_images directory, which is where the Docker images in .tar format that were built earlier are located.
    • Iterate through each .tar file in the directory.
    • Then, use crane to push the image to the registry by specifying the image tag as $CI_COMMIT_SHORT_SHA (which is usually a single version generated by GitLab).
    • Captures the digest value of the image just pushed and stores it in a file named digest.env.
  • artifacts: This section is configured to collect and store the digest.env file as an artifact. This is useful to have a record of the digest of the uploaded image, which we will use in the next steps to sign it.