Deploy the Container Registry with Deployment Manager


Rael Garcia

Mar 3, 2019, 4:43:12 PM
to gce-discussion
Hello,

I'm trying to figure out how to initialise the Container Registry for a project with Deployment Manager, but it seems that the only way is by pushing an image.

If you try to create the bucket that GCR will deploy (eu.artifacts.${PROJECT-ID}.appspot.com), it fails as the bucket creation requires `appspot.com` domain ownership:

```
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1551561065099-58322f621f064-85f94e1b-2a7cc248]: errors:
- code: RESOURCE_ERROR
  location: /deployments/${PROJECT-ID}-grc-bucket/resources/eu.artifacts.${PROJECT-ID}.appspot.com-iam-policy
  message: '{"ResourceType":"gcp-types/storage-v1:storage.buckets.setIamPolicy","ResourceErrorCode":"404","ResourceErrorMessage":{"code":404,"errors":[{"domain":"global","message":"Not
    Found","reason":"notFound"}],"message":"Not Found","statusMessage":"Not Found","requestPath":"https://www.googleapis.com/storage/v1/b/eu.artifacts.${PROJECT-ID}.appspot.com/iam","httpMethod":"PUT"}}'
- code: RESOURCE_ERROR
  location: /deployments/${PROJECT-ID}-grc-bucket/resources/eu.artifacts.${PROJECT-ID}.appspot.com
  message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"The
    bucket you tried to create requires domain ownership verification.","reason":"forbidden"}],"message":"The
    bucket you tried to create requires domain ownership verification.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b","httpMethod":"POST","suggestion":"Consider
    granting permissions to **@cloudservices.gserviceaccount.com"}}'

make: *** [dm-create-${PROJECT-ID}/storage/grc-bucket] Error 1
```

My current work around:

1. Pushing an image to the GCR endpoint (the GCR bucket appears in the console)

2. Acquiring the created Cloud Storage bucket and then applying, as code, the policies, ACLs, ... required for my use case to the acquired resource.

```
- name: eu.artifacts.${PROJECT-ID}.appspot.com
  type: storage.v1.bucket
  properties:
    location: eu
    storageClass: multi_regional
- action: gcp-types/storage-v1:storage.buckets.setIamPolicy
  name: eu.artifacts.${PROJECT-ID}.appspot.com-iam-policy
  properties:
    bindings:
    - members:
....
```

Am I missing something? Is there a way to create the GCR resource only with DM?

Thanks,
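The two-step workaround described in the post (push once so GCR creates the bucket, then take the bucket over with Deployment Manager and set its policy as code) written out as one complete config. This is an added example, not the poster's own deployment; the project id, service account names and the roles chosen for them are assumed placeholders, and the `bucket` path parameter on the `setIamPolicy` action is included because the Storage API requires it.

```yaml
# Added example (not from the original post): acquire the bucket that GCR
# created on the first docker push, then replace its IAM policy with an
# explicit, least-privilege set of bindings.
#
# Deploy with the ACQUIRE create policy so DM adopts the existing bucket
# instead of trying to create it (a create attempt is what returns the 403
# "requires domain ownership verification" error for *.appspot.com):
#
#   gcloud deployment-manager deployments create gcr-bucket \
#       --config gcr-bucket.yaml --create-policy ACQUIRE
#
# "my-project-id" and the two service accounts are assumed placeholders.
resources:
# 1. The bucket GCR created. Properties describe the existing bucket; with
#    --create-policy ACQUIRE nothing is created here.
- name: eu.artifacts.my-project-id.appspot.com
  type: storage.v1.bucket
  properties:
    location: EU
    storageClass: MULTI_REGIONAL

# 2. Bucket-level IAM. setIamPolicy REPLACES the whole policy: any principal
#    missing from this list loses access, so every identity that must keep
#    pushing or pulling images has to be listed explicitly. No allUsers /
#    allAuthenticatedUsers binding, so the registry stays private.
- name: eu.artifacts.my-project-id.appspot.com-iam-policy
  action: gcp-types/storage-v1:storage.buckets.setIamPolicy
  metadata:
    dependsOn:
    - eu.artifacts.my-project-id.appspot.com
  properties:
    bucket: eu.artifacts.my-project-id.appspot.com
    bindings:
    # CI identity that pushes images (assumed name; roles/storage.admin is
    # the role GCR documents for push access)
    - role: roles/storage.admin
      members:
      - serviceAccount:ci-pusher@my-project-id.iam.gserviceaccount.com
    # Runtime identity that only pulls images (assumed name); objectViewer
    # grants storage.objects.get/list, which is all a pull needs
    - role: roles/storage.objectViewer
      members:
      - serviceAccount:gke-runtime@my-project-id.iam.gserviceaccount.com
```

Before applying this to a registry that is already in use, dump the current policy with `gsutil iam get gs://eu.artifacts.my-project-id.appspot.com` and carry over every binding you still need, since the action above does not merge with what is there.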

James Richard Boa (Google Cloud Platform Support)

Apr 4, 2019, 8:36:23 AM
to gce-discussion

Hello Rael,


You don’t need to own any domains to be able to push images to the container registry.


From your description it’s hard for me to gauge what you are trying to do. If you can give us some more context or details on your use case it would help us be a little more specific with the help we can provide but I will try to cover as much as I can.


The 403 error you are seeing is definitely a permissions error but I strongly suspect the issue is with the way you are calling the API and most specifically the naming convention.


There is a good example of creating a template for the Deployment manager that deploys a Cloud Storage Bucket[1] in the article below that you can use for reference.


I have also included another reference article below that covers in more detail how to create a container deployment with some example configuration files.


[1] https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/storage-bucket-acl

[2] https://cloud.google.com/deployment-manager/docs/create-container-deployment

Rael Garcia

Apr 5, 2019, 9:25:28 AM
to gce-discussion

Hello James,

Thanks for the update!

What I want to do is deploy a Google Container Registry with Deployment Manager. The problem is that, when trying to create the bucket from DM, it raises the 403 error because the bucket is under the `appspot.com` domain, and any bucket using a FQDN as its name requires ownership of the domain.

So, it looks like you can't deploy a GCR with DM. The only solution I found to be able to manage a GCR with DM, is to trigger the creation of the GCR bucket by pushing an image to the registry and then ACQUIRE the bucket with DM.

The deployment manager deployment I'm using is:


Thanks,

Anthony (Google Cloud Support)

Apr 17, 2019, 9:36:38 AM
to gce-discussion
Hi Rael,

To answer your question,

You can deploy a GCR with DM, however by doing so, the DM will automatically generate a bucket under the ‘appspot.com’. So when you initialize a project with DM by pushing an image, Container Registry creates a storage bucket as per this documentation [1].

The 403 error is indeed triggered because ‘appspot.com’ is a default bucket created by the DM and it isn’t under your ownership, because you do not own the ‘appspot.com’ domain.

However, as you have mentioned, if you already have an existing bucket, then as per this [2] documentation, you can have the DM acquire your bucket by including ACQUIRE when setting the policy.

I hope this helps.

Rael Garcia

May 12, 2019, 6:29:25 AM
to gce-discussion
Hello Anthony,

How can you deploy a GCR with DM?

I don't see in the documentation any reference to the GCR resource:


Neither in:

```
PS C:\Users\rael\Desktop> gcloud deployment-manager types list | grep registry
PS C:\Users\rael\Desktop> gcloud deployment-manager types list | grep container
container.v1.cluster
container.v1.nodePool
```

Do you have some information on how to deploy a GCR with Deployment Manager?

Thanks!

Jason

May 21, 2019, 9:13:29 AM
to gce-discussion
Hi,

There is no service name to enable GCR. The reason is that GCR needs to be enabled for DM to work. When DM is enabled, GCR is enabled automatically.

Rael Garcia

May 24, 2019, 1:09:47 PM
to Jason, gce-discussion
Hello Jason,

Thanks for the review. The problem is that creating a GCR requires an initial docker push. Currently, Deployment Manager cannot create a GCR registry, and we want to have everything as code.

Can this be implemented in the future? Should we open a Feature Request? 

The feature is: Create a GCR with deployment manager (without docker push and without acquiring the generated bucket on the appspot.com domain).

Thanks!

On Tue, May 21, 2019 at 3:13 PM 'Jason' via gce-discussion <gce-dis...@googlegroups.com> wrote:
Hi,

There is no service name to enable GCR. The reason is that GCR needs to be enabled for DM to work. When DM is enabled, GCR is enabled automatically.


Jason

May 27, 2019, 2:23:49 PM
to gce-discussion
Hi,

If you would like this functionality to be available in the future, I would suggest creating a Feature Request by going to "https://issuetracker.google.com" and filing a Feature Request through a Public Issue Tracker. This would be the best avenue to take at this point.