drone.io and the GCR

Wednesday, May 22, 2019

For the last week or so I’ve been evaluating drone.io as a replacement for our current CI engine (spoiler: we aren’t going to use it). One thing I ran across that wasn’t immediately obvious was how to pull private images from Google Container Repository. Although there is a thread on the Discourse forums that touches on it, I had to do some testing on my own to actually get it working. Here is what I did.

First, make sure you have a Service Account set up through IAM and that it has the “Storage Creator” and “Storage Viewer” roles assigned. You will also need the Service Account’s JSON access key file.

Next, on a fresh machine (I used a Vagrant machine), install Docker and make sure it works. On this machine, log into the GCR using those JSON credentials. Depending on the age of your Docker install, there are two ways to do this (with or without --password-stdin). I am going to show both below, but you only need to do one of them:

[root@localhost ~]# cat keyfile.json | docker login -u _json_key --password-stdin https://us.gcr.io
unknown flag: --password-stdin
See 'docker login --help'.
[root@localhost ~]# docker login -u _json_key -p "$(cat keyfile.json)" https://us.gcr.io
Login Succeeded

Running on a base CentOS 7 machine with the normal Docker from the CentOS repos, only the second command works. Whichever command works, you want to see Login Succeeded. Once the login has succeeded, you will need to copy the ~/.docker/config.json file. It will look something like this (but WAY longer):

{
	"auths": {
		"https://us.gcr.io": {
			"auth": "INCREDIBLY LONG AUTH STRING"
		}
	}
}

Finally, log into your drone.io project and click on the settings. Under “Secrets”, add this entire JSON into the “Secret Value” field and set the “Secret Name” to dockerconfigjson. Then, at the very end of your .drone.yml file, add the following:

image_pull_secrets:
  - dockerconfigjson

And that’s it! Now you can reference private images that are stored in GCR and use them in your testing and builds.
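
The "auth" value in that config.json is only the base64 encoding of _json_key: followed by the key file, so the drone secret contains the full service account key and should be handled like one. The Python sketch below is an added example, not code from the original post or from drone.io; it builds the same JSON directly from a key file and checks an existing config.json for inline credentials. The sample key, its e-mail address and the function names are constructed for illustration.

```python
import base64
import json

REGISTRY = "https://us.gcr.io"  # registry URL used on this page


def build_docker_config(keyfile_text, registry=REGISTRY):
    """Build the config.json that `docker login -u _json_key` would write."""
    json.loads(keyfile_text)  # fail early if the key file is not valid JSON
    raw = ("_json_key:" + keyfile_text).encode("utf-8")
    auth = base64.b64encode(raw).decode("ascii")
    return {"auths": {registry: {"auth": auth}}}


def inspect_docker_config(config_text):
    """Return {registry: (username, service account email)} per inline auth.

    Raises ValueError when the file holds no inline credentials, which is
    the case when Docker stores logins in a credential helper instead.
    """
    config = json.loads(config_text)
    found = {}
    for registry, entry in config.get("auths", {}).items():
        if "auth" not in entry:
            continue
        decoded = base64.b64decode(entry["auth"]).decode("utf-8")
        username, _, password = decoded.partition(":")
        email = None
        if username == "_json_key":
            email = json.loads(password).get("client_email")
        found[registry] = (username, email)
    if not found:
        helper = config.get("credsStore") or config.get("credHelpers")
        raise ValueError("no inline auth entries (helper: %r)" % (helper,))
    return found


# Constructed sample key: not a real service account, key material elided.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "ci-puller@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    secret_value = json.dumps(build_docker_config(SAMPLE_KEY), indent=2)
    print(secret_value)                         # paste-ready "Secret Value"
    print(inspect_docker_config(secret_value))  # which account it exposes
```

Running the inspection on a copied config.json before pasting it confirms that it actually carries the credentials and shows which service account they belong to.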
