Google Container Registry w/ OCI
I’ve been spending some time this week with Krustlet.
I’m working on documenting how to run Krustlet(s) alongside GKE. I’ve been running a Krustlet with MicroK8s.
The Krustlet demos reference WASM assemblies stored in Azure Container Registry as OCI containers. Google Container Registry supports OCI format and so I tried (successfully) using GCR instead of ACR.
There may be an easier approach but this is how I got this working.
Krustlet uses wasm-to-oci. I was challenged by wasm-to-oci authentication. wasm-to-oci uses ORAS. It turns out that, after authenticating using ORAS, I’m able to use wasm-to-oci to authenticate to a GCR registry!
PROJECT=[YOUR-PROJECT]
BILLING=[YOUR-BILLING]
gcloud projects create ${PROJECT}
gcloud alpha billing projects link ${PROJECT} \
--billing-account=${BILLING}
# Enable Container Registry
gcloud services enable containerregistry.googleapis.com \
--project=${PROJECT}
Then, using ORAS (!), log in with a gcloud access token:
gcloud auth print-access-token |\
oras login \
-u oauth2accesstoken \
--password-stdin \
https://gcr.io
IIUC this configures Docker authentication. This can be shown with:
more ${HOME}/.docker/config.json
{
  "auths": {
    "https://gcr.io": {
      "auth": "b2F1dGgy..."
    }
  }
}
Unfortunately, this isn’t trivial for me to test, but I suspect you should be able to do the following for the same result:
gcloud auth print-access-token |\
docker login \
-u oauth2accesstoken \
--password-stdin \
https://gcr.io
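The `auth` value that the login writes to `config.json` is only base64 of `username:secret`, so anyone who can read the file can recover the access token. The following is an added example, not code from the original post: a small audit that reports which registries hold an inline secret and whether the file is readable by other users. The function names and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import os
import stat

def audit_docker_config(config_text, file_mode=None):
    """Return findings for each registry credential in a Docker config.json."""
    config = json.loads(config_text)
    findings = []
    for registry, entry in config.get("auths", {}).items():
        encoded = entry.get("auth")
        if not encoded:
            # Empty entry: the secret lives in a credential helper or store.
            findings.append({"registry": registry, "inline_secret": False})
            continue
        # "auth" is base64("username:secret"): an encoding, not encryption.
        user, _, secret = base64.b64decode(encoded).decode().partition(":")
        findings.append({
            "registry": registry,
            "inline_secret": True,
            "username": user,
            "secret_length": len(secret),  # never print the secret itself
        })
    return {
        "findings": findings,
        "uses_helper": bool(config.get("credsStore") or config.get("credHelpers")),
        # Group/other permission bits on the file expose inline secrets.
        "too_permissive": bool(file_mode is not None and file_mode & 0o077),
    }

def audit_file(path):
    """Audit a config.json on disk, including its permission bits."""
    with open(path) as handle:
        text = handle.read()
    return audit_docker_config(text, stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: same shape as the file above, with a fake token.
SAMPLE_TOKEN = "ya29.constructed-not-a-real-token"
SAMPLE_AUTH = base64.b64encode(
    f"oauth2accesstoken:{SAMPLE_TOKEN}".encode()).decode()
SAMPLE = json.dumps({"auths": {"https://gcr.io": {"auth": SAMPLE_AUTH}}})

if __name__ == "__main__":
    print(json.dumps(audit_docker_config(SAMPLE, file_mode=0o644), indent=2))
```

Run `audit_file` against `${HOME}/.docker/config.json` after logging in. The token printed by `gcloud auth print-access-token` is short-lived, so an inline entry stops working once it expires and the login has to be repeated.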
Optionally, test push and pull using oras:
echo "Hello Freddie!" > artifact.txt
oras push gcr.io/${PROJECT}/hello-freddie:v1 ./artifact.txt
Should yield something similar to:
Uploading 0060e7e892de artifact.txt
Pushed gcr.io/${PROJECT}/hello-freddie:v1
Digest: sha256:c330be5cf8bbc34f87db380aaba72e774d7ee1064085b3e2ec2b071be292e2a2
And:
oras pull gcr.io/${PROJECT}/hello-freddie:v1
Downloaded 0060e7e892de artifact.txt
Pulled gcr.io/${PROJECT}/hello-freddie:v1
Digest: sha256:c330be5cf8bbc34f87db380aaba72e774d7ee1064085b3e2ec2b071be292e2a2
cat ./artifact.txt
Hello Freddie!
Then, assuming you have a signed WASM lying around… I had a run-through on this waSCC tutorial and hello_signed.wasm available.
wasm-to-oci push hello_signed.wasm gcr.io/${PROJECT}/hello-freddie:v2
which yielded:
INFO[0008] Pushed: gcr.io/${PROJECT}/hello-freddie:v2
INFO[0008] Size: 7216465
INFO[0008] Digest: sha256:ded794404cc982a510a238d5e2710f08f9fd08c4527ffa504391df14e1af6bab
gcloud container images list --project=${PROJECT}
NAME
gcr.io/${PROJECT}/hello-freddie
gcloud container images list-tags gcr.io/${PROJECT}/hello-freddie
DIGEST TAGS TIMESTAMP
ded794404cc9 v2 2020-05-08T12:00:00
c330be5cf8bb v1 2020-05-08T12:00:00
Then:
wasm-to-oci pull gcr.io/${PROJECT}/hello-freddie:v2
INFO[0001] Pulled: gcr.io/${PROJECT}/hello-freddie:v2
INFO[0001] Size: 7216465
INFO[0001] Digest: sha256:f5974be7d9d8eee1ed009dd1cbcf25d275740ae2c3645fd8e30adf711a4035ef