Version: Torizon OS 6.x.y

Google Artifact Registry (GAR)

Introduction

Google Artifact Registry (GAR) is a solution from Google Cloud Platform (GCP) to store container images and language packages.

In this article, we will use the TorizonCore Builder Tool to authenticate against GAR and pre-provision the target devices with the credentials they need to pull a private container image hosted there. This guide assumes you have followed the steps in the Private Registry Introduction and Prerequisites.

Disclaimer

This guide offers a general guideline for further development and, therefore, should always be adapted to your specific use case.

In real-world scenarios, ensure you set up the appropriate access control, authentication and permissions.

Set up the Google Cloud Environment

caution

Please check Configure roles and permissions and Configure authentication to Artifact Registry to find the set of permissions that best fits your specific application.

  1. Create a private registry: For more information, see Quickstart GCP Artifact Registry.

  2. Create two IAM service accounts:

    • One service account with registry management (push) permission for the host machine.
    • Another with read-only (pull) permission for the deployed devices; in this guide we use roles/artifactregistry.reader.

    Each downloaded key file (key.json) contains the credentials for your registry, so keep it in a safe place and restrict its file permissions. Only the read-only key should ever be copied to a device. Grant the service accounts the appropriate roles and enable the Artifact Registry API in the project.

  3. The gcloud CLI is not required to follow this guide, neither on the host machine nor on the target devices.

Get the Authentication Tokens (Host Machine)

tip

In this guide, we are going to use a Service account key. For other authentication methods, please refer to the complete official documentation Configure authentication to Artifact Registry.

  1. In the host machine service account page, create and download the service account keys.

  2. Encode the downloaded <key.json> file with base64, writing the single-line output to <key64.json>:

    $ base64 -w 0 <key.json> > <key64.json>
  3. Log in to the registry with docker so that the credentials are stored in ~/.docker/config.json:

    $ cat <key64.json> | docker login -u <username> --password-stdin <registry-url>
    • The <username> is _json_key_base64, the user name Artifact Registry expects for a base64-encoded service account key.
    • The <registry-url> looks like https://<region>-docker.pkg.dev.
  4. Push the image to the registry. Tag it as <region>-docker.pkg.dev/<project-id>/<repository>/<image>:<tag>; once logged in, docker push works as usual with the host-machine service account key. For more details, check the official documentation docker push in GCP.

Push the GCP Docker Compose File to Torizon Cloud Using TCB

tip

It is a best practice to push a canonicalized version of the docker-compose file to Torizon Cloud: --canonicalize pins every image to its digest, so the devices pull exactly the images you tested.

  1. To use torizoncore-builder platform push with a private registry, authenticate with the following flag:

    --login-to <registry-url> <username> <password>
  2. The <username> is _json_key_base64 and the <password> is the content of <key64.json> produced in the encoding step. Print it with:

    $ cat <key64.json>
  3. Push the docker-compose file to Torizon Cloud. If you are missing <path-to-credentials.zip>, please check the prerequisites.

    $ torizoncore-builder platform push \
    --credentials <path-to-credentials.zip> \
    --login-to <registry-url> <username> <password> \
    --canonicalize \
    <path-to-dockercompose.yml>

Get the Authentication Tokens (Deployed Device)

danger

A service account key from GCP is long-lived: it does not expire on its own, although an expiration date can be set in the Google Cloud Console. Treat the device key as a secret, grant it only roles/artifactregistry.reader, and plan for rotation.

  1. Run the following command on the host machine to save the authentication entry for the read-only service account to /etc/docker/config.json (writing there usually requires root). <deploy-key64.json> is the base64-encoded key of the read-only (device) service account, produced the same way as <key64.json>; do not reuse the host-machine key here. The <username> is again _json_key_base64.

    $ cat <deploy-key64.json> | docker --config /etc/docker login -u <username> --password-stdin <registry-url>
  2. Copy the resulting file (/etc/docker/config.json) from the host machine to the same path on the target device. The file stores the key only base64-encoded, not encrypted, so keep it readable by root only. The device is then ready to receive an update from Torizon Cloud.

    This enables this single device to receive an OTA update. Scaling to a fleet is straightforward with torizoncore-builder and Torizon Cloud; check the section on how to enable multiple devices.
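What docker login actually writes, and how to check the file before it goes to a device, as an added example that is not code from the Toradex page or from torizoncore-builder: the script below rebuilds the config.json entry that the host-machine and device login steps above produce (auths.<host>.auth is base64 of "_json_key_base64:<key64>"), then audits a config.json to confirm it carries a key for the intended read-only service account rather than the host-machine one. It assumes docker stores the entry under the registry host name (the https:// scheme dropped), that one registry is configured per file, and that base64, sed and cut are available. The registry host, project id and service-account e-mail are made-up values, and the sample key is constructed: a real key.json also contains private_key and related fields.

```shell
#!/bin/sh
# Added example (not from the Toradex page or torizoncore-builder): build and
# audit the /etc/docker/config.json entry that `docker login` writes for GAR,
# without needing docker on the machine doing it.
# Assumptions: base64/sed/cut available; entry keyed by registry host name;
# one registry per config file; sample key and names below are constructed.
set -eu

# Base64 without line wrapping (portable alternative to GNU `base64 -w 0`).
b64() { base64 | tr -d '\n'; }
b64d() { base64 -d; }

# Encode a raw service-account key file the way the guide does (key64.json).
encode_key() { b64 < "$1"; }

# Emit the config.json that
#   docker login -u _json_key_base64 --password-stdin https://<host>
# produces: auths.<host>.auth = base64("_json_key_base64:<key64>").
gar_docker_config() {
  host=$1; key64=$2
  auth=$(printf '%s:%s' "_json_key_base64" "$key64" | b64)
  printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' "$host" "$auth"
}

# Pull the auth blob out of a config.json (one registry entry per file assumed).
config_auth() {
  sed -n 's/^[[:space:]]*"auth": *"\([^"]*\)".*/\1/p' "$1"
}

# User name part of the decoded auth blob; must be _json_key_base64 for a base64 key.
auth_user() { printf '%s' "$1" | b64d | cut -d: -f1; }

# Password part (everything after the first colon): the key64 payload.
# Base64 text never contains ':', so the split is unambiguous.
auth_password() { printf '%s' "$1" | b64d | cut -d: -f2-; }

# client_email of the service account inside a base64-encoded key.
key_email() {
  printf '%s' "$1" | b64d | sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p'
}

# Check that a config.json destined for a device carries the intended read-only
# service account. Prints the reason and returns 1 on any mismatch.
audit_device_config() {
  cfg=$1; expected_email=$2
  auth=$(config_auth "$cfg")
  [ -n "$auth" ] || { echo "no auth entry in $cfg"; return 1; }
  [ "$(auth_user "$auth")" = "_json_key_base64" ] || { echo "unexpected user name in $cfg"; return 1; }
  email=$(key_email "$(auth_password "$auth")")
  [ "$email" = "$expected_email" ] || { echo "key belongs to $email, not $expected_email"; return 1; }
  echo "ok: $cfg holds a key for $email"
}

# Constructed sample key: the shape of a GCP service-account key without the
# private_key fields a real one carries. All values are made up.
SAMPLE_KEY='{"type":"service_account","project_id":"example-project","client_email":"device-reader@example-project.iam.gserviceaccount.com"}'

demo() {
  tmp=$(mktemp -d)
  printf '%s' "$SAMPLE_KEY" > "$tmp/deploy-key.json"
  key64=$(encode_key "$tmp/deploy-key.json")
  gar_docker_config "europe-west1-docker.pkg.dev" "$key64" > "$tmp/config.json"
  chmod 600 "$tmp/config.json"   # the blob is only base64, not encrypted
  audit_device_config "$tmp/config.json" "device-reader@example-project.iam.gserviceaccount.com"
}

demo
```

Running the script executes demo, which writes a config.json for the made-up read-only account and audits it. The audit catches the easy mistake in this guide, shipping the host-machine (push) key to a device, by comparing the client_email inside the key with the account you meant to deploy; it cannot see IAM roles, so the role check stays in the Google Cloud Console. Because the auth value is just base64 of "_json_key_base64:<key64>", anyone who can read /etc/docker/config.json on the device has the key, which is why the file should stay root-only.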

For more information on setting up a container update, take a look at the overview article. If you want to learn more, see Torizon Cloud Web Interface.
