Google Cloud's Artifact Registry is a powerful tool for managing your application's dependencies. This guide demonstrates how to create a Cloud Build pipeline to enable Docker to access Python packages stored in Artifact Registry. By following these steps, you can securely manage dependencies and streamline deployments.
Prerequisites
- Google Cloud Project: Ensure you have a GCP project set up.
- Artifact Registry: A Python repository should already be configured in the Artifact Registry.
- Cloud Build: Enable the Cloud Build API for your project.
- Authentication: Configure service account permissions to access the Artifact Registry.
Steps to Configure Cloud Build
1. Generate an Artifact Registry Token
Use gcloud auth to generate an access token that will allow the Docker build process to authenticate with the Artifact Registry. Here's how you can do this:
steps:
# Generate Artifact Registry token
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
entrypoint: bash
args:
- '-c'
- |
art=$(gcloud auth print-access-token)
echo "$art" > /workspace/artifact_registry_token
echo "$art"
2. Use the Token in Docker Build
Once the token is generated, it can be passed to the docker build process as a build argument. Here's how:
- name: gcr.io/cloud-builders/docker
id: Build
env:
- 'btf=/workspace/artifact_registry_token'
entrypoint: bash
args:
- '-c'
- |
docker build \
--build-arg ARTIFACT_REGISTRY_TOKEN=$(cat $btf) \
--build-arg PROJECT_ID=$PROJECT_ID \
-t test-image:latest \
-f Dockerfile .
3. Create the Dockerfile
The Dockerfile is configured to use the token to download Python packages from Artifact Registry:
# syntax=docker/dockerfile:1
FROM python:3.11-slim
ARG ARTIFACT_REGISTRY_TOKEN
ARG PROJECT_ID
# Keeps Python from buffering stdout and stderr
ENV PYTHONUNBUFFERED=1
WORKDIR /app
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
# Install dependencies using the token
RUN pip install \
--index-url https://pypi.org/simple \
--extra-index-url https://oauth2accesstoken:${ARTIFACT_REGISTRY_TOKEN}@us-central1-python.pkg.dev/${PROJECT_ID}/python-packages/simple/ \
"your-package-name==your-package-version"
# Expose the application port
EXPOSE 8080
# Command to run the application
CMD ["uvicorn", "main:app", "--port=8080", "--host=0.0.0.0"]
4. Add Build Config Options
Finally, define other configurations such as machine type, logging, and substitutions:
options:
machineType: E2_HIGHCPU_8
substitutionOption: ALLOW_LOOSE
logging: CLOUD_LOGGING_ONLY
substitutions:
_PACKAGE: your-package-name==your-package-version
_REPOSITORY: python-packages
_LOCATION: us-central1
_PROJECT_ID: your-project-id
Tags and Metadata
To organize your builds better, include meaningful tags:
tags:
- gcp-cloud-build
- artifact-registry
- docker-python-packages
Summary
This setup ensures that your Docker builds in Cloud Build can securely pull Python dependencies from your Artifact Registry using an access token. Adjust the provided configuration to your project-specific details, such as package names, repository URLs, and deployment targets.
Implementing this pipeline will improve security and make dependency management seamless for your projects.
Top comments (0)