Using Google Container Builder Service from Gitlab CE

Raju Dawadi
Google Cloud - Community
2 min read · Apr 20, 2018

I am a big fan of GitLab, but when it comes to a container registry, Google Cloud Container Builder is a lot more flexible, fast and also economical, with very little overhead. Whether you have lots of builds or lots of pulls (for instance after adopting a container orchestration platform such as Kubernetes), or need to manage which identities are allowed to pull Docker images, it is easy with the Google Cloud Platform Container Builder. Vulnerability scanning is there out of the box.

Create Google Cloud Service Account for Gitlab Runner

Create a new service account from the IAM & admin section with a suitable name and download its key. Then assign the roles that Container Builder needs to the service account. For now, we give it the Cloud Container Builder Editor, Storage Admin and Project Viewer roles. (Storage Admin is a project-wide role; once the pipeline works, consider narrowing it to the Cloud Build staging bucket the service account actually writes to.) Log in to the GitLab server and activate the service account:

    gcloud auth activate-service-account [ACCOUNT] --key-file=[KEY_FILE]

Create .gitlab-ci.yml

    stages:
      - build

    build:
      stage: build
      script:
        # "gcloud container builds submit" is the 2018-era command; newer SDKs
        # expose the same operation as "gcloud builds submit".
        - gcloud container builds submit . --config=cloudbuild.yaml --substitutions BRANCH_NAME=$CI_COMMIT_REF_NAME,_IMAGE_NAME=$IMAGE_NAME
      only:
        - branches

Create an $IMAGE_NAME CI/CD environment variable; it is the name we will use when pulling the Docker image. For example, mycoolimage is the IMAGE_NAME of gcr.io/myproject/mycoolimage.

Create cloudbuild.yaml

    steps:
    - name: gcr.io/cloud-builders/docker
      args: ['build', '-t', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}:${BRANCH_NAME}', '.']
    # Push exactly the tag that was built, so the result does not depend on
    # whether the Docker version in the builder pushes all tags or only :latest.
    images: ['gcr.io/$PROJECT_ID/${_IMAGE_NAME}:${BRANCH_NAME}']

Register Runner

For simplicity, we install the gcloud SDK on the GitLab server and register a shell runner using the project's registration token.

Now, every push to any branch triggers a container build, with the branch name as the image tag.

Bonus: Delete untagged or past docker images on GCR

When a new Docker image is built with the same tag as a previous one, the old image loses the tag and the newer image receives it. So when you have lots of builds, unused untagged images pile up in Cloud Storage. Here is how to remove them:

    # --format='value(name)' prints repository names only, without the NAME
    # header line that the default table output would feed into the loop.
    for reg in $(gcloud container images list --repository=gcr.io/[PROJECT_NAME] --format='value(name)'); do
      # -tags:* selects manifests that carry no tag at all
      for digest in $(gcloud container images list-tags "${reg}" --filter='-tags:*' --format='get(digest)' --limit=50); do
        gcloud container images delete "${reg}@${digest}" --quiet
      done
    done

A Kubernetes CronJob that deletes untagged Google container images at the end of each day (the pod needs Google credentials, for example the service account key mounted and activated, which this manifest does not include):

    # batch/v1beta1 was current in 2018; Kubernetes 1.21+ serves CronJob as batch/v1
    apiVersion: batch/v1beta1
    kind: CronJob
    metadata:
      name: gcloud-cron
      namespace: default
    spec:
      concurrencyPolicy: Allow
      failedJobsHistoryLimit: 1
      jobTemplate:
        metadata:
          creationTimestamp: null
        spec:
          template:
            metadata:
              creationTimestamp: null
            spec:
              containers:
              - args:
                - /bin/bash
                - -c
                - |
                  for reg in $(gcloud container images list --repository=gcr.io/[PROJECT_NAME] --format='value(name)'); do
                    for digest in $(gcloud container images list-tags "${reg}" --filter='-tags:*' --format='get(digest)' --limit=50); do
                      gcloud container images delete "${reg}@${digest}" --quiet
                    done
                  done
                image: google/cloud-sdk
                imagePullPolicy: Always
                name: gcloud-cron
                resources: {}
                terminationMessagePath: /dev/termination-log
                terminationMessagePolicy: File
              dnsPolicy: ClusterFirst
              restartPolicy: OnFailure
              schedulerName: default-scheduler
              securityContext: {}
              terminationGracePeriodSeconds: 30
      # daily at midnight; cron has five fields (minute hour day-of-month month day-of-week),
      # and a day-of-month of 0 is not valid
      schedule: "0 0 * * *"
      successfulJobsHistoryLimit: 3
      suspend: false
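Because the loop above (and the CronJob that wraps it) deletes images irreversibly, it is worth being able to see the list first. The script below is an added example, not code from the original post: it packages the same cleanup with a dry-run mode that only prints what would be deleted, and reads the CLI name from a GCLOUD variable so the logic can be exercised against a stub. The project id is passed as the first argument (an assumption of this script), and `--format='value(...)'` is used so that neither the NAME header nor any other table decoration ends up in the loop.

```shell
#!/bin/sh
# Added example (not from the original post): delete untagged images under
# gcr.io/<project>, with a dry-run mode so the list can be reviewed first.
# GCLOUD names the CLI to invoke; it defaults to gcloud and may be pointed at
# a stub when testing. The project id is assumed to arrive as $1.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Repositories under gcr.io/<project>, one per line, without the table
# header that the default output format prints.
list_repos() {
  "$GCLOUD" container images list --repository="gcr.io/$1" --format='value(name)'
}

# Digests in one repository that carry no tag at all, one per line.
untagged_digests() {
  "$GCLOUD" container images list-tags "$1" --filter='-tags:*' \
    --format='value(digest)' --limit=50
}

# cleanup_untagged PROJECT [DRY_RUN]
# Prints one line per untagged image ("would delete ..." in dry-run mode,
# "deleted ..." otherwise) followed by a final "total: N" line.
cleanup_untagged() {
  project="$1"
  dry_run="${2:-true}"
  count=0
  for repo in $(list_repos "$project"); do
    for digest in $(untagged_digests "$repo"); do
      ref="${repo}@${digest}"
      if [ "$dry_run" = "true" ]; then
        echo "would delete $ref"
      else
        "$GCLOUD" container images delete "$ref" --quiet
        echo "deleted $ref"
      fi
      count=$((count + 1))
    done
  done
  echo "total: $count"
}

# Usage: ./gcr-cleanup.sh my-project        (dry run: list only)
#        ./gcr-cleanup.sh my-project false  (actually delete)
if [ "$#" -gt 0 ]; then
  cleanup_untagged "$1" "${2:-true}"
fi
```

Run it once in dry-run mode and read the list before switching to deletion; the same script body can replace the inline `/bin/bash -c` string in the CronJob once a dry run has confirmed it only touches untagged digests.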
