Switch to artifact registry for GKE
msvticket opened this issue · 2 comments
Currently Jenkins X on GKE is by default using Container Registry for images. But Google will discontinue container registry and recommends migration to Artifact Registry. https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr
So what is needed is (at least):
- https://github.com/jenkins-x/terraform-google-jx needs to activate artifact registry instead of container registry, add a docker repository and permissions given need to be adjusted accordingly. Also the registry and dockerRegistryOrg need to be added to jx-requirements.yml. The repository name should be configurable but probably default to "oci". Supplying repository region and/or an existing repository should also be possible. The version with these changes needs to be clearly marked as a breaking change. An optional compatibility setting to let the cluster read existing images from container registry might be needed. (It shouldn't be default, since it is likely to cause problems when the container registry is gone.)
- This then needs to be followed up with changes in https://github.com/jx3-gitops-repositories/jx3-terraform-gke
- https://github.com/jx3-gitops-repositories/jx3-gke-gsm
- https://github.com/jenkins-x/jx3-oss-infra
- authentication to registry might need to be updated here https://github.com/jenkins-x/jx3-versions/blob/master/charts/jxgh/jxboot-helmfile-resources/secret-schema.yaml (it could be that tekton handles that automatically)
- Documentation (probably on https://github.com/jenkins-x/terraform-google-jx and advertised where we can (blog, slack, https://jenkins-x.io/v3/develop/faq/config/registries/, where else?)) needs to describe how to transition to artifact registry for an existing Jenkins X installation. Migration of existing images will likely not be automated, but tools provided by Google can be used. On the other hand it might be better to just rebuild your applications. Otherwise you would really need to go the gcr.io compatibility way, which I don't think should be the default. Guidance for those who have already started the migration and created a repository should also be given. Before upgrading terraform-google-jx they would probably need to do some `terraform state rm` to prevent cloud registry from being disabled while migrating. Also https://jenkins-x.io/v3/admin/platforms/google/svc_acct/ needs to be updated to include the role roles/artifactregistry.admin.
The above assumes the same repository is used for all images. If we instead want to follow the convention of having the name of the git repository owner as repository (or in Jenkins X parlance "docker registry org"), support in jx-registry for checking the existence of and, if needed, creating the repository is needed. But I don't think that is worth the effort.
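An added example, not part of the original issue or of any Jenkins X repository: a small audit that finds Container Registry image references in a manifest and shows the Artifact Registry reference each would become, using the single "oci" repository default proposed above. The location `europe-north1`, the project `example-project` and the sample manifest are constructed assumptions; domain-scoped project IDs are not handled.

```python
import re

# Container Registry hostnames (the service the issue says is being discontinued).
GCR_HOSTS = {"gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io"}

# host/project/path[:tag][@digest]; simplified for this example, not a full OCI grammar.
_REF = re.compile(
    r"^(?P<host>[^/]+)/(?P<project>[^/:@]+)/(?P<path>[^:@]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def to_artifact_registry(image, location, repository="oci"):
    """Return the Artifact Registry reference for a Container Registry image.

    Returns None when the image is not hosted on Container Registry, so
    references that already point elsewhere are left alone.
    """
    m = _REF.match(image.strip())
    if not m or m["host"] not in GCR_HOSTS:
        return None
    # Artifact Registry Docker format: LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE
    target = f"{location}-docker.pkg.dev/{m['project']}/{repository}/{m['path']}"
    if m["tag"]:
        target += f":{m['tag']}"
    if m["digest"]:
        target += f"@{m['digest']}"
    return target


def audit_manifest(text, location, repository="oci"):
    """List (line number, old image, new image) for each Container Registry image."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = re.search(r"\bimage:\s*[\"']?([^\s\"']+)", line)
        if m:
            new = to_artifact_registry(m.group(1), location, repository)
            if new:
                findings.append((number, m.group(1), new))
    return findings


# Constructed sample manifest fragment (project and image names are placeholders).
SAMPLE = """\
containers:
- image: gcr.io/example-project/myapp:1.2.3
- image: ghcr.io/jenkins-x/jx-boot:3.2.1
- image: "eu.gcr.io/example-project/team/api:0.0.1"
"""
```

Running `audit_manifest` over rendered manifests before the old registry is disabled shows which workloads still pull from it and would fail without the compatibility setting.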
Hi @msvticket, I made a PR, jenkins-x/terraform-google-jx#235, where I added the GCP Artifact Registry for Docker images. It doesn't need authentication; I used the service account (default to allow nodes to download images), and tekton to upload images.
I made a PR in jx3-terraform-gke to reflect the changes on terraform-google-jx