
When pushing from CircleCI to GCR stops working (as of November 2018)


What to do when pushing from CircleCI to GCR stops working

A push from CircleCI to GCR (Google Container Registry) that had been working until now can suddenly start failing one day.
That happened to me, so here is how I dealt with it.

What I found

I started from here.

Apparently gcloud docker does not support Docker 18.03 and later.

While working through that by trial and error, I got the following message.

unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

Authentication Methods

In short, it is telling me to install docker-credential-gcr.

What I ended up doing

Apart from gcloud auth and deploy, the rest is arbitrary.

"./.circleci/config.yml"
version: '2'
jobs:
  build:
    working_directory: ~/work
    machine: true
    steps:
      - checkout
      - run:
          name: check docker version
          command: |
            docker version
            docker-compose version
      - run:
          name: get dependencies
          command: |
            make dep
      - run:
          name: generate clients
          command: |
            make generate-clients
      - run:
          name: build docker
          command: |
            make build
            docker-compose up -d
      - run:
          name: gcloud auth
          command: |
            ./gcloud.sh
      - deploy:
          command: |
            ./docker-push.sh latest
workflows:
  version: 2
  workflow:
    jobs:
        - build:
            context: <context name>
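
  • For obtaining the credentials, the key point is to use docker-credential-gcr.
  • Right after installing docker-credential-gcr, it is rejected because of the PATH, so copy it to a location that is on the PATH.

"./gcloud.sh"
#!/bin/bash
set -e

# Decode the base64-encoded service account key held in a CircleCI environment variable.
echo "$<Environment Variables name>" | base64 --decode --ignore-garbage > "${HOME}/gcloud-service-key.json"
# The key file is a credential: keep it readable by its owner only.
chmod 600 "${HOME}/gcloud-service-key.json"
sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update
# Install the credential helper and copy it to a directory that is on the PATH.
sudo /opt/google-cloud-sdk/bin/gcloud components install docker-credential-gcr
sudo cp -p /opt/google-cloud-sdk/bin/docker-credential-gcr /usr/bin/
sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account --key-file "${HOME}/gcloud-service-key.json"
# Register docker-credential-gcr as the Docker credential helper for the GCR registries.
sudo /usr/bin/docker-credential-gcr configure-docker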
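
  • For the actual push, I use the docker command rather than the gcloud command.

"./docker-push.sh"
#!/bin/bash

# Exactly one argument (the image tag) is required. On error the script prints
# "N arguments were given." and "Exactly 1 argument is required to run."
if [ $# -ne 1 ]; then
  echo "指定された引数は$#個です。" 1>&2
  echo "実行するには1個の引数が必要です。" 1>&2
  exit 1
fi

container_tag="${1}"
dest="asia.gcr.io/<project name>/<repository name>"

docker-compose build
# Tag the locally built image with the GCR destination, then push it with docker.
sudo docker tag "<repository name>:latest" "${dest}:${container_tag}"
sudo docker push "${dest}:${container_tag}"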
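
The two failure points described above (no credential helper mapped to the registry host, and the helper binary not being on the PATH) can be checked before the push. The following Python script is an added example, not part of the original article; the function names and the contents of SAMPLE_CONFIG are constructed for illustration.

```python
"""Pre-push check for the Docker credential helper (added example)."""
import json
import os
import shutil
import sys

# Constructed sample of the credHelpers section a Docker config.json may contain.
SAMPLE_CONFIG = {"credHelpers": {"gcr.io": "gcr", "asia.gcr.io": "gcr"}}


def registry_host(image_ref):
    """Return the registry host of a reference like asia.gcr.io/proj/repo:tag, else None."""
    first, sep, _ = image_ref.partition("/")
    # Docker treats the first path component as a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None


def check_helper(image_ref, config, search_path=None):
    """Return (ok, message) for the helper Docker would call when pushing image_ref.

    Static credentials under "auths" are not considered; only helper lookups are checked.
    """
    host = registry_host(image_ref)
    if host is None:
        return False, "image reference has no registry host"
    # A per-registry credHelpers entry takes precedence over the global credsStore.
    helper = config.get("credHelpers", {}).get(host) or config.get("credsStore")
    if not helper:
        return False, f"no credential helper configured for {host}"
    binary = "docker-credential-" + helper
    # Docker runs the helper by name, so it must be found on the PATH.
    if shutil.which(binary, path=search_path) is None:
        return False, f"{binary} is configured for {host} but is not on PATH"
    return True, f"{host} uses {binary}"


if __name__ == "__main__":
    # Usage: python3 check_helper.py <image reference>
    # Run it as the same user (for example under sudo) that will run docker push.
    if len(sys.argv) != 2:
        sys.exit("usage: check_helper.py <image reference>")
    cfg_dir = os.environ.get("DOCKER_CONFIG", os.path.expanduser("~/.docker"))
    try:
        with open(os.path.join(cfg_dir, "config.json")) as f:
            cfg = json.load(f)
    except (OSError, ValueError) as exc:
        sys.exit(f"cannot read Docker config: {exc}")
    ok, msg = check_helper(sys.argv[1], cfg)
    print(msg)
    sys.exit(0 if ok else 1)
```

Running it as a step between gcloud.sh and docker-push.sh makes the job fail with a specific message instead of the generic "unauthorized" error from the registry.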