Test oras with GAR
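# Install the oras CLI from its GitHub release archive (Linux amd64).
# Globals: ORAS_VERSION, ORAS_ARCHIVE (written).
ORAS_VERSION=0.15.0
# Braces are required here: "$ORAS_VERSION_linux_amd64" is parsed as a single
# (unset) variable named ORAS_VERSION_linux_amd64, which produced the wrong URL
# and archive name in the original snippet.
ORAS_ARCHIVE="oras_${ORAS_VERSION}_linux_amd64.tar.gz"
# -f makes curl fail on an HTTP error instead of saving the error page as the archive.
curl -fLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/${ORAS_ARCHIVE}"
# NOTE(review): verify the downloaded archive against the checksums published
# with the release before placing the binary on the system PATH with sudo.
mkdir -p oras-install/
tar -zxf "$ORAS_ARCHIVE" -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf -- "$ORAS_ARCHIVE" oras-install/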
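# Create a Docker-format Artifact Registry repository and configure local
# registry credentials for it.
# Globals (written, reused by the following snippets): PROJECT, REPO, REGION, ZONE.
PROJECT=FIXME   # replace with your Google Cloud project ID
REPO=artifacts
REGION=us-east4
ZONE=us-east4-a
gcloud artifacts repositories create "$REPO" \
  --project "$PROJECT" \
  --location "$REGION" \
  --repository-format docker
# For authentication, we'll use Artifact Registry credentials configured for Docker
gcloud auth configure-docker "$REGION-docker.pkg.dev"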
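# Commands tested here:
# - oras push
# - oras repository show-tags
# - oras pull
# - oras copy
# - oras tag
# Expects PROJECT, REPO and REGION to be set (see the setup snippet).
# Deliberately no `set -e`: the `oras repository list` call below is expected to fail.
ARTIFACT="$REGION-docker.pkg.dev/$PROJECT/$REPO/my-artifact"
# Let's have a file
echo "Here is a file!" > first-file.txt
# Push the file in Artifact Registry:
oras push \
  "$ARTIFACT:v1" \
  first-file.txt
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"
oras repository list "$REGION-docker.pkg.dev/$PROJECT"
# --> Error: invalid reference: invalid registry
# Pull the file back (-f so the snippet can be re-run when the file is already gone):
rm -f -- first-file.txt
oras pull \
  "$ARTIFACT:v1"
cat first-file.txt
# Let's add more files in this artifact
echo "Here is a second file!" > second-file.txt
mkdir -p subfolder
echo "Here is a third file!" > subfolder/third-file.txt
oras push \
  "$ARTIFACT:v2" \
  first-file.txt second-file.txt subfolder/
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"
# Copy v2 to v2-copied
oras copy "$ARTIFACT:v2" "$ARTIFACT:v2-copied"
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"
# Tag v2 to v2-tagged
oras tag "$ARTIFACT:v2" v2-tagged
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"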
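# Commands tested here:
# - oras push
# - oras repository show-tags
# - oras pull
# - oras copy
# - oras tag
# Expects PROJECT, REPO and REGION to be set (see the setup snippet).
# Deliberately no `set -e`: the `oras repository list` call below is expected to fail.
ARTIFACT="$REGION-docker.pkg.dev/$PROJECT/$REPO/test-namespace"
# Create a simple Kubernetes Namespace resource definition
# (quoted delimiter: the document contains nothing to expand):
cat <<'EOF' > test-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test
EOF
# Create an archive of that file:
tar -cf test-namespace.tar test-namespace.yaml
# Push the file in Artifact Registry:
oras push \
  "$ARTIFACT:1.0.0" \
  test-namespace.tar
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"
oras repository list "$REGION-docker.pkg.dev/$PROJECT"
# --> Error: invalid reference: invalid registry
# Pull the file back (-f so the snippet can be re-run when the files are already gone):
rm -f -- test-namespace.yaml test-namespace.tar
oras pull \
  "$ARTIFACT:1.0.0"
tar -xvf test-namespace.tar
cat test-namespace.yaml
# Copy 1.0.0 to 1.0.0-copied
oras copy "$ARTIFACT:1.0.0" "$ARTIFACT:1.0.0-copied"
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"
# Tag 1.0.0 to 1.0.0-tagged
oras tag "$ARTIFACT:1.0.0" 1.0.0-tagged
# Verify the artifact is there:
gcloud artifacts docker images list "$ARTIFACT" --include-tags
oras repository show-tags "$ARTIFACT"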
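# Create a GKE cluster registered in a Fleet to enable Config Management:
# Expects PROJECT, REPO, REGION and ZONE to be set (see the setup snippet).
# Globals (written, reused by the sync snippet): CLUSTER_NAME, PULLER_GSA_NAME,
# PULLER_GSA_ID, ROOT_SYNC_NAME.
gcloud services enable container.googleapis.com
CLUSTER_NAME=FIXME   # replace with the name of the cluster to create
# The workload pool is what lets the Config Sync reconciler below act as a
# Google service account without a downloaded key.
gcloud container clusters create "${CLUSTER_NAME}" \
  --workload-pool="${PROJECT}.svc.id.goog" \
  --zone "${ZONE}"
gcloud services enable gkehub.googleapis.com
gcloud container fleet memberships register "${CLUSTER_NAME}" \
  --gke-cluster "${ZONE}/${CLUSTER_NAME}" \
  --enable-workload-identity
gcloud beta container fleet config-management enable
# Install Config Sync in this GKE cluster
# (quoted delimiter: the document contains nothing to expand):
cat <<'EOF' > acm-config.yaml
applySpecVersion: 1
spec:
  configSync:
    enabled: true
EOF
gcloud beta container fleet config-management apply \
  --membership "${CLUSTER_NAME}" \
  --config acm-config.yaml
# Create a dedicated Google Cloud Service Account with the fine granular access (roles/artifactregistry.reader) to that Artifact Registry repository:
PULLER_GSA_NAME=configsync-oci-sa
PULLER_GSA_ID="$PULLER_GSA_NAME@$PROJECT.iam.gserviceaccount.com"
gcloud iam service-accounts create "$PULLER_GSA_NAME" \
  --display-name="$PULLER_GSA_NAME"
# Read-only role bound on the single repository rather than project-wide,
# so the puller can only read this one repo. --project keeps the binding on
# the same project the repository was created in, whatever the gcloud default is.
gcloud artifacts repositories add-iam-policy-binding "$REPO" \
  --project "$PROJECT" \
  --location "$REGION" \
  --member "serviceAccount:$PULLER_GSA_ID" \
  --role roles/artifactregistry.reader
# Allow Config Sync to synchronize resources for a specific RootSync:
# the workloadIdentityUser binding is scoped to the one Kubernetes service
# account (root-reconciler-<RootSync name>) instead of the whole namespace.
ROOT_SYNC_NAME=root-sync-artifact
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT.svc.id.goog[config-management-system/root-reconciler-$ROOT_SYNC_NAME]" \
  "$PULLER_GSA_ID"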
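# Sync this artifact from Artifact Registry:
# Expects REGION, PROJECT, REPO, ROOT_SYNC_NAME and PULLER_GSA_ID (previous snippets).
# The heredoc delimiter is left unquoted on purpose so the ${...} references expand.
# NOTE(review): `1.0.0` is a mutable tag; once the artifact is published, pin
# `image:` by digest so a re-pushed tag cannot silently change what the cluster applies.
cat <<EOF | kubectl apply -f -
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: ${ROOT_SYNC_NAME}
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  sourceType: oci
  oci:
    image: ${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0
    dir: .
    auth: gcpserviceaccount
    gcpServiceAccountEmail: ${PULLER_GSA_ID}
EOF
nomos status \
  --contexts="$(kubectl config current-context)"
# The synced artifact contains the "test" Namespace, so it should now exist:
kubectl describe ns test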