Artifact Registry 可以說是 Container Registry 的進化版，可讓貴機構集中管理容器映像檔和語言套件 (例如 Maven 和 npm)。Artifact Registry 與 Google Cloud 的工具和執行階段全方位整合，並且支援原生構件通訊協定，讓您輕鬆與持續整合/持續推送軟體更新 (CI/CD) 工具整合，進而設定自動化管道。

1. Artifact Registry
Introduction
KAI CHU CHUNG
Cloud GDE, GDG Cloud Taipei co-organizer
Taipei

2. Agenda
1. Quick review Container Registry
2. Artifact Registry

3. Quick review
Container Registry

4. Container Registry
1. Manage Container images
2. Vulnerability analysis
3. Access control
4. CI/CD integration

5. - Docker Image Manifest V2
- OCI image formats
HOSTNAME/PROJECT-ID/IMAGE:TAG
( gcr.io / asia.gcr.io /
eu.gcr.io / us.gcr.io )

6. - Scan with Container Analysis
- Enforce deployment policies with
Binary Authorization

7. Implementing Binary Authorization using Cloud Build and GKE
Implementing Binary Authorization using Cloud Build and GKE - https://cloud.google.com/architecture/binary-auth-with-cloud-build-and-gke

8. Access Control
- Public/Private
- Primitive
- roles/storage.objectViewer
- roles/storage.legacyBucketWriter
- roles/storage.admin

9. CI/CD Integration
Kubernetes
Engine
Container
Registry
Cloud Build Cloud Build

10. CI/CD Integration
Kubernetes
Engine
Container
Registry
Cloud Build Cloud Build
Helm + GCS
plugin

11. Artifact Registry

12. Artifact Registry
1. Manage Container images with
additional features
2. Regional and multi-regional
repositories
3. Multiple repositories per Google
Cloud project
4. Repository-native IAM with granular
permissions

13. Artifacts
- Container images
- Helm chart
- Java, Node.js, and Python packages
- Debian and RPM Linux packages

14. Helm chart
1. Create a repository in Artifact
Registry
2. Create a chart
3. Authenticate with the repository
4. Push the chart to the repository
5. Deploy the chart
export HELM_EXPERIMENTAL_OCI=1

15. $ gcloud beta artifacts repositories create
(REPOSITORY : --location=LOCATION)
--repository-format=REPOSITORY_FORMAT
[--allow-snapshot-overwrites] [--async]
[--description=DESCRIPTION] [--kms-key=KMS_KEY]
[--labels=[KEY=VALUE,…]]
[--version-policy=VERSION_POLICY;
default="NONE"] [GCLOUD_WIDE_FLAG …]

16. $ gcloud beta artifacts repositories
create gcf-worker
--repository-format=docker
--location=asia-east1
--description="devfest21 aritfact registry
demo"

17. $ helm package gcf-worker
$ gcloud auth print-access-token | helm
registry login -u oauth2accesstoken
--password-stdin
https://asia-east1-docker.pkg.dev
$ helm push gcf-worker-0.1.0.tgz
oci://asia-east1-docker.pkg.dev/cloud-build-tes
tbed/devfest-demo

18. $ gcloud artifacts docker images list
[IMAGE_PATH] [--include-tags]
[--occurrence-filter=OCCURRENCE_FILTER;
default='kind="BUILD" OR kind="IMAGE" OR
kind="DISCOVERY"'] [--show-occurrences]
[--show-occurrences-from=SHOW_OCCURRENCES_FROM;
default=10] [--filter=EXPRESSION]
[--limit=LIMIT] [--page-size=PAGE_SIZE]
[--sort-by=[FIELD,…]] [GCLOUD_WIDE_FLAG …]

19. $ gcloud artifacts docker images list
asia-east1-docker.pkg.dev/cloud-build-testbed/devfest-demo
Listing items under project cloud-build-testbed, location
asia-east1, repository devfest-demo.
IMAGE
DIGEST
CREATE_TIME UPDATE_TIME
asia-east1-docker.pkg.dev/cloud-build-testbed/devfest-demo
/gcf-worker
sha256:a47cc170ff19a83cade7438f60ee373df4193b252e0bad5fd09
f22c69701ea50 2021-11-15T23:16:10 2021-11-15T23:16:10

20. $ helm install gcf-worker
oci://asia-east1-docker.pkg.dev/cloud-build-tes
tbed/devfest-demo/gcf-worker --version 0.1.0
NAME: gcf-worker
LAST DEPLOYED: Mon Nov 15 23:29:11 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None

21. Locations
North America
- Montréal / Toronto / Iowa / South Carolina / Northern Virginia /
Oregon / Los Angeles / Salt Lake City / Las Vegas
South America
- São Paulo
Europe
- Warsaw / Finland / Belgium / London / Frankfurt / Netherlands /
Zürich
Asia
- Taiwan / Hong Kong / Tokyo / Osaka / Seoul / Mumbai / Delhi /
Singapore / Jakarta
Australia
- Sydney / Melbourne
All regions are at least 100 miles apart.

22. Repositories
project
Repository - APT
Repository - Docker
Repository - Python
Repository - Node
Repository - Maven
Repository - Yum
Australia-southeast2 Melbourne
Asia-east1 Taiwan
asia-northeast2 Osaka
asia
Northamerica-northeast2 Toronto
Us-west2 Los Angeles
us
Europe-west3 Frankfurt
Europe-north1 Finland
europe

23. Access Control
Primitive IAM Role
- Project Owner
- roles/artifactregistry.repoAdmin
- roles/artifactregistry.admin
- Project Editor
- roles/artifactregistry.writer
- Project Viewer
- roles/artifactregistry.reader

24. Artifact Registry permissions
- roles/artifactregistry.reader
- roles/artifactregistry.writer
- roles/artifactregistry.repoAdmin
- roles/artifactregistry.admin
bindings:
- members:
- user: user@gmail.com
role: roles/owner
- members:
- serviceAccount:
repo-readonly@iam.gserviceaccount.com
- user: user2@gmail.com
role: roles/artifactregistry.reader
- members:
- serviceAccount:
repo-write@iam.gserviceaccount.com
role: roles/artifactregistry.writer
- members:
- serviceAccount:
repo-admin@iam.gserviceaccount.com
role: roles/artifactregistry.repoAdmin
- members:
- serviceAccount:
ar-admin@iam.gserviceaccount.com
role: roles/artifactregistry.admin
Implementing Binary Authorization using Cloud Build and GKE - https://cloud.google.com/architecture/binary-auth-with-cloud-build-and-gke

25. CI/CD Integration
Kubernetes
Engine
Artifacts
Registry
Cloud Build Cloud Build
Flexible

27. Pricing
Docker repositories
- Storage
- Network egress
- Vulnerability scanning, if
the Container Scanning API
is enabled
Package repositories
- Storage
- Network egress

28. Artifact Registry is the recommended service for
managing container images. Container Registry is still
supported but will only receive critical security fixes

29. Q & A