
Watchtower with GCR's gcloud cred helper


Has anyone figured out how to pull from private GCR repos in the containrrr watchtower image in docker compose?

For context, I ran gcloud auth configure-docker on the host and added these volumes to watchtower:

version: "3.4"
services:
  app:
    image: gcr.io/<proj>/<img>:latest
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/config.json
      - /root/.config/gcloud:/.config/gcloud
      - /usr/lib/google-cloud-sdk:/usr/lib/google-cloud-sdk
    command: --interval 10
    environment:
      - PATH=$PATH:/usr/lib/google-cloud-sdk/bin
      - HOME=/
    labels:
      - com.centurylinklabs.watchtower.enable=false

It just keeps saying

watchtower_1  | time="2021-06-03T22:36:13Z" level=info msg="Unable to update container \"/gce_app_1\": Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication. Proceeding to next."

Solution

  • I found a solution. The caveat is that the gcloud helper requires a Python installation to work. So even if you add all the configs and binaries to your watchtower container, it still doesn't run properly.

    As a solution, I came up with a minimal Docker image that has both watchtower and python3 installed. It's yspreen/watchtower. You can find the full readme on GitHub, but here's the summary:

    version: "3.4"
    services:
      app:
        image: gcr.io/<project>/<image>:latest
      watchtower:
        image: yspreen/watchtower
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - /root/.docker/config.json:/config.json
          - /root/.config/gcloud:/.config/gcloud
          - /usr/lib/google-cloud-sdk:/usr/lib/google-cloud-sdk
        command: --cleanup --interval 10
        environment:
          - PATH=$PATH:/usr/lib/google-cloud-sdk/bin
          - HOME=/
        labels:
          - com.centurylinklabs.watchtower.enable=false
    

    Config file:

    {
      "credsStore": "gcloud",
      "credHelpers": {
        "gcr.io": "gcloud",
        "us.gcr.io": "gcloud",
        "eu.gcr.io": "gcloud",
        "asia.gcr.io": "gcloud",
        "staging-k8s.gcr.io": "gcloud",
        "marketplace.gcr.io": "gcloud"
      }
    }
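
The failure described in the answer can be checked before deploying. The following is an added example, not part of the original answer or of the yspreen/watchtower project: it reads a Docker config.json, resolves each configured credential helper as `docker-credential-<name>` on a given PATH, and flags a gcloud helper that is present without python3. The function names and the sample config are constructed for illustration.

```python
import json
import os
import shutil
import tempfile

# Constructed sample: a shortened version of the config.json shown above.
SAMPLE_CONFIG = """{
  "credsStore": "gcloud",
  "credHelpers": {"gcr.io": "gcloud", "eu.gcr.io": "gcloud"}
}"""

def helpers_in_config(config_text):
    """Map registry -> helper name; the credsStore default is keyed as '*'."""
    cfg = json.loads(config_text)
    helpers = dict(cfg.get("credHelpers", {}))
    if cfg.get("credsStore"):
        helpers["*"] = cfg["credsStore"]
    return helpers

def check_helpers(config_text, search_path):
    """Return one problem string per registry whose helper cannot run."""
    problems = []
    have_python = shutil.which("python3", path=search_path) is not None
    for registry, name in sorted(helpers_in_config(config_text).items()):
        binary = "docker-credential-" + name  # Docker's helper naming scheme
        if shutil.which(binary, path=search_path) is None:
            problems.append(f"{registry}: {binary} not found on PATH")
        elif name == "gcloud" and not have_python:
            # Assumption taken from the answer: the gcloud helper needs Python.
            problems.append(f"{registry}: {binary} found, but python3 is missing")
    return problems

def fake_bin(directory, name):
    """Create a stub executable (stand-in for a real binary in the demo)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(path, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as bindir:
        fake_bin(bindir, "docker-credential-gcloud")  # SDK mounted, no Python
        for line in check_helpers(SAMPLE_CONFIG, bindir):
            print(line)
        fake_bin(bindir, "python3")                   # image that adds python3
        print(check_helpers(SAMPLE_CONFIG, bindir) or "all helpers resolvable")
```

To check a real setup, pass the contents of the mounted config.json and the PATH value set in the compose file's environment section to `check_helpers`.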