Dependency management with Artifact Registry

1. Overview

As the evolution of Container Registry, Artifact Registry is a single place for your organization to manage container images and language packages (such as Maven and npm). It is fully integrated with Google Cloud's tooling and runtimes and comes with support for language based dependency management for use with tools like npm and Maven. This makes it simple to integrate it with your CI/CD tooling to set up automated pipelines.

This lab will walk you through some features available in Artifact Registry.

What you will learn

What are the learning objectives of this lab?

  • Create repositories for Containers and Language Packages
  • Manage container images with Artifact Registry
  • Configure Maven to use Artifact Registry for Java Dependencies

2. Setup and Requirements

Self-paced environment setup

  1. Sign-in to the Google Cloud Console and create a new project or reuse an existing one. If you don't already have a Gmail or Google Workspace account, you must create one.

b35bf95b8bf3d5d8.png

a99b7ace416376c4.png

bd84a6d3004737c5.png

  • The Project name is the display name for this project's participants. It is a character string not used by Google APIs. You can update it at any time.
  • The Project ID is unique across all Google Cloud projects and is immutable (cannot be changed after it has been set). The Cloud Console auto-generates a unique string; usually you don't care what it is. In most codelabs, you'll need to reference the Project ID (it is typically identified as PROJECT_ID). If you don't like the generated ID, you may generate another random one. Alternatively, you can try your own and see if it's available. It cannot be changed after this step and will remain for the duration of the project.
  • For your information, there is a third value, a Project Number which some APIs use. Learn more about all three of these values in the documentation.
  1. Next, you'll need to enable billing in the Cloud Console to use Cloud resources/APIs. Running through this codelab shouldn't cost much, if anything at all. To shut down resources so you don't incur billing beyond this tutorial, you can delete the resources you created or delete the whole project. New users of Google Cloud are eligible for the $300 USD Free Trial program.

Set up gcloud

In Cloud Shell, set your project ID and project number. Save them as PROJECT_ID and PROJECT_NUMBER variables.

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format='value(projectNumber)')

Enable Google Services

gcloud services enable \
  cloudresourcemanager.googleapis.com \
  container.googleapis.com \
  artifactregistry.googleapis.com \
  containerregistry.googleapis.com \
  containerscanning.googleapis.com

Get the source code

The source code for this lab is located in the GoogleCloudPlatform org on GitHub. Clone it with the command below then change into the directory.

git clone https://github.com/GoogleCloudPlatform/cloud-code-samples/

3. Working with container images

Create a Docker Repository on Artifact registry

Artifact Registry supports managing container images and language packages. Different artifact types require different specifications. For example the requests for Maven dependencies are different from requests for Node dependencies.

To support the different API specifications, Artifact Registry needs to know what format you want the API responses to follow. To do this you will create a repository and pass in the --repository-format flag indicating the type of repository desired

From Cloud Shell run the following command to create a repository for Docker images:

gcloud artifacts repositories create container-dev-repo --repository-format=docker \
--location=us-central1 --description="Docker repository for Container Dev Workshop"

Click Authorize if the Cloud Shell authorization prompt appears

Go to Google Cloud Console - Artifact Registry - Repositories and notice your newly created Docker repository named container-dev-repo, if you click on it you can see that it's empty at the moment

Configure Docker Authentication to Artifact Registry

When connecting to Artifact Registry credentials are required in order to provide access. Rather than set up separate credentials, Docker can be configured to use your gcloud credentials seamlessly.

From Cloud Shell run the following command to configure Docker to use the Google Cloud CLI to authenticate requests to Artifact Registry in the us-central1 region,

gcloud auth configure-docker us-central1-docker.pkg.dev

The command will prompt for a confirmation to change the Cloud Shell docker configuration, hit enter.

Explore the sample Application

A sample application is provided in the git repository you cloned in an earlier step. Change into the java directory and review the application code.

cd cloud-code-samples/java/java-hello-world

The folder contains an example Java application that renders a simple web page: in addition to various files not relevant for this specific lab, it contains the source code, under the src folder, and a Dockerfile we will use to build a container image locally.

Build the Container Image

Before you can store container images in Artifact Registry you will need to create one.

Run the following command to build the container image and tag it properly to push it to your repository in the next step:

docker build -t us-central1-docker.pkg.dev/$PROJECT_ID/container-dev-repo/java-hello-world:tag1 .

Push the Container Image to Artifact Registry

Run the following command to push the container image to the repository created previously:

docker push us-central1-docker.pkg.dev/$PROJECT_ID/container-dev-repo/java-hello-world:tag1

Review the image in Artifact Registry

Go to Google Cloud Console - Artifact Registry - Repositories. Click into container-dev-repo and check that the java-hello-world image is there. Click on the image and note the image tagged tag1. You can see that Vulnerability Scanning is running or already completed and the number of vulnerabilities detected is visible.

9cb46d3689b3ed2.png

Click on the number of vulnerabilities and you will see the list of vulnerabilities detected in the image, with the CVE bulletin name and the severity, you can click VIEW on each listed vulnerability to get more details:

c2a961e6218d5a45.png

4. Working with language packages

In this section you will see how to set up an Artifact Registry Java repository and upload packages to it, leveraging them in different applications.

Create a Java package repository

From Cloud Shell run the following command to create a repository for Java artifacts:

gcloud artifacts repositories create container-dev-java-repo \
    --repository-format=maven \
    --location=us-central1 \
    --description="Java package repository for Container Dev Workshop"

Click Authorize if the Cloud Shell authorization prompt appears

Go to Google Cloud Console - Artifact Registry - Repositories and notice your newly created Maven repository named container-dev-java-repo, if you click on it you can see that it's empty at the moment.

Set up authentication to Artifact Repository

Use the following command to update the well-known location for Application Default Credentials (ADC) with your user account credentials so that the Artifact Registry credential helper can authenticate using them when connecting with repositories:

gcloud auth login --update-adc

Configure Maven for Artifact Registry

Run the following command, from the java-hello-world folder to open Cloud Shell Editor and add the application folder to his workspace:

cloudshell workspace .

Enable third-party cookies by clicking on "Site now working?" and then "Allow cookies".

After Browser will reload, open Cloud Shell and run the command above one more time to load application folder.

62328383ea59b30c.png

a9d756bf08575b0d.png

Open the pom.xml in Cloud Shell Editor, click "Open Editor"

95d98e831787b2ff.png

Open terminal from Cloud Shell Editor and run the following command to print the repository configuration to add to your Java project:

gcloud artifacts print-settings mvn \
    --repository=container-dev-java-repo \
    --location=us-central1

and add the returned settings to the appropriate sections in the pom.xml file.

Cloud Editor view with built-in terminal:

33c3bfa412b7babd.png

Update the distributionManagement section

<distributionManagement>
   <snapshotRepository>
     <id>artifact-registry</id>
     <url>artifactregistry://us-central1-maven.pkg.dev/<PROJECT>/container-dev-java-repo</url>
   </snapshotRepository>
   <repository>
     <id>artifact-registry</id>
     <url>artifactregistry://us-central1-maven.pkg.dev/<PROJECT>/container-dev-java-repo</url>
   </repository>
</distributionManagement>

Update the repositories section

 <repositories>
   <repository>
     <id>artifact-registry</id>
     <url>artifactregistry://us-central1-maven.pkg.dev/<PROJECT>/container-dev-java-repo</url>
     <releases>
       <enabled>true</enabled>
     </releases>
     <snapshots>
       <enabled>true</enabled>
     </snapshots>
   </repository>
 </repositories>

Update the extensions

<extensions>
     <extension>
       <groupId>com.google.cloud.artifactregistry</groupId>
       <artifactId>artifactregistry-maven-wagon</artifactId>
       <version>2.1.0</version>
     </extension>
   </extensions>

Here's an example of the complete file for your reference. Ensure to replace <PROJECT> with your project id.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
 
 <artifactId>hello-world</artifactId>
 <packaging>jar</packaging>
 <name>Cloud Code Hello World</name>
 <description>Getting started with Cloud Code</description>
 <version>1.0.0</version>
<distributionManagement>
   <snapshotRepository>
     <id>artifact-registry</id>
     <url>artifactregistry://us-central1-maven.pkg.dev/<PROJECT>/container-dev-java-repo</url>
   </snapshotRepository>
   <repository>
     <id>artifact-registry</id>
     <url>artifactregistry://us-central1-maven.pkg.dev/<PROJECT>/container-dev-java-repo</url>
   </repository>
 </distributionManagement>
 
 <repositories>
   <repository>
     <id>artifact-registry</id>
     <url>artifactregistry://us-central1-maven.pkg.dev/<PROJECT>/container-dev-java-repo</url>
     <releases>
       <enabled>true</enabled>
     </releases>
     <snapshots>
       <enabled>true</enabled>
     </snapshots>
   </repository>
 </repositories>
 
 <parent>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-parent</artifactId>
   <version>2.6.3</version>
 </parent>
 
 <properties>
   <java.version>1.8</java.version>
   <checkstyle.config.location>./checkstyle.xml</checkstyle.config.location>
 </properties>
 
 <build>
   <plugins>
     <plugin>
       <groupId>com.google.cloud.tools</groupId>
       <artifactId>jib-maven-plugin</artifactId>
       <version>3.2.0</version>
     </plugin>
     <plugin>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-maven-plugin</artifactId>
     </plugin>
     <plugin>
       <groupId>org.apache.maven.plugins</groupId>
       <artifactId>maven-checkstyle-plugin</artifactId>
       <version>3.1.2</version>
     </plugin>
   </plugins>
   <extensions>
     <extension>
       <groupId>com.google.cloud.artifactregistry</groupId>
       <artifactId>artifactregistry-maven-wagon</artifactId>
       <version>2.1.0</version>
     </extension>
   </extensions>
 </build>
 
 <!-- The Spring Cloud GCP BOM will manage spring-cloud-gcp version numbers for you. -->
 <dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>org.springframework.cloud</groupId>
       <artifactId>spring-cloud-gcp-dependencies</artifactId>
       <version>1.2.8.RELEASE</version>
       <type>pom</type>
       <scope>import</scope>
     </dependency>
   </dependencies>
 </dependencyManagement>
  
 <dependencies>
 
   <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter</artifactId>
   </dependency>
 
   <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-jetty</artifactId>
   </dependency>
 
   <dependency>
     <groupId>org.springframework</groupId>
     <artifactId>spring-webmvc</artifactId>
   </dependency>
 
   <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-thymeleaf</artifactId>
   </dependency>
 
   <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-test</artifactId>
     <scope>test</scope>
   </dependency>
 
   <dependency>
     <groupId>org.springframework.cloud</groupId>
     <artifactId>spring-cloud-gcp-starter-logging</artifactId>
   </dependency>
      
 </dependencies>
 
</project>

Upload your Java package to Artifact Registry

With Artifact Registry configured in Maven, you can now use Artifact Registry to store Java Jars for use by other projects in your organization.

Run the following command to upload your Java package to Artifact Registry:

mvn deploy

Check the Java package in Artifact Registry

Go to Cloud Console - Artifact Registry - Repositories Click into container-dev-java-repo and check that the hello-world binary artifact is there:

e348d976ac1ac107.png

5. Congratulations!

Congratulations, you finished the codelab!

What you've covered

  • Created Repositories for Containers and Language Packages
  • Managed container images with Artifact Registry
  • Configured Maven to use Artifact Registry for Java Dependencies

Cleanup

Run the following command to delete the project

gcloud projects delete $PROJECT_ID