Container Registry provides the cloud native application delivery chain feature, which streamlines image building, image scanning, global image replication, and image distribution into a single chain. The entire delivery chain is observable, traceable, and secured. With a delivery chain, committing a source code change is enough to build, scan, replicate, and distribute images around the world. This topic describes how to create a delivery chain.
Prerequisites
A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.
Important: Only the Advanced Edition instances of Container Registry Enterprise Edition support the cloud native application delivery chain feature.
An image repository and an image are created. For more information, see Create a repository and build images.
Step 1: Create a delivery chain and configure basic information
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
On the management page of the Container Registry Enterprise Edition instance, choose in the left-side navigation pane.
In the upper-left corner of the Chain page, click Create Delivery Chain.
In the Basic Information section of the Create Delivery Chain page, configure the following parameters:
Name: the name of the delivery chain.
Description: optional. The description of the delivery chain.
Scope: Select a namespace and an image repository in the namespace.
All Effective: If you turn on this switch, all repositories in the current namespace are added to the delivery chain. If you turn off this switch, you can specify the repositories that you do not want to add to the delivery chain.
Step 2: Configure image building rules
If you select an on-premises image repository, you cannot use the image building feature of the delivery chain.
In the Chain section, click Image Building. Then, click Add Build Rule.
In the Build Information step, configure the following parameters and click Next.
Type: Specify the type of the source code repository. Valid values: Branch and Tag.
Branch/Tag: Select or enter a branch or a tag. Regular expressions are supported. If you use release-(?<imageTag>\w*) as the regular expression, the system builds a V1 image when the source code under the release-v1 branch is updated. The V1 image is built within a few minutes. For more information about how to use regular expressions, see Use regular expressions in named capturing groups.
Note: After you specify regular expressions, images can be built only by the system. You cannot manually build images.
Build Context Directory: Specify the directory in which the Dockerfile resides. You must specify a relative directory. The parent directory is the root directory of the code branch.
Dockerfile Filename: Specify the name of the Dockerfile. The default name is Dockerfile.
In the Tag step, configure the parameters, click Save, and then click Next.
Note: Click Add Configuration to add image tags. You can add up to three image tags.
Image Tag: The tag of the image. Example: latest. You can enable named capturing groups. For example, if you specify a named capturing group for Branch/Tag, you can use the captured content.
Build Time: The time (UTC+8) when source code is pushed. Example: 20201015 or 202010151613.
Note: This parameter is optional. If you set this parameter, only the system can build images. You cannot manually build images.
Commit ID: The number of characters to be obtained from the commit ID of the most recently pushed code. By default, the first six characters are used. You can adjust the slider to change the number of characters.
Note: This parameter is optional. If you set this parameter, only the system can build images. You cannot manually build images.
In the Build Configurations step, configure the following parameters and click Confirm.
Build Architecture: The architecture for which you want to build images. You can select multiple architectures. If you select multiple architectures, multiple container images for the architectures are built for each image tag.
Build Parameters: The runtime parameters of the image building. Each building parameter is a key-value pair that is case-sensitive. You can configure a maximum of 20 building parameters.
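The Branch/Tag rule and the Image Tag, Build Time, and Commit ID settings above combine as follows. This is an added example, not code from Container Registry; it assumes the rule must match the whole ref name (the page does not state the matching mode), and the commit ID and push time are constructed sample values.

```javascript
// Added example, not Container Registry code. Assumption: a ref triggers a
// build only when the rule matches the whole branch or tag name.
const RULE = /^release-(?<imageTag>\w*)$/;
const RULE_UNANCHORED = /release-(?<imageTag>\w*)/; // same rule, search semantics

// Build Time tag: push time rendered in UTC+8 as YYYYMMDD or YYYYMMDDHHmm.
function buildTime(pushedAt, withMinutes) {
  const shifted = new Date(pushedAt.getTime() + 8 * 60 * 60 * 1000);
  const digits = shifted.toISOString().replace(/[-:T]/g, "");
  return digits.slice(0, withMinutes ? 12 : 8);
}

// Returns the tags a push would produce, or null when no build should start.
function deriveTags(ref, commitId, pushedAt, commitChars = 6) {
  const m = RULE.exec(ref);
  if (!m) return null;
  const imageTag = m.groups.imageTag;
  if (imageTag === "") return null; // \w* also matches the bare ref "release-"
  return {
    imageTag,
    buildTime: buildTime(pushedAt, true),
    commitId: commitId.slice(0, commitChars),
  };
}

// What the capture would be if the rule were applied as a substring search.
function unanchoredCapture(ref) {
  const m = RULE_UNANCHORED.exec(ref);
  return m ? m.groups.imageTag : null;
}

// Constructed sample pushes (the commit ID is made up).
const pushedAt = new Date("2020-10-15T08:13:00Z"); // 16:13 in UTC+8
for (const ref of ["release-v1", "release-", "release-v1-hotfix", "main"]) {
  console.log(ref, deriveTags(ref, "3f9a1c7e5b2d", pushedAt), unanchoredCapture(ref));
}
```

The last column shows why the matching mode matters: under search semantics, release-v1-hotfix would still yield the tag v1, and release- would yield an empty tag.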
Step 3: Configure the blocking rule for image security scanning
Image security scanning ensures image security when images are replicated and distributed.
In the Chain section, click Security Scan.
In the Node configuration section, configure the blocking rule.
Security Engine: the scan engine to use. Valid values: Security Center Scan Engine and Trivy Scan Engine.
If vulnerabilities are detected, the Security Center Scan Engine allows you to fix the vulnerabilities with a few clicks. You cannot use the Trivy Scan Engine of Container Registry to fix vulnerabilities with a few clicks.
Note: If you want to use the image scanning feature of Security Center, you must purchase the Ultimate Edition of Security Center. For more information, see Purchase Security Center. If Security Center is not activated in the current region, the option of Security Center is not displayed in the Container Registry console.
Block strategy:
Blocking: If the blocking rule is met, the system stops the subsequent steps for all images.
You must specify the Severity and Vulnerability parameters in the blocking rule. You must specify the subsequent steps after the delivery chain is stopped, including whether to delete the original image and whether to back up the images.
Non-blocking: The system proceeds with subsequent steps for all images.
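A sketch of how a blocking rule can be evaluated against a scan report, as an added example that is not Container Registry code. It assumes the rule means "stop when at least N findings are at or above the chosen severity", reads the report in Trivy's JSON layout (Results[].Vulnerabilities[].Severity), and uses a constructed report with placeholder IDs.

```javascript
// Added example, not Container Registry code. Severity order, lowest first.
const ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"];

// Constructed sample report; the IDs are placeholders, not real advisories.
const sampleReport = {
  Results: [
    { Target: "app (os packages)", Vulnerabilities: [
      { VulnerabilityID: "EXAMPLE-0001", PkgName: "openssl", Severity: "HIGH" },
      { VulnerabilityID: "EXAMPLE-0002", PkgName: "busybox", Severity: "MEDIUM" },
    ] },
    { Target: "app/node_modules", Vulnerabilities: [
      { VulnerabilityID: "EXAMPLE-0001", PkgName: "openssl", Severity: "HIGH" },
      { VulnerabilityID: "EXAMPLE-0003", PkgName: "lodash", Severity: "CRITICAL" },
    ] },
    { Target: "app/config" }, // a clean target carries no Vulnerabilities key
  ],
};

// rule = { strategy: "Blocking" | "Non-blocking", severity, count } (assumed shape)
function evaluate(report, rule) {
  const floor = ORDER.indexOf(rule.severity);
  if (floor < 0) throw new Error("unknown severity in rule: " + rule.severity);
  const seen = new Set();
  for (const result of report.Results || []) {
    for (const v of result.Vulnerabilities || []) {
      // Unrecognized severity strings are treated as UNKNOWN, not dropped.
      const level = Math.max(0, ORDER.indexOf(v.Severity));
      // Design choice of this example: count a finding once across targets.
      if (level >= floor) seen.add(v.VulnerabilityID + "|" + v.PkgName);
    }
  }
  const blocked = rule.strategy === "Blocking" && seen.size >= rule.count;
  return { matched: seen.size, blocked };
}

console.log(evaluate(sampleReport, { strategy: "Blocking", severity: "HIGH", count: 2 }));
console.log(evaluate(sampleReport, { strategy: "Non-blocking", severity: "HIGH", count: 2 }));
```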
Step 4: Configure image replication rules
After you configure image replication rules, updated images are automatically replicated between Container Registry Enterprise Edition instances based on the rules.
In the Chain section, click Trigger Synchronization. Then, click Create Rule.
In the Create Rule dialog box, enter a rule name, specify the destination Container Registry Enterprise Edition instance, and then click Next.
Select a region and select an existing instance as the destination instance.
If you cannot select an existing instance, click Create Instance to create an instance. For more information, see Create a Container Registry Enterprise Edition instance.
Note: If Internet access is disabled, images can be automatically replicated in different regions.
In the Replication Information wizard, configure the replication information of the source instance and click Create Rule.
Replication Level: Select the replication level. Valid values: Namespaces and Repository.
Source Address: Specify a namespace and a repository. Enter a regular expression to filter image tags in the repositories of the namespace or in the specified repository. By default, all image tags are replicated. You can specify the source repository only if you set the Replication Level parameter to Repository.
Step 5: Configure distribution triggers
You can configure distribution triggers to automatically distribute images. This way, applications can be automatically redeployed.
In the Chain section, click Trigger. Then, click Create.
In the Create Trigger dialog box, configure the parameters and then click Confirm.
Name: The name of the trigger.
Trigger URL: The URL to which the trigger sends notifications. You can obtain the URL from the configurations of your Container Service for Kubernetes (ACK) cluster.
Trigger: The trigger method. Valid values:
All: Each time an image is updated, image distribution is triggered.
By RegExp: A regular expression is used to filter image tags. Image distribution is triggered only if an image tag matches the regular expression.
By Tags: Tags are used to filter images. Image distribution is triggered only if an image tag is in the specified tag list.
On the Create Delivery Chain page, click Create.
Result
On the Chain page, you can view the created delivery chain.
After source code is submitted to the code repository or an image is pulled, you can log on to the Container Registry Enterprise Edition instance and go to the Record page. On this page, you can view the status and result of each step in the delivery chain. Then, you can check whether the images are updated in your ACK cluster.