This document describes how to deploy GCR Cleaner to Cloud Run and invoke it via Cloud Scheduler. There is also a community-supported Terraform module for gcr-cleaner.
-
Install the Cloud SDK for your operating system. Alternatively, you can run these commands from Cloud Shell, which has the SDK and other popular tools pre-installed.
-
Export your project ID as an environment variable. The rest of this setup assumes this environment variable is set.
    export PROJECT_ID="my-project"
Note this is your project ID, not the project number or name.
-
Enable the Google APIs - this only needs to be done once per project:
    gcloud services enable --project "${PROJECT_ID}" \
      appengine.googleapis.com \
      cloudscheduler.googleapis.com \
      run.googleapis.com
This operation can take a few minutes, especially for recently-created projects.
-
Create a service account which will be assigned to the Cloud Run service:
    gcloud iam service-accounts create "gcr-cleaner" \
      --project "${PROJECT_ID}" \
      --display-name "gcr-cleaner"
-
Deploy the gcr-cleaner container on Cloud Run running as the service account just created:
    gcloud --quiet run deploy "gcr-cleaner" \
      --async \
      --project "${PROJECT_ID}" \
      --platform "managed" \
      --service-account "gcr-cleaner@${PROJECT_ID}.iam.gserviceaccount.com" \
      --image "us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner" \
      --region "us-central1" \
      --timeout "60s"
-
Grant the service account access to delete references. See Permissions for more information.
-
Create a service account with permission to invoke the Cloud Run service:
    gcloud iam service-accounts create "gcr-cleaner-invoker" \
      --project "${PROJECT_ID}" \
      --display-name "gcr-cleaner-invoker"

    gcloud run services add-iam-policy-binding "gcr-cleaner" \
      --project "${PROJECT_ID}" \
      --platform "managed" \
      --region "us-central1" \
      --member "serviceAccount:gcr-cleaner-invoker@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role "roles/run.invoker"
-
Create a Cloud Scheduler HTTP job to invoke the function every week:
    gcloud app create \
      --project "${PROJECT_ID}" \
      --region "us-central" \
      --quiet

    # Replace this with the full name of the repository for which you
    # want to clean up old references, for example:
    export REPO="us-docker.pkg.dev/${PROJECT_ID}/my-repo/my-image"

    # Capture the URL of the Cloud Run service:
    export SERVICE_URL="$(gcloud run services describe gcr-cleaner --project "${PROJECT_ID}" --platform "managed" --region "us-central1" --format 'value(status.url)')"

    gcloud scheduler jobs create http "gcrclean-myimage" \
      --project "${PROJECT_ID}" \
      --description "Cleanup ${REPO}" \
      --uri "${SERVICE_URL}/http" \
      --message-body "{\"repos\":[\"${REPO}\"]}" \
      --oidc-service-account-email "gcr-cleaner-invoker@${PROJECT_ID}.iam.gserviceaccount.com" \
      --schedule "0 8 * * 2" \
      --time-zone="US/Eastern"
You can specify multiple repositories in the list to clean more than one repository.
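Because the job deletes image references, it is worth validating the repository list before it goes into the `--message-body`. The following is an added example, not part of GCR Cleaner: `valid_repo` and `build_payload` are hypothetical helper names, and limiting hosts to gcr.io and Artifact Registry Docker hosts is an assumption that rejects a mistyped host such as `us-docker-pkg.dev`.

```sh
#!/bin/sh
# Added example: build the Cloud Scheduler --message-body for one or more repositories.
# valid_repo and build_payload are hypothetical helper names, not part of gcr-cleaner.
LC_ALL=C   # make the a-z range below byte-wise in every shell

# Succeeds only for HOST/PROJECT/IMAGE[/...] on a gcr.io or Artifact Registry
# Docker host (assumption: these are the only registries you intend to clean).
valid_repo() {
  case "$1" in
    ''|*[!a-z0-9_./-]*) return 1 ;;  # quotes, spaces, etc. would corrupt the JSON
    /*|*/|*//*) return 1 ;;          # empty path component
    */*/*) ;;                        # at least host, project and image
    *) return 1 ;;
  esac
  case "${1%%/*}" in
    gcr.io|*.gcr.io|*-docker.pkg.dev) return 0 ;;
    *) return 1 ;;                   # e.g. the typo us-docker-pkg.dev
  esac
}

# Prints {"repos":["a","b",...]}; on the first bad name it fails with nothing on stdout.
build_payload() {
  [ "$#" -gt 0 ] || { echo "no repositories given" >&2; return 1; }
  _payload=""
  for _repo in "$@"; do
    valid_repo "${_repo}" || { echo "rejected repository: ${_repo}" >&2; return 1; }
    _payload="${_payload}${_payload:+,}\"${_repo}\""
  done
  printf '{"repos":[%s]}\n' "${_payload}"
}

# Usage with the job from this guide (the second repository name is constructed):
#   BODY="$(build_payload "${REPO}" "gcr.io/${PROJECT_ID}/other-image")" || exit 1
#   gcloud scheduler jobs create http ... --message-body "${BODY}"
[ "$#" -eq 0 ] || build_payload "$@"
```
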
-
(Optional) Run the scheduled job now:
    gcloud scheduler jobs run "gcrclean-myimage" \
      --project "${PROJECT_ID}"
Note: for initial job deployments, you must wait a few minutes before invoking.