Container Registry provides the cloud-native application delivery chain feature. This feature allows you to combine tasks such as image building, image scanning, image synchronization, and image distribution in a single delivery chain. Cloud-native delivery chains are secure and can be monitored and traced. This topic describes how to create a delivery chain. You can use delivery chains to build, scan, synchronize, and distribute images around the world by submitting only changes to the source code.

Step 1: Create a delivery chain and configure basic information

  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, click the required Container Registry Enterprise Edition instance.
  5. On the management page of the Container Registry Enterprise Edition instance, choose Delivery Chain > Chain in the left-side navigation pane.
  6. In the upper-left corner of the Chain page, click Create Delivery Chain.
  7. On the Create Delivery Chain page, enter the following information in the Details section.
    • Name: the name of the delivery chain.
    • Description: Optional. The description of the delivery chain.
    • Scope: Select a namespace and an image repository in the namespace.

Step 2: Configure image building rules

If the image repository that you select is a local repository, you cannot use the build feature of the delivery chain.

  1. In the Chain section, click Image Building. Then, click Add Build Rule.
  2. In the Build Information step, set the following parameters and click Next.
    • Type: Specify the type of the source code repository. Valid values: Branch and Tag.
    • Branch/Tag: Select or enter a branch or a tag. Regular expressions are supported. If you specify the release-(?<imageTag>\w*) regular expression, the system builds a V1 image when the source code under the release-v1 branch is updated. The image is built within a few minutes. For more information about how to use regular expressions, see Use regular expressions in named capturing groups.
      Note: After you specify regular expressions, only the system can build images. You cannot manually build images.
    • Dockerfile Directory: The directory in which the Dockerfile resides. You must specify a relative directory. The parent directory is the root directory of the code branch.
    • Dockerfile Filename: The name of the Dockerfile. The default name is Dockerfile.
  3. In the Tag step, set the parameters, click Save, and then click Next.
    Note: Choose Add Configuration to add an image tag. You can add up to three image tags.
    • Image Tag: The tag of the image, for example, latest. You can enable named capturing groups. For example, if you specify a named capturing group for Branch/Tag, you can use the captured content.
    • Build Time: Optional. The time when source code is pushed. Specify the time in the UTC+8 format, for example, 20201015 or 202010151613.
      Note: If you set this parameter, only the system can build images. You cannot manually build images.
    • Commit ID: The number of characters to be obtained from the commit ID of the most recently pushed code. By default, the first six characters are used. You can adjust the slider to change the number of characters.
      Note: This parameter is optional. If you set this parameter, images can be built only by the system. You cannot manually build images.
  4. In the Build Configurations step, set the following parameters and click Confirm.
    • Build Architecture: The architecture for which you want to build images. You can select multiple architectures. If you select multiple architectures, multiple container images for the architectures are built for each image tag.
    • Build Parameters: The runtime parameters of the image build. Each build parameter is a key-value pair that is case-sensitive. You can set a maximum of 20 build parameters.
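
The following is an added example, not part of the Container Registry documentation: it dry-runs the Branch/Tag pattern from step 2 against constructed branch names to show which refs would start a build and what the imageTag group captures. The page does not state whether the pattern must match the whole ref name, so the anchored flag models both behaviors as an assumption; evaluateRef, dryRun, and the sample refs are hypothetical names.

```javascript
// Added example: dry-run a Branch/Tag build rule against ref names.
// ASSUMPTION: the page does not say whether the registry anchors the match,
// so both behaviours are modelled through the `anchored` flag.
const RULE = String.raw`release-(?<imageTag>\w*)`; // pattern quoted on the page

// Docker tag grammar: 1-128 chars, first is a word char, rest are word chars, '.' or '-'.
const VALID_TAG = /^\w[\w.-]{0,127}$/;

// Evaluate one ref name; returns { ref, matched, tag, problem }.
function evaluateRef(pattern, ref, anchored) {
  const re = new RegExp(anchored ? `^(?:${pattern})$` : pattern);
  const m = re.exec(ref);
  if (!m) return { ref, matched: false, tag: null, problem: null };
  const tag = m.groups && m.groups.imageTag !== undefined ? m.groups.imageTag : null;
  let problem = null;
  if (tag === null) problem = "pattern has no imageTag group";
  else if (!VALID_TAG.test(tag)) problem = "captured text is not a valid image tag";
  else if (m[0] !== ref) problem = "partial match: part of the ref was ignored";
  return { ref, matched: true, tag, problem };
}

// Constructed sample refs (not taken from any real repository).
const SAMPLE_REFS = ["release-v1", "release-", "release-v1.2", "hotfix/release-v9", "main"];

function dryRun(pattern, refs, anchored) {
  return refs.map((ref) => evaluateRef(pattern, ref, anchored));
}

for (const anchored of [false, true]) {
  console.log(`anchored=${anchored}`);
  for (const r of dryRun(RULE, SAMPLE_REFS, anchored)) {
    const outcome = r.matched ? `tag ${JSON.stringify(r.tag)}` : "no build";
    console.log(`  ${r.ref.padEnd(18)} ${outcome}${r.problem ? `  [${r.problem}]` : ""}`);
  }
}
```

In this model, release- captures an empty tag in both modes, and under partial matching release-v1.2 and hotfix/release-v9 also match. A stricter rule such as ^release-(?<imageTag>\w+)$ rejects all three.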

Step 3: Configure the scanning rules for image security scanning

Security scanning for the delivery chain ensures the security of images when images are synchronized and distributed.

  1. In the Chain section, click Security Scan.
  2. In the Node configuration section, configure the blocking rule.
    • Security Engine: You can select Security Center scan engine or built-in scan engine.
      If vulnerabilities are detected, the Security Center scan engine allows you to fix vulnerabilities with a few clicks. You cannot use the built-in scan engine of Container Registry to fix vulnerabilities with a few clicks.
      Note: If you want to use the image scanning feature of Security Center, you must purchase the Ultimate Edition of Security Center. For more information, see Purchase Security Center. If Security Center is not available in your region, Security Center is not displayed on the console. To view the regions that support Security Center, see .
    • Block strategy:
      • Blocking: If the blocking rule is met, the system stops the subsequent steps for all images.

        You must specify the Severity and Vulnerability parameters in the blocking rule. You must also specify whether to delete the original image and whether to back up the images after the images in which vulnerabilities are detected are blocked and the subsequent steps are stopped.

      • Non-blocking: The system proceeds with follow-up steps for all images.

Step 4: Configure image synchronization rules

After you configure image synchronization rules, updated images are automatically synchronized between Container Registry Enterprise Edition instances based on the rules.

  1. In the Chain section, click Trigger Synchronization. Then, click Create Rule.
  2. In the Create Rule dialog box, enter a rule name, specify the destination Container Registry Enterprise Edition instance, and then click Next.
    • If the destination instance already exists, select a region and select an existing instance as the destination instance.
    • If the destination instance does not exist, click Create Instance to create an instance. For more information, see Create a Container Registry Enterprise Edition instance.
    Note: If access over the Internet is disabled, images can be automatically synchronized across regions.
  3. In the Replication Information wizard, configure the replication information of the source instance and click Create Rule.
    • Replication Level: Select the replication level. Valid values: Namespaces and Repository.
    • Source Address: Specify a namespace and a repository. Enter a regular expression to filter image tags in the repositories of the namespace or in the specified repository. By default, all image tags are synchronized. You can specify the source repository only if you set the Replication Level parameter to Repository.

Step 5: Configure distribution triggers

You can configure distribution triggers to automatically distribute images. This way, applications can be automatically redeployed.

  1. In the Chain section, click Distribution Trigger. Then, click Create.
  2. In the Create Trigger dialog box, set the parameters and click Confirm.
    • Name: The name of the trigger.
    • Trigger URL: The URL to which the trigger sends notifications. You can obtain the URL from the configurations of your Container Service for Kubernetes (ACK) cluster.
    • Trigger: The trigger method. Valid values:
      • All: Each time an image is updated, image distribution is triggered.
      • By RegExp: A regular expression is used to filter image tags. Image distribution is triggered only when an image tag matches the regular expression.
      • By Tags: Tags are used to filter images. Image distribution is triggered only when an image tag is in the specified tag list.
  3. On the Create Delivery Chain page, click Create.

Result

On the Chain page, you can view the created delivery chain.

After source code is submitted to the code repository or an image is pulled, you can log on to the Container Registry Enterprise Edition instance and go to the Record page. On this page, you can view the status and result of each step in the delivery chain. Then, you can check whether the images are updated in your ACK cluster.