Docker push to Google Cloud Registry -- HTTP request to an HTTPS server

Question

I can't seem to get my .gitlab-ci.yml pipeline working properly. I'm able to build, test, and re-tag on gitlab just fine, but deploy stage fails on trying to push an image to gcr.io. The relevant excerpts from the pipeline file and the fail message are below. I've tried slim and alpine images, and confirmed via echo, export, and gcloud auth list that the GCP_SERVICE_ACCOUNT variable is that which I set in the gitlab system and successfully authenticated. I can't find anything via googling that addresses the misalignment of http vs https -- only syntax consistent with what I've done, or for alternate authentication methods. In the past when I've authenticated on my local machine and pushed to gcr.io, gcloud push ... worked just fine.

I also tried inserting docker-credential-gcr configure-docker --token-source="gcloud" and using asia.gcr.io (as I'm in AUS) per answers at Push to google container registry fails: Retrying. The problem in that post isn't the same, but I'm flailing at this point.

What am I getting wrong, please?

image: docker:19.03.12

services:
  - docker:19.03.12-dind

stages:
  - build
  - test
  - release
  - deploy

variables:
  GIT_DEPTH: 1
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: "/certs"
  CONTAINER_TEST_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  CONTAINER_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:latest
  GCR_IO_IMAGE: gcr.io/proj-000000/$CI_REGISTRY_IMAGE:latest

...

deploy:
  image: google/cloud-sdk:slim
  stage: deploy
  only:
  - master
  before_script:
  - echo $GCP_SERVICE_ACCOUNT > /tmp/service_account.json
  - gcloud auth activate-service-account --key-file /tmp/service_account.json
  script:
  - docker push $GCR_IO_IMAGE
  - gcloud app deploy app.yaml --project proj --image-url $GCR_IO_IMAGE

$ docker push $GCR_IO_IMAGE Error response from daemon: Client sent an HTTP request to an HTTPS server. ERROR: Job failed: exit code 1

Update following Frederic G's post below: The gcloud docker ... approach appears to be deprecated now, but following the suggestion that pops up in the fail notes:

deploy:
  image: google/cloud-sdk:alpine
  stage: deploy
  only:
  - master
  script:
  - gcloud auth activate-service-account --key-file /tmp/service_account.json
  - gcloud auth configure-docker
  - docker push $GCR_IO_IMAGE
  - gcloud app deploy sandkastenapp.yaml --project sandkasten --image-url $GCR_IO_IMAGE

now gives:

$ gcloud auth configure-docker
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file
 located at [/root/.docker/config.json]:
 {
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud"
  }
}
Do you want to continue (Y/n)?  
Docker configuration file updated.
$ docker push $GCR_IO_IMAGE
read tcp 172.17.0.4:42954->172.17.0.3:2376: read: connection reset by peer
ERROR: Job failed: exit code 1

Answer 1

What you could do is use the gcloud docker command to push the image like so :

gcloud docker -- push gcr.io/example-org/example-image:latest

Or alternatively, before running the docker command, I think you need to configure it by writing the credential file. You would need to run those commands :

gcloud docker --authorize-only
docker push gcr.io/example-org/example-image:latest

-EDIT-

I see that you set this variable in your Cloud Build setup

DOCKER_HOST: tcp://docker:2376

This might be causing issues since the port is mentioned in the error message you receive.

172.17.0.3:2376: read: connection reset by peer

When doing my tests, when I did not set that value, I was able to push an image with the following commands :

gcloud auth configure-docker
docker pull nginx
docker tag nginx gcr.io/[project]/website
docker push gcr.io/[project]/website