This topic explains how to update the Connect Agent if you use a private Docker registry. For more information about Connect, see the product's documentation.
Overview
If you choose to register a user cluster with Google Cloud console, a Kubernetes Deployment called the Connect Agent is created in the cluster. The Connect Agent establishes a long-lived, encrypted connection between the cluster and Google Cloud console.
Sometimes Google updates the Connect Agent. If you use a private registry with your cluster, follow these instructions to update the Connect Agent.
Pull updated Connect image
Pull the Connect Agent image from gcr.io and push it into your registry:

    docker pull gcr.io/gkeconnect/gkeconnect-gce:release
    docker tag gcr.io/gkeconnect/gkeconnect-gce:release \
        [PRIVATE_REGISTRY_HOST]/gkeconnect/gkeconnect-gce:release
    docker push [PRIVATE_REGISTRY_HOST]/gkeconnect/gkeconnect-gce:release

where [PRIVATE_REGISTRY_HOST] is the hostname or IP address of your private Docker registry.
Update user cluster registration
Update your user cluster's registration to Google Cloud console:

    gcloud alpha container hub register-cluster [USER_CLUSTER_NAME] \
        --context=[CLUSTER_CONTEXT] \
        --service-account-key-file=[CONNECT_SA_KEY_FILE] \
        --kubeconfig-file=[KUBECONFIG_PATH] \
        --docker-image=[DOCKER_IMAGE] \
        --docker-credential-file=[DOCKER_CONFIG_PATH] \
        --project=[PROJECT_ID]

where:
- [USER_CLUSTER_NAME] is the name of a registered user cluster, as it appears in Google Cloud console.
- [CLUSTER_CONTEXT] is the cluster's context as it appears in the kubeconfig file. To get this value, run kubectl config current-context.
- [CONNECT_SA_KEY_FILE] is the path to the connect service account's JSON key file.
- [KUBECONFIG_PATH] is the path to the user cluster's kubeconfig.
- [DOCKER_IMAGE] is the tagged image path in the private registry (for example, example.com/gkeconnect/gkeconnect-gce:release).
- [DOCKER_CONFIG_PATH] is the path to a JSON Docker config file.

  The config.json file you used in the docker commands from the previous section might have additional unnecessary credentials. You might prefer to fetch credentials from your cluster, which ensures that you don't inadvertently put additional credentials into your cluster:

      # On BSD systems (like macOS), use base64 -D
      kubectl get secret regcred \
          -o jsonpath='{.data.\.dockerconfigjson}' -n gke-connect | \
          base64 -d > private_registry_config.json

  Pass the filepath of the created file as the value of the --docker-credential-file flag, in place of [DOCKER_CONFIG_PATH] above.
- [PROJECT_ID] is the project ID of the project where the user cluster is registered. To learn how to list all projects in your organization, refer to Listing projects.
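
If you do start from a local config.json, the check below reduces it to the single registry entry the Connect Agent needs before you pass it to --docker-credential-file. This is an added example, not part of the original documentation; the function names, the host registry.example.internal:5000 and the sample config are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse


def registry_host(auth_key: str) -> str:
    """Normalize an `auths` key ("https://host/v1/", "host:5000") to host[:port]."""
    parsed = urlparse(auth_key if "://" in auth_key else "//" + auth_key)
    return parsed.netloc.lower()


def minimize_docker_config(config: dict, keep_host: str) -> tuple[dict, list[str]]:
    """Return (config holding only keep_host's auth entry, hosts that were dropped)."""
    kept, dropped = {}, []
    for key, entry in config.get("auths", {}).items():
        if registry_host(key) == keep_host.lower():
            kept[key] = entry
        else:
            dropped.append(registry_host(key))
    if not kept:
        # Fail closed: an empty credential file would break image pulls later.
        raise ValueError(f"no credentials for {keep_host} in config")
    # credsStore, credHelpers and other top-level keys are deliberately not copied:
    # they reference helpers that exist only on the workstation.
    return {"auths": kept}, sorted(dropped)


def basic_auth(user: str, password: str) -> str:
    """Encode user:password the way Docker stores it in the `auth` field."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample: a workstation config.json that has accumulated logins.
SAMPLE_CONFIG = {
    "auths": {
        "registry.example.internal:5000": {"auth": basic_auth("connect-pull", "constructed")},
        "https://index.docker.io/v1/": {"auth": basic_auth("dev-user", "constructed")},
        "gcr.io": {"auth": basic_auth("_json_key", "constructed")},
    },
    "credsStore": "desktop",
}

if __name__ == "__main__":
    minimal, dropped = minimize_docker_config(SAMPLE_CONFIG, "registry.example.internal:5000")
    print("credentials left out for:", dropped)
    print(json.dumps(minimal, indent=2))  # write this to private_registry_config.json
```
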