Updating the Connect agent using a private registry

This topic explains how to update the Connect Agent if you use a private Docker registry. For information about Connect, see the product's documentation.

Overview

If you choose to register a user cluster with Google Cloud Console, a Kubernetes Deployment called the Connect agent is created in the cluster. The Connect agent establishes a long-lived, encrypted connection between the cluster and Cloud Console.

Sometimes Google updates the Connect agent. If you use a private registry with your cluster, follow these instructions to update the Connect agent.

Pull updated Connect agent image

Pull the Connect agent image from gcr.io and push it into your registry:

docker pull gcr.io/gkeconnect/gkeconnect-gce:release
docker tag gcr.io/gkeconnect/gkeconnect-gce:release \
    [PRIVATE_REGISTRY_HOST]/gkeconnect/gkeconnect-gce:release
docker push [PRIVATE_REGISTRY_HOST]/gkeconnect/gkeconnect-gce:release

where [PRIVATE_REGISTRY_HOST] is the hostname or IP address of your private Docker registry.

Update user cluster registration

Update your user cluster's registration to Cloud Console:

gcloud container hub memberships register[USER_CLUSTER_NAME] \
  --context=[CLUSTER_CONTEXT] \
  --service-account-key-file=[CONNECT_SA_KEY_FILE] \
  --kubeconfig=[KUBECONFIG_PATH] \
  --docker-registry=[PRIVATE_REGISTRY_HOST] \
  --docker-credential-file=[DOCKER_CONFIG_PATH] \
  --project=[PROJECT_ID]

where:

  • [USER_CLUSTER_NAME] is the name of a registered user cluster, as it appears in Cloud Console.
  • [CLUSTER_CONTEXT] is the cluster's context as it appears in the kubeconfig file. To get this value, run kubectl config current-context.
  • [CONNECT_SA_KEY_FILE] is the path to the connect service account's JSON key file.
  • [KUBECONFIG_PATH] is the path to the user cluster's kubeconfig.
  • [DOCKER_CONFIG_PATH] is path to a JSON Docker config file.

    The config.json file you used in the docker commands from the previous section docker commands above might have additional unnecessary credentials. You might prefer to fetch credentials from your cluster, which ensures that you don't inadvertently put additional credentials in to your cluster:

    kubectl get secret regcred \
    -o jsonpath='{.data.\.dockerconfigjson}' -n gke-connect | \
    base64 -d \  # On BSD systems (like macOS), use base64 -D
    >private_registry_config.json
    

    Pass the filepath of the created file as the value of the --docker-credential-file flag, in place of [DOCKER_CONFIG_PATH] above.

  • [PROJECT_ID] is the project ID of the project where the user cluster is registered. To learn how to list all projects in your organization, refer to Listing projects.