System artifacts support the Google Distributed Cloud (GDC) air-gapped appliance system and manage the GDC deployment. The GDC private Artifact Registry stores the system artifacts. There are various formats for system artifacts, including but not limited to:
- Container images for Anthos, KubeVirt, and GDC managed and marketplace services
- Operating system (OS) images
- Firmware formats
- Golden virtual machine (VM) templates
- Helm charts
Artifact Registry participates in various GDC system operations such as installation, upgrades, and the lifecycle of resources in a secure, scalable, and tamper-proof manner.
Before you begin
To modify system artifacts, you must get diagnostic access. Diagnostic access is a privileged access mode required to securely support a customer when they encounter an issue. You must create a ticket to have this access granted.
Upload Docker images
To modify system artifacts, you must upload new Docker images. The upload method depends on which of the following two registries you push your container images to:
- Upload container images to the Artifact Registry in the bootstrap machine.
- Upload container images to the Artifact Registry in the admin cluster.
The following sections show the upload instructions for the two registry types.
Artifact Registry in the bootstrap machine
To upload container images to the Artifact Registry in the bootstrap machine, complete the following steps:
Ensure you have the modified Docker image with the breaking issues fixed.
Transfer the new image to the bootstrap node in your air-gapped environment.
Log in to the bootstrap node.
Locate the address of the Artifact Registry in the bootstrap machine at bootstrap time and set it as the REGISTRY_IP environment variable:
REGISTRY=$(kubectl get harborcluster harbor -n harbor-system -o=jsonpath='{.spec.externalURL}')
REGISTRY_IP=${REGISTRY#https://}
Retrieve the credential for accessing the Artifact Registry. Use the following command to retrieve the administrator account and password:
ADMIN_PASS=$(kubectl -n harbor-system get secret harbor-admin \
  -o jsonpath="{.data.secret}" | base64 -d)
Log in to the Artifact Registry:
docker login $REGISTRY_IP -u admin -p $ADMIN_PASS
A Login Succeeded message prints to verify a successful login to the Artifact Registry.
Tag the new image:
docker image tag CONTAINER_IMAGE_URL \
  $REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG
Replace the following:
- CONTAINER_IMAGE_URL: the local container image URL, such as gcr.io/repository/image:tag.
- PROJECT_NAME: the Artifact Registry project name.
- IMAGE_NAME: the container image name.
- TAG: the container image tag.
Push the new image to the Artifact Registry:
docker image push $REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG
Artifact Registry in the admin cluster
To upload container images to the Artifact Registry on the admin cluster, complete the following steps.
Ensure you have the modified Docker image with the breaking issues fixed.
Transfer the new image to a node that has root access with a root kubeconfig file to the admin cluster in your air-gapped environment.
Export the admin cluster kubeconfig file path as an environment variable:
export ADMIN_CLUSTER_KUBECONFIG=KUBECONFIG_FILE_PATH
Replace KUBECONFIG_FILE_PATH with the path to the kubeconfig file.
Locate the in-cluster Artifact Registry address and set it as the REGISTRY_IP environment variable:
REGISTRY=$(kubectl --kubeconfig $ADMIN_CLUSTER_KUBECONFIG get harborcluster harbor -n harbor-system -o=jsonpath='{.spec.externalURL}')
REGISTRY_IP=${REGISTRY#https://}
Ensure the REGISTRY_IP contains a valid URL, such as 10.200.0.36:10443:
echo ${REGISTRY_IP}
Check whether the certificate authority (CA) certificate exists:
ls -al /etc/docker/certs.d/${REGISTRY_IP}/ca.crt
If the certificate does not exist, create and configure it:
mkdir -p /etc/docker/certs.d/${REGISTRY_IP}/
chmod 755 /etc/docker/certs.d/${REGISTRY_IP}/
echo $(kubectl get secret harbor-cert-secret -n istio-system -o jsonpath='{.data.ca\.crt}' --kubeconfig $ADMIN_CLUSTER_KUBECONFIG) | openssl base64 -A -d > /etc/docker/certs.d/${REGISTRY_IP}/ca.crt
chmod 755 /etc/docker/certs.d/${REGISTRY_IP}/ca.crt
Retrieve the credential for accessing the Artifact Registry. Use the following command to retrieve the administrator account and password:
ADMIN_PASS=$(kubectl --kubeconfig $ADMIN_CLUSTER_KUBECONFIG \
  -n harbor-system get secret harbor-admin \
  -o jsonpath="{.data.secret}" | base64 -d)
Log in to the Artifact Registry:
docker login $REGISTRY_IP -u admin -p $ADMIN_PASS
A Login Succeeded message prints to verify a successful login to the Artifact Registry.
Tag the new image:
docker image tag CONTAINER_IMAGE_URL \
  $REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG
Replace the following:
- CONTAINER_IMAGE_URL: the local container image URL, such as gcr.io/repository/image:tag.
- PROJECT_NAME: the Artifact Registry project name.
- IMAGE_NAME: the container image name.
- TAG: the container image tag.
Push the new image to the Artifact Registry:
docker image push $REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG
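The login, tag and push steps of both procedures above (bootstrap machine and admin cluster) wrapped in a checked helper, as an added example that is not part of the GDC documentation. It assumes the same environment the steps describe (REGISTRY_IP derived from the harborcluster externalURL, the admin password from the harbor-admin secret, the CA certificate under /etc/docker/certs.d), validates the registry address and image reference before anything is pushed, passes the password on stdin instead of with -p, and prints the pushed digest so it can be recorded.

```bash
#!/usr/bin/env bash
# Added example, not GDC's own tooling. Function and variable names are assumptions.
set -eu

# Strip the https:// scheme exactly as ${REGISTRY#https://} does in the steps above.
registry_ip_from_url() {
  printf '%s\n' "${1#https://}"
}

# Accept only host:port (IPv4 or DNS name, numeric port) so a malformed
# externalURL cannot silently become an unexpected push destination.
validate_registry_addr() {
  case "$1" in
    *://*|*/*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[A-Za-z0-9.-]+):[0-9]{1,5}$'
}

# Build REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG, rejecting project, image or tag
# values that fall outside the image reference grammar (no shell metacharacters).
target_ref() {
  registry="$1"; project="$2"; image="$3"; tag="$4"
  printf '%s' "$project" | grep -Eq '^[a-z0-9._-]+$' || return 1
  printf '%s' "$image" | grep -Eq '^[a-z0-9._-]+$' || return 1
  printf '%s' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$' || return 1
  printf '%s/%s/%s:%s\n' "$registry" "$project" "$image" "$tag"
}

# Log in, tag and push. The password goes in on stdin rather than via -p so it does
# not show up in `ps` output or shell history. Requires docker and the CA cert that
# the steps above install under /etc/docker/certs.d/<registry>/ca.crt.
push_image() {
  registry="$1"; src="$2"; project="$3"; image="$4"; tag="$5"; pass="$6"
  validate_registry_addr "$registry" || { echo "bad registry address: $registry" >&2; return 1; }
  [ -f "/etc/docker/certs.d/$registry/ca.crt" ] || { echo "missing CA cert for $registry" >&2; return 1; }
  dest=$(target_ref "$registry" "$project" "$image" "$tag") || { echo "bad image reference" >&2; return 1; }
  printf '%s' "$pass" | docker login "$registry" -u admin --password-stdin
  docker image tag "$src" "$dest"
  docker image push "$dest"
  # Print the content digest of what was pushed so it can be noted in the support ticket.
  docker image inspect --format '{{index .RepoDigests 0}}' "$dest"
}
```

Usage on the node, after the REGISTRY_IP and ADMIN_PASS steps above: push_image "$REGISTRY_IP" gcr.io/repository/image:tag PROJECT_NAME IMAGE_NAME TAG "$ADMIN_PASS".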