Stay organized with collections
Save and categorize content based on your preferences.
System artifacts support the Google Distributed Cloud (GDC) air-gapped appliance system and manage the
GDC deployment. The GDC private Artifact Registry stores the system artifacts.
There are various formats for system artifacts, including but not
limited to:
Container images for Anthos, KubeVirt, and GDC managed
services
Operating system (OS) images
Firmware formats
Golden virtual machine (VM) templates
Helm charts
Artifact Registry participates in various GDC system
operations such as installation, upgrades, and the lifecycle of resources
in a secure, scalable, and tamper-proof manner.
Before you begin
To modify system artifacts, you must get diagnostic access. Diagnostic access is
a privileged access mode required to securely support a customer when they
encounter an issue. You must create a ticket to have this access granted.
Upload Docker images
To modify system artifacts, you must upload new Docker images. The upload method
depends on which of the following two registries you push your container images
to:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eThe Google Distributed Cloud (GDC) air-gapped system utilizes a private Artifact Registry to store various system artifacts, including container images, OS images, firmware, VM templates, and Helm charts.\u003c/p\u003e\n"],["\u003cp\u003eModifying system artifacts requires diagnostic access, which is a privileged mode granted through a support ticket.\u003c/p\u003e\n"],["\u003cp\u003eUploading container images to the system Artifact Registry can be done in two locations: either in the bootstrap machine or in the admin cluster, each with its own specific set of steps.\u003c/p\u003e\n"],["\u003cp\u003eThe process for uploading images involves logging into the respective Artifact Registry, tagging the new image, and then pushing the image to the registry.\u003c/p\u003e\n"],["\u003cp\u003eAccessing the Artifact Registry requires retrieving administrator credentials, which include the account name and password.\u003c/p\u003e\n"]]],[],null,["# Modify system artifacts\n\nSystem artifacts support the Google Distributed Cloud (GDC) air-gapped appliance system and manage the\nGDC deployment. The GDC private Artifact Registry stores the system artifacts.\nThere are various formats for system artifacts, including but not\nlimited to:\n\n- Container images for Anthos, KubeVirt, and GDC managed services\n- Operating system (OS) images\n- Firmware formats\n- Golden virtual machine (VM) templates\n- Helm charts\n\nArtifact Registry participates in various GDC system\noperations such as installation, upgrades, and the lifecycle of resources\nin a secure, scalable, and tamper-proof manner.\n| **Note:** To push a container image to the system Artifact Registry of the admin cluster, see [Push a container image from one cluster to another](/distributed-cloud/hosted/docs/latest/appliance/infrastructure/io-user/push-container-image).\n\nBefore you begin\n----------------\n\nTo modify system artifacts, you must get diagnostic access. Diagnostic access is\na privileged access mode required to securely support a customer when they\nencounter an issue. You must create a ticket to have this access granted.\n\nUpload Docker images\n--------------------\n\nTo modify system artifacts, you must upload new Docker images. The upload method\ndepends on which of the following two registries you push your container images\nto:\n\n- Upload container images to [the Artifact Registry in the bootstrap machine](#bootstrap-registry).\n- Upload container images to [the Artifact Registry in the admin cluster](#registry-admin-cluster).\n\nThe following sections show the upload instructions for the two registry types.\n\n### Artifact Registry in the bootstrap machine\n\nTo upload container images to the Artifact Registry in the bootstrap machine, complete the\nfollowing steps:\n\n1. Ensure you have the modified Docker image with the breaking issues fixed.\n\n2. Transfer the new image to the bootstrap node in your air-gapped\n environment.\n\n3. Log in to the bootstrap node.\n\n4. Locate the address of the Artifact Registry in the bootstrap machine at bootstrap time and set\n it as the \u003cvar translate=\"no\"\u003eREGISTRY_IP\u003c/var\u003e environment variable:\n\n REGISTRY=$(kubectl get harborcluster harbor -n harbor-system -o=jsonpath='{.spec.externalURL}')\n\n REGISTRY_IP=${REGISTRY#https://}\n\n5. Retrieve the credential for accessing the Artifact Registry. Use the following command\n to retrieve the administrator account and password:\n\n ADMIN_PASS=$(kubectl -n harbor-system get secret harbor-admin \\\n -o jsonpath=\"{.data.secret}\" | base64 -d)\n\n6. Log in to the Artifact Registry:\n\n docker login $REGISTRY_IP -u admin -p $ADMIN_PASS\n\n A `Login Succeeded` message prints to verify a successful login\n to the Artifact Registry.\n7. Tag the new image:\n\n docker image tag \u003cvar translate=\"no\"\u003eCONTAINER_IMAGE_URL\u003c/var\u003e \\\n $REGISTRY_IP/\u003cvar translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e/\u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e:\u003cvar translate=\"no\"\u003eTAG\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCONTAINER_IMAGE_URL\u003c/var\u003e: the local container image URL, such as `gcr.io/repository/image:tag`.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e: the Artifact Registry project name.\n - \u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e: the container image name.\n - \u003cvar translate=\"no\"\u003eTAG\u003c/var\u003e: the container image tag.\n8. Push the new image to the Artifact Registry:\n\n docker image push $REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG\n\n### Artifact Registry in the admin cluster\n\nTo upload container images to the Artifact Registry on the admin cluster, complete\nthe following steps.\n\n1. Ensure you have the modified Docker image with the breaking issues fixed.\n\n2. Transfer the new image to a node that has root access with a root\n `kubeconfig` file to the admin cluster in your air-gapped environment.\n\n3. Export the admin cluster `kubeconfig` file path as an environment variable:\n\n export ADMIN_CLUSTER_KUBECONFIG=\u003cvar translate=\"no\"\u003eKUBECONFIG_FILE_PATH\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eKUBECONFIG_FILE_PATH\u003c/var\u003e with the path to the `kubeconfig` file.\n4. Locate the in-cluster Artifact Registry address and set it as the\n \u003cvar translate=\"no\"\u003eREGISTRY_IP\u003c/var\u003e environment variable:\n\n REGISTRY=$(kubectl --kubeconfig $ADMIN_CLUSTER_KUBECONFIG get harborcluster harbor -n harbor-system -o=jsonpath='{.spec.externalURL}')\n\n REGISTRY_IP=${REGISTRY#https://}\n\n5. Ensure the \u003cvar translate=\"no\"\u003eREGISTRY_IP\u003c/var\u003e contains a valid URL, such as\n `10.200.0.36:10443`:\n\n echo ${REGISTRY_IP}\n\n6. Check whether the certificate authority (CA) certificate exists:\n\n ls -al /etc/docker/certs.d/${REGISTRY_IP}/ca.crt\n\n If the certificate does not exist, create and configure it: \n\n mkdir -p /etc/docker/certs.d/${REGISTRY_IP}/\n\n chmod 755 /etc/docker/certs.d/${REGISTRY_IP}/\n\n echo $(kubectl get secret harbor-cert-secret -n istio-system -o jsonpath='{.data.ca\\.crt}' --kubeconfig $ADMIN_CLUSTER_KUBECONFIG) | openssl base64 -A -d \u003e /etc/docker/certs.d/${REGISTRY_IP}/ca.crt\n\n chmod 755 /etc/docker/certs.d/${REGISTRY_IP}/ca.crt\n\n7. Retrieve the credential for accessing the Artifact Registry. Use the following command\n to retrieve the administrator account and password:\n\n ADMIN_PASS=$(kubectl --kubeconfig $ADMIN_CLUSTER_KUBECONFIG \\\n -n harbor-system get secret harbor-admin \\\n -o jsonpath=\"{.data.secret}\" | base64 -d)\n\n8. Log in to the Artifact Registry:\n\n docker login $REGISTRY_IP -u admin -p $ADMIN_PASS\n\n A `Login Succeeded` message prints to verify a successful login\n to the Artifact Registry.\n9. Tag the new image:\n\n docker image tag \u003cvar translate=\"no\"\u003eCONTAINER_IMAGE_URL\u003c/var\u003e \\\n $REGISTRY_IP/\u003cvar translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e/\u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e:\u003cvar translate=\"no\"\u003eTAG\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCONTAINER_IMAGE_URL\u003c/var\u003e: the local container image URL, such as `gcr.io/repository/image:tag`.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e: the Artifact Registry project name.\n - \u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e: the container image name.\n - \u003cvar translate=\"no\"\u003eTAG\u003c/var\u003e: the container image tag.\n10. Push the new image to the Artifact Registry:\n\n docker image push $REGISTRY_IP/PROJECT_NAME/IMAGE_NAME:TAG"]]
