Stay organized with collections
Save and categorize content based on your preferences.
This page describes the process of uploading a container image to Harbor,
and deploying that image in your GDC Sandbox instance.
Preparation
Follow the instructions in Connect to your instance
to connect to your instance with Linux command line access. You can
connect to your gateway over Remote Desktop, or run sshuttle
on your Linux machine.
Set environment variables that will be used in the following instructions:
exportTENANT_PROJECT=TENANT_PROJECT# Intended deployment project for the container workflow.exportHARBOR_INSTANCE_NAME=HARBOR_INSTANCE_NAME# Harbor Container Registry instance name.exportHARBOR_PROJECT=HARBOR_PROJECT# Container registry project name for your images.exportAO_USER=AO_USER# Your user name in the instance, e.g.: fop-my-user@example.com.exportINSTANCE_URL=${HARBOR_INSTANCE_NAME}-${TENANT_PROJECT}.org-1.zone1.google.gdch.test.
exportDOCKER_CONFIG_PATH=DOCKER_CONFIG_PATH# Path to docker config file e.g.: /root/.docker/config.json.
To create a Harbor registry instance, follow
Create a Harbor registry instance,
or you can use the pre-created Sandbox Harbor instance: the default user-project in GDC Sandbox comes with an already deployed Harbor Instance, user-haas-instance, which can be used for development.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Deploy container workloads\n\nThis page describes the process of uploading a container image to Harbor,\nand deploying that image in your GDC Sandbox instance.\n\nPreparation\n-----------\n\n1. Follow the instructions in [Connect to your instance](/distributed-cloud/sandbox/latest/connect)\n to connect to your instance with Linux command line access. You can\n connect to your gateway over Remote Desktop, or run `sshuttle`\n on your Linux machine.\n\n2. Set environment variables that will be used in the following instructions:\n\n export TENANT_PROJECT=\u003cvar translate=\"no\"\u003eTENANT_PROJECT\u003c/var\u003e # Intended deployment project for the container workflow.\n export HARBOR_INSTANCE_NAME=\u003cvar translate=\"no\"\u003eHARBOR_INSTANCE_NAME\u003c/var\u003e # Harbor Container Registry instance name.\n export HARBOR_PROJECT=\u003cvar translate=\"no\"\u003eHARBOR_PROJECT\u003c/var\u003e # Container registry project name for your images.\n export AO_USER=\u003cvar translate=\"no\"\u003eAO_USER\u003c/var\u003e # Your user name in the instance, e.g.: fop-my-user@example.com.\n export INSTANCE_URL=${HARBOR_INSTANCE_NAME}-${TENANT_PROJECT}.org-1.zone1.google.gdch.test.\n export DOCKER_CONFIG_PATH=\u003cvar translate=\"no\"\u003eDOCKER_CONFIG_PATH\u003c/var\u003e # Path to docker config file e.g.: /root/.docker/config.json.\n\n3. To create a Harbor registry instance, follow\n [Create a Harbor registry instance](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/create-harbor-instances#create-a-harbor-registry-instance),\n or you can use the pre-created Sandbox Harbor instance: the default `user-project` in GDC Sandbox comes with an already deployed Harbor Instance, `user-haas-instance`, which can be used for development.\n\n export HARBOR_INSTANCE_NAME=user-haas-instance\n export TENANT_PROJECT=user-project\n export INSTANCE_URL=${HARBOR_INSTANCE_NAME}-${TENANT_PROJECT}.org-1.zone1.google.gdch.test\n\nUpload image to Harbor\n----------------------\n\n1. Create a Harbor project by following\n [Create a Harbor Project](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/create-harbor-projects#create-a-harbor-project).\n\n Example: \n\n gdcloud harbor harbor-projects create \u003cvar translate=\"no\"\u003eHARBOR_PROJECT\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003eTENANT_PROJECT\u003c/var\u003e \\\n --instance=\u003cvar translate=\"no\"\u003eHARBOR_INSTANCE_NAME\u003c/var\u003e \n\n2. Sign-in to Docker. Begin at\n [Sign in to Docker or Helm with CLI secrets](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/configure-docker-authentication#sign-in-cli-secrets).\n\n3. Download or build your container image, and follow the\n Google Distributed Cloud air-gapped instructions to [Push an image](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/push-image) to push it to Harbor.\n\n For example, here is is a workflow for pulling from Gitlab and pushing\n to Harbor:\n 1. Log in and pull from your Gitlab container registry.\n\n export GITLAB_ID=\u003cvar translate=\"no\"\u003eGITLAB_ID\u003c/var\u003e\n export GITLAB_PROJECT_NAME=\u003cvar translate=\"no\"\u003eGITLAB_PROJECT_NAME\u003c/var\u003e\n export GITLAB_IMAGE_PATH=registry.gitlab.com/\u003cvar translate=\"no\"\u003eGITLAB_ID\u003c/var\u003e/\u003cvar translate=\"no\"\u003eGITLAB_PROJECT_NAME\u003c/var\u003e\n docker login registry.gitlab.com\n docker pull ${GITLAB_IMAGE_PATH}\n\n 2. Push the Gitlab image to Harbor:\n\n export TAG=demo-image\n docker tag ${TAG} ${GITLAB_IMAGE_PATH}\n docker push ${INSTANCE_URL}/${HARBOR_PROJECT}/${TAG}\n\nGrant roles\n-----------\n\nGrant your user the ability to create secrets and deployment.\n\n1. Give the user permission to create secrets by adding the\n `secret-admin` role.\n\n gdcloud projects add-iam-policy-binding PROJECT \\\n --member=\"user:${AO_USER}\" \\\n --role=secret-admin\n\n2. Give the user permission to deploy container workloads by adding the `namespace-admin` role.\n\n gdcloud projects add-iam-policy-binding PROJECT \\\n --member=\"user:${AO_USER}\" \\\n --role=namespace-admin\n\nDeploy container app\n--------------------\n\nContinue at [Create Kubernetes image pull secret](/distributed-cloud/hosted/docs/latest/gdch/platform-application/deploy-container-workloads#create-image-pull-secret) to create a secret and deploy your app."]]