This page describes the process of uploading a container image to Harbor, and deploying that image in your GDC Sandbox instance.
Preparation
Follow the instructions in Connect to your instance to connect to your instance with Linux command line access. You can connect to your gateway over Remote Desktop, or run
sshuttle
on your Linux machine.Ensure the user has
secret-admin
,namespace-admin
,global-pnp-admin
andproject-viewer
roles assigned at the project level.Set environment variables that will be used in the following instructions:
export TENANT_PROJECT=TENANT_PROJECT # Intended deployment project for the container workflow. export HARBOR_INSTANCE_NAME=HARBOR_INSTANCE_NAME # Harbor Container Registry instance name. export HARBOR_PROJECT=HARBOR_PROJECT # Container registry project name for your images. export AO_USER=AO_USER # Your user name in the instance, e.g.: fop-my-user@example.com. export INSTANCE_URL=${HARBOR_INSTANCE_NAME}-${TENANT_PROJECT}.org-1.zone1.google.gdch.test. export DOCKER_CONFIG_PATH=DOCKER_CONFIG_PATH # Path to docker config file e.g.: /root/.docker/config.json.
To create a Harbor registry instance, follow Create a Harbor registry instance, or you can use the pre-created Sandbox Harbor instance: the default
user-project
in GDC Sandbox comes with an already deployed Harbor Instance,user-haas-instance
, which can be used for development.export HARBOR_INSTANCE_NAME=user-haas-instance export TENANT_PROJECT=user-project export INSTANCE_URL=${HARBOR_INSTANCE_NAME}-${TENANT_PROJECT}.org-1.zone1.google.gdch.test
Upload image to Harbor
Create a Harbor project by following Create a Harbor Project.
Example:
gdcloud harbor harbor-projects create HARBOR_PROJECT \ --project=TENANT_PROJECT \ --instance=HARBOR_INSTANCE_NAME
Sign-in to Docker. Begin at Sign in to Docker or Helm with CLI secrets.
Download or build your container image, and follow the Google Distributed Cloud air-gapped instructions to Push an image to push it to Harbor.
For example, here is is a workflow for pulling from Gitlab and pushing to Harbor:
Sign in and pull from your Gitlab container registry.
export GITLAB_ID=GITLAB_ID export GITLAB_PROJECT_NAME=GITLAB_PROJECT_NAME export GITLAB_IMAGE_PATH=registry.gitlab.com/GITLAB_ID/GITLAB_PROJECT_NAME docker login registry.gitlab.com docker pull ${GITLAB_IMAGE_PATH}
Push the Gitlab image to Harbor:
export TAG=demo-image docker tag ${TAG} ${GITLAB_IMAGE_PATH} docker push ${INSTANCE_URL}/${HARBOR_PROJECT}/${TAG}
Deploy container app
Continue at Create Kubernetes image pull secret to create a secret and deploy your app.
Create a network policy
Create a network policy to allow all network traffic to the tenant project:
kubectl --kubeconfig GLOBAL_API_KUBECONFIG -n TENANT_PROJECT \ create -f - <<EOF apiVersion: networking.k8s.io/v1 kind: ProjectNetworkPolicy metadata: annotations: name: allow-all spec: ingress: - from: - ipBlock: cidr: 0.0.0.0/0 podSelector: {} policyTypes: - Ingress EOF
Connect to the application
Export the IP address for the service:
export IP=`kubectl --kubeconfig=${KUBECONFIG} get service ${SERVICE_NAME} \ -n TENANT_PROJECT -o jsonpath='{.status.loadBalancer.ingress[*].ip}'`
To connect from your local machine using
sshuttle
, run the following command to create an SSH tunnel. If you have an existingsshuttle
session that you created when you connected to your instance, you must terminate that session before running the following command:sshuttle -r zone1-org-1-data@GDC_SANDBOX_INSTANCE_NAME --no-latency-control \ --ssh-cmd 'gcloud compute ssh --project PROJECT_NAME --zone ZONE --tunnel-through-iap' \ 10.200.0.0/16 --dns
Test the service by sending a HTTP request http://${IP}`:
curl http://${IP}