The product described by this documentation, Anthos Clusters on AWS (previous generation), is now in maintenance mode. All new installs must use the current generation product, Anthos clusters on AWS.

Using a private image registry

This topic describes how to use GKE on AWS with a private container image repository, such as Container Registry (GCR).

Before you begin

Before you start using GKE on AWS, make sure you have performed the following tasks:

Complete the Prerequisites.

Install a management service.
Create a user cluster.
From your anthos-aws directory, use anthos-gke to switch context to your user cluster.
```
cd anthos-aws
env HTTPS_PROXY=http://localhost:8118 \
  anthos-gke aws clusters get-credentials CLUSTER_NAME
```
Replace CLUSTER_NAME with your user cluster name.
Have a Docker image built and pushed to Container Registry. The examples in this topic use the hello-app container, built with the steps from Deploying a containerized application in the GKE on Google Cloud documentation.

Private Container Registries

A container registry stores and distributes container images. Your GKE on AWS installation can access public images by default.

Check for images on Container Registry

To complete the rest of these steps, you need a container image. Get the name of your container images by performing the following steps:

Configure the Docker command-line tool to authenticate to Container Registry with Google Cloud CLI:
```
gcloud auth configure-docker
```
The Google Cloud CLI registers a credential helper for all Google-supported Docker registries.
Confirm that your Container Registry includes an image with docker images.
```
docker images
```
Docker connects to Container Registry and returns the images available in your Container Registry repository. For example, the response below shows a container image named hello-app in the project-id repository.
```
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
gcr.io/project-id/hello-app   v1                  732f02cea7cb        12 minutes ago      11.5MB
```

If you do not have a container image ready, create one by following the steps at Deploying a containerized application.

Create a Service Account

Your user clusters authenticate using an Identity and Access Management (IAM) service account.

To create a new service account, perform the following steps:

Create an IAM service account with the Google Cloud CLI.
```
gcloud iam service-accounts create account-name
```
Replace account-name with the name of the new Google Cloud service account.
Grant the service account access to Container Registry.
```
gcloud projects add-iam-policy-binding project-id \
  --member serviceAccount:account-name@project-id.iam.gserviceaccount.com \
  --role roles/storage.objectViewer
```
Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
Download the account's service account key.
```
gcloud iam service-accounts keys create key.json \
  --iam-account account-name@project-id.iam.gserviceaccount.com
```
Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
Note: The service account key allows access to privileged resources. Protect the key file after downloading it.

You are now ready to configure your user cluster to connect to Container Registry.

Define a Kubernetes Secret

To provide the key to authenticate to Container Registry, save the service account key as a Kubernetes Secret by performing the following steps:

Use kubectl to create the secret.

env HTTPS_PROXY=http://localhost:8118 \
  kubectl create secret docker-registry gcr-secret \
  --docker-server=gcr.io \
  --docker-username=_json_key \
  --docker-email=account-name@project-id.iam.gserviceaccount.com \
  --docker-password="$(cat key.json)"

Replace the following:

project-id with your Google Cloud project
account-name with your Google Cloud service account name

Delete the local copy of your service account key.
```
rm key.json
```

You can now reference this secret in your workloads.

Create a workload with a private image

To use an image from a private container repository with a workload, you set the field spec.imagePullSecrets to your secret name. This field is in different locations for Pods and Deployments.

Creating a Pod

To create a Pod, that can access the container registry, you set the field spec.imagePullSecrets to your secret name.

Create a Pod that specifies spec.imagePullSecrets.

apiVersion: v1
kind: Pod
metadata:
  name: pod-name
spec:
  containers:
  - name: container-name
    image: gcr.io/project-id/hello-app:v1
  imagePullSecrets:
  - name: secret-name

Replace the following:

pod-name with your Pod's name
container-name with the name of the container inside the Pod
project-id with your Google Cloud project
secret-name with the name of your registry secret

For example, to pull the image hello-app, copy the following YAML into a file named hello-pod.yaml.

apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
spec:
  containers:
  - name: hello-container
    image: gcr.io/project-id/hello-app:v1
  imagePullSecrets:
  - name: gcr-secret

Apply the configuration to your cluster with kubectl.

env HTTPS_PROXY=http://localhost:8118 \
  kubectl apply -f hello-pod.yaml

Confirm the pod is running with kubectl get.

env HTTPS_PROXY=http://localhost:8118 \
  kubectl get pod/hello-pod

The response includes one Pod with a status of Running.

NAME        READY   STATUS    RESTARTS   AGE
hello-pod   1/1     Running   0          15s

Creating a Deployment

To use a private repository in a Deployment, you specify the imagePullSecret inside the template.

For example, to create a Deployment, of the hello-app image, create a file named hello-deployment.yaml with the following contents:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-app-deployment
spec:
  selector:
    matchLabels:
      app: products
      department: sales
  replicas: 3
  template:
    metadata:
      labels:
        app: products
        department: sales
    spec:
      containers:
      - name: hello
        image: "gcr.io/project-id/hello-app:v1"
        env:
        - name: "PORT"
          value: "50001"
      imagePullSecrets:
      - name: gcr-secret

Apply the configuration to your cluster with kubectl.

env HTTPS_PROXY=http://localhost:8118 \
  kubectl apply -f hello-deployment.yaml

Confirm your Deployment is running with kubectl pods.

env HTTPS_PROXY=http://localhost:8118 \
  kubectl get pods --selector=app=products

The output contains three Running pods.

NAME                                    READY   STATUS    RESTARTS   AGE
hello-app-deployment-67d9c6d98c-b69f2   1/1     Running   0          14m
hello-app-deployment-67d9c6d98c-d6k5c   1/1     Running   0          14m
hello-app-deployment-67d9c6d98c-p2md5   1/1     Running   0          14m

What's next

Read the Container Registry overview.