Stay organized with collections Save and categorize content based on your preferences.

Deploy a Tomcat workload to a target cluster

After you have migrated a workload from your source platform, you can use the deployment artifacts generated by that process to deploy the migrated workload.

Skaffold can handle the workflow for building, pushing and deploying your application. For more information, see Build and deploy multiple images using Skaffold.

Before you begin

Before deploying your workload, you should have first:

Deploy a workload

To deploy a migrated workload to a target cluster you use the following command:

kubectl apply -f deployment_spec.yaml

Where deployment_spec.yaml is the YAML file that contains the deployment information for your migrated workload. This file is located within the generated artifacts.

Included in the deployment_spec.yaml is the containers property, which specifies the location of the Docker image and registry. This is a mandatory parameter which should list the full path, including the registry name of the images.

For example:

      - image:
        name: quickstart-instance

In this example, the deployment_spec.yaml specifies that the Docker image registry uses the Google Container Registry (GCR).

Before you can deploy a migrated workload to a target cluster, you must ensure that the cluster has read access to the Docker registry. The following sections describe how to enable access to the different types of registries.

Deploy on a target cluster using GCR as the Docker registry

To ensure that a target cluster has access to the Google Container Registry (GCR), create a Kubernetes secret that contains the credentials required to access GCR:

  1. Create a service account for deploying a migration as described in Creating a service account for accessing Container Registry and Cloud Storage.

    This process has you download a JSON key file named m4a-install.json.

  2. Create a Kubernetes secret that contains the credentials required to access GCR:

    kubectl create secret docker-registry gcr-json-key \ --docker-username=_json_key --docker-password="$(cat ~/m4a-install.json)" \


    • docker-registry specifies the name of the Kubernetes secret, gcr-json-key in this example.
    • specifies GCR as the server.
    • docker-username=_json_key specifies that the username is contained in the JSON key file.
    • docker-password specifies to use a password from the JSON key file.
    • docker-email specifies the email address of the service account.
  3. Set the Kubernetes secret by either:

    • Changing the default imagePullSecrets value:

      kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gcr-json-key"}]}'
    • Editing the deployment_spec.yaml file to add the imagePullSecrets value to the spec.template.spec definition, as shown below.

        - image:
          name: mycontainer-instance
        - hostPath:
            path: /sys/fs/cgroup
            type: Directory
          name: cgroups
        - name: gcr-json-key
  4. Deploy the workload secret, if secrets.yaml exists. A secrets file will exist for Tomcat-based workloads.

    kubectl apply -f secrets.yaml

Apply generated deployment YAML file

Use kubectl to apply the deployment spec to your target cluster, such as a production cluster.


  1. Ensure that the target cluster has read access to the Docker image registry as described above in Ensure the target cluster has read access to the Docker image registry.

  2. Deploy the container:

    kubectl apply -f deployment_spec.yaml
  3. After you complete your validation testing on the migrated workload to ensure that the migrated workload is functioning correctly, you should delete the migration to free up resources. See Deleting a migration for more information.

What's next