To access Google Cloud Platform (GCP) Artifact Registry from a local Kubernetes cluster using a service account key file, you need to follow these steps:
Create a GCP Service Account and Key File
Create a Kubernetes Secret with the Service Account Key
Configure Your Kubernetes Deployment to Use the Secret
Pull Images from Artifact Registry
Step-by-Step Guide
1. Create a GCP Service Account and Key File
Create the Service Account:
gcloud iam service-accounts create my-service-account
Grant the Necessary Roles to the Service Account (read-only access to Artifact Registry is enough for pulling images):
gcloud projects add-iam-policy-binding <YOUR-PROJECT-ID> \
    --member="serviceAccount:my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com" \
    --role="roles/artifactregistry.reader"
Replace <YOUR-PROJECT-ID> with your GCP project ID.
Create and Download the Key File (key.json is a long-lived credential; keep it out of version control):
gcloud iam service-accounts keys create key.json \
    --iam-account my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com
2. Create a Kubernetes Secret with the Service Account Key
Create the Secret (the username must be the literal string _json_key; the password is the full contents of the key file):
kubectl create secret docker-registry gcp-artifact-registry \
    --docker-server=LOCATION-docker.pkg.dev \
    --docker-username=_json_key \
    --docker-password="$(cat key.json)" \
    --docker-email=your-email@example.com
Replace:
LOCATION with the location of your Artifact Registry (e.g., us-central1).
your-email@example.com with your email.
3. Configure Your Kubernetes Deployment to Use the Secret
Update your Kubernetes deployment YAML to reference the secret for pulling images.
Update Deployment YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
          ports:
            - containerPort: 8080
      imagePullSecrets:
        - name: gcp-artifact-registry
Replace the placeholders:
LOCATION with your Artifact Registry location (e.g., us-central1).
PROJECT-ID with your GCP project ID.
REPOSITORY with the name of your repository.
IMAGE:TAG with the specific image and tag you want to use.
Apply the Deployment (save the manifest above as deployment.yaml, or any file name you prefer):
kubectl apply -f deployment.yaml
4. Verify the Setup
Check the Deployment Status:
kubectl get deployments my-app
kubectl get pods -l app=my-app
Describe a Pod to Verify Image Pull:
kubectl describe pod <POD-NAME>
Look at the Events section to see whether the image was pulled successfully. A pod stuck in ErrImagePull or ImagePullBackOff usually means the secret name in imagePullSecrets, the registry location, or the image reference is wrong.
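The secret created in step 2 is a kubernetes.io/dockerconfigjson secret whose embedded Docker config uses _json_key as the username and the whole key file as the password. The following added example (not code from the original page) builds that secret structure the way kubectl create secret docker-registry does and then validates one, which is a useful check when a pull fails in step 4. The sample key is constructed and contains no real credential.

```python
import base64
import json

# Constructed sample with the shape of a service-account key file; not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "my-service-account@my-project.iam.gserviceaccount.com",
}


def build_secret_manifest(name, server, key, email, namespace="default"):
    """Build the Secret that 'kubectl create secret docker-registry' would create.

    The registry username is the literal _json_key and the password is the
    entire key file; Docker's 'auth' field is base64("username:password").
    """
    key_json = json.dumps(key)
    auth = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    config = {"auths": {server: {"username": "_json_key", "password": key_json,
                                 "email": email, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


def check_secret(manifest):
    """Return a list of findings for a pull secret; an empty list means it looks right."""
    findings = []
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        return ["type is not kubernetes.io/dockerconfigjson"]
    config = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))
    for server, entry in config.get("auths", {}).items():
        if not server.endswith("-docker.pkg.dev"):
            findings.append(f"unexpected registry host: {server}")
        # The key file itself contains colons, so split only at the first one.
        user, _, password = base64.b64decode(entry.get("auth", "")).decode().partition(":")
        if user != "_json_key":
            findings.append(f"username is {user!r}, expected '_json_key'")
        try:
            key = json.loads(password)
        except ValueError:
            findings.append("password is not a JSON key file")
            continue
        if key.get("type") != "service_account" or "private_key" not in key:
            findings.append("password is not a service-account key")
    return findings
```

To check a live secret, export it with kubectl get secret gcp-artifact-registry -o json and pass the parsed object to check_secret.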
Summary
By following these steps, you configure your local Kubernetes cluster to authenticate with GCP Artifact Registry using a service account key file. This involves creating a service account with the artifactregistry.reader role and a key, storing the key as a Kubernetes docker-registry secret, and referencing that secret from imagePullSecrets in your deployments. Because the key file is a long-lived credential, grant it only the reader role and store it solely in the cluster secret.
Refs
https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling#key
https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key