How do I add private GCP Google Container Registry (GCR) images in my application?

GCR doesn’t support basic authentication like other registries that conform to the Docker registry spec? How can I add credentials to the Vendor Portal for GCR?

Replicated allows for integration with the Google Container Registry (GCR) through the JSON Key authentication mechanism.

In Google Cloud Platform you must first set up a Service Account with permissions to pull from the GCR repo by giving that account the “Storage Object Viewer” role.

You can then create a JSON key from that Service Account. When prompted for key type, make sure to select “JSON” before creating. After clicking create, a JSON file will be downloaded in your browser. This file will be used in the next step.

Under your application in the Replicated Vendor Portal, you will have the option of adding external registries. Under Username you must specify “_json_key”. Use the contents of the key file, omitting line breaks, in the field Password. Email Address in this case is ignored. Please note that GCR has multiple hostnames which are not interchangeable, so be sure to add the correct one to the Endpoint field.

Once you have added GCR as an external registry you can use the image in your Kubernetes manifests.

I’ll add for removing whitespace from the JSON Key file, jq is quite handy:

cat ~/downloads/replicated-1321312asa.json | jq -r -c -M . | pbcopy  

How should it look on the yaml file?

images:
- source: replicated
  name: api
  tag: v2.28.0

# kind: scheduler-kubernetes
apiVersion: apps/v1
kind: Deployment
spec:
      imagePullSecrets:
      - name: replicatedregistrykey
      containers:
        - name: globekeeper-api
          image: gcr.io/globekeeper-production/api:v2.28.0

Gives me the following error:

Failed to pull registry.replicated.com/globekeeper/api:v2.28.0: API error (404): {"message":"manifest for registry.replicated.com/globekeeper/api:v2.28.0 not found: manifest unknown: Manifest not found"}