Use Artifact Registry as a private registry for workload images
Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to configure a Google Distributed Cloud (software only) for
VMware admin cluster to use Google's
Artifact Registry as the private Docker registry
where you can store workload images. When you configure a private registry to
store workload images, the Google Distributed Cloud system images are also stored in the
private registry when you create or upgrade clusters.
Although Artifact Registry supports several different
authentication methods,
you must use a service account key for authentication to use Artifact Registry as a
private registry. The steps on this page explain how to get the address,
credentials, and CA certificate that the
privateRegistry
section in the admin cluster configuration file requires.
Configure a credentials file
If you haven't configured authentication for the registry, follow the steps
in
Configure authentication to Artifact Registry for Docker
to configure authentication using a service account. You must use a
service account with a JSON key file for authentication.
Create a credentials configuration file, admin-creds.yaml, as shown in
the following example. The username must be "_json_key". You can use any
value for the name field, as long it matches the value you will add to the
privateRegistry.entry field.
In the directory where the JSON key file for the registry's service account
is located, run cat on the key file to output the contents.
Copy the entire JSON key contents and paste it in the password field. Make
sure to surround the JSON key contents with single quotes since the contents
contain double quotes. For example:
Configure privateRegistry in the admin cluster configuration file
To use a private registry, you need to configure the privateRegistry section
when you create the admin cluster. After the cluster is created, you can't
change the privateRegistry.address, but the other settings are mutable and
you can update them if needed.
Run the following command to get the registry address:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["This page describes how to configure a Google Distributed Cloud (software only) for\nVMware admin cluster to use Google's\n[Artifact Registry](/artifact-registry/docs/overview) as the private Docker registry\nwhere you can store workload images. When you configure a private registry to\nstore workload images, the Google Distributed Cloud system images are also stored in the\nprivate registry when you create or upgrade clusters.\n\nAlthough Artifact Registry supports several different\n[authentication methods](/artifact-registry/docs/docker/authentication#methods),\nyou must use a service account key for authentication to use Artifact Registry as a\nprivate registry. The steps on this page explain how to get the address,\ncredentials, and CA certificate that the\n[`privateRegistry`](/kubernetes-engine/distributed-cloud/vmware/docs/how-to/admin-cluster-configuration-file-latest#privateregistry-section)\nsection in the admin cluster configuration file requires.\n\nConfigure a credentials file\n\n1. If you haven't configured authentication for the registry, follow the steps\n in\n [Configure authentication to Artifact Registry for Docker](/artifact-registry/docs/docker/authentication)\n to configure authentication using a service account. You must use a\n service account with a JSON key file for authentication.\n\n2. Create a credentials configuration file, `admin-creds.yaml`, as shown in\n the following example. The `username` must be `\"_json_key\"`. You can use any\n value for the `name` field, as long it matches the value you will add to the\n `privateRegistry.entry` field.\n\n apiVersion: v1\n kind: \"CredentialFile\"\n items:\n - name: \"private-registry-creds\"\n username: \"_json_key\"\n password:\n\n3. In the directory where the JSON key file for the registry's service account\n is located, run `cat` on the key file to output the contents.\n\n4. Copy the entire JSON key contents and paste it in the `password` field. Make\n sure to surround the JSON key contents with single quotes since the contents\n contain double quotes. For example:\n\n apiVersion: v1\n kind: \"CredentialFile\"\n items:\n - name: \"private-registry-creds\"\n username: \"_json_key\"\n password: '{\n \"type\": \"service_account\",\n \"project_id\": \"example-project-12345\",\n \"private_key_id\": \"d2661ccb21e686658c6552cf1e0166b857091b2e\",\n \"private_key\": \"-----BEGIN PRIVATE ... -----END PRIVATE KEY-----\\n\",\n \"client_email\": \"test-537@example-project-12345.iam.gserviceaccount.com\",\n \"client_id\": \"111772984510027821291\",\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test-537%40example-project-12345.iam.gserviceaccount.com\",\n \"universe_domain\": \"googleapis.com\"\n }\n '\n\nConfigure `privateRegistry` in the admin cluster configuration file\n\nTo use a private registry, you need to configure the `privateRegistry` section\nwhen you create the admin cluster. After the cluster is created, you can't\nchange the `privateRegistry.address`, but the other settings are mutable and\nyou can update them if needed.\n\n1. Run the following command to get the registry address:\n\n gcloud artifacts repositories describe \u003cvar translate=\"no\"\u003eREGISTRY_NAME\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n --location=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREGISTRY_NAME\u003c/var\u003e: the name of the registry.\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the ID of the project the registry was created in.\n - \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the region that the registry was created in, such as `us-west2`.\n\n The output is similar to the following: \n\n Encryption: Google-managed key\n Repository Size: 0.000MB\n cleanupPolicyDryRun: true\n createTime: '2025-01-28T03:27:57.701672Z'\n dockerConfig: {}\n format: DOCKER\n mode: STANDARD_REPOSITORY\n name: projects/example-project-12345/locations/us-west2/repositories/test\n registryUri: us-west2-docker.pkg.dev/example-project-12345/test\n satisfiesPzi: true\n updateTime: '2025-01-28T03:27:57.701672Z'\n vulnerabilityScanningConfig:\n enablementConfig: INHERITED\n enablementState: SCANNING_ACTIVE\n lastEnableTime: '2025-01-28T03:27:49.385246079Z'\n\n Use the `registryUri` value in the output for the `privateRegistry.address`.\n2. Run the following command to extract the CA certificate of the Artifact Registry\n endpoint and save it to a file called `ar-ca.pem`:\n\n true | openssl s_client -connect \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e-docker.pkg.dev:443 -showcerts 2\u003e/dev/null| sed -ne '/-BEGIN/,/-END/p' \u003e ar-ca.pem\n\n3. Fill in the `privateRegistry` section as follows:\n\n privateRegistry:\n address: \"\u003cvar translate=\"no\"\u003eREGISTRY_ADDRESS\u003c/var\u003e\"\n credentials:\n fileRef:\n path: \"\u003cvar translate=\"no\"\u003eCREDENTIAL_FILE_PATH\u003c/var\u003e\"\n entry: \"private-registry-creds\"\n caCertPath: \"\u003cvar translate=\"no\"\u003eCA_CERT_PATH\u003c/var\u003e\"\n componentAccessServiceAccountKeyPath: \"\u003cvar translate=\"no\"\u003eCOMPONENT_ACCESS_KEY_PATH\u003c/var\u003e\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREGISTRY_ADDRESS\u003c/var\u003e: the `registryUri` value.\n - \u003cvar translate=\"no\"\u003eCREDENTIAL_FILE_PATH\u003c/var\u003e: the full or relative path of the `admin-creds.yaml` file.\n - \u003cvar translate=\"no\"\u003eCA_CERT_PATH\u003c/var\u003e: the full or relative path of the `ar-ca.pem` file.\n - \u003cvar translate=\"no\"\u003eCOMPONENT_ACCESS_KEY_PATH\u003c/var\u003e: the full or relative path of the component access service account key file."]]
