# Pull Images from GAR to RKE2 (Google Artifact Registry)

This document applies only to single-node RKE2.

## Install RKE2 v1.31.2

For the RKE2 installation itself, see Antony's article ([Link](https://hackmd.io/@QI-AN/RKE2-Rancher-Prime-Installation#Install-RKE2-v1312)).

#### Set the variables

```bash!
SERVICE_ACCOUNT_NAME='gsa-demo'
REPOSITORY_ID='gar-demo'
LOCATION='asia-east1'
ROLE='roles/artifactregistry.reader'

# (optional) Cloud Shell sets this variable automatically at startup
GOOGLE_CLOUD_PROJECT='project-demo'
```

#### Create the Google Service Account

```bash!
gcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME}
```

#### Generate a Google Service Account key

The key file written here is a long-lived credential. Keep it out of version control, copy it to the RKE2 node as `/root/gcp-sa.json` (the path the registry configuration below reads), and delete the local copy once the node has it.

```bash!
gcloud iam service-accounts keys create key.json \
  --iam-account=${SERVICE_ACCOUNT_NAME}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com
```

#### Grant the Service Account access to GAR

Use one of the two bindings. The project-level binding lets the account read every Artifact Registry repository in the project; the repository-level binding limits it to the one repository RKE2 pulls from, which is what least privilege calls for. `gcloud artifacts repositories get-iam-policy` shows the resulting bindings on the repository.

```bash!
# Every GAR repository in the project
gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} \
  --member=serviceAccount:${SERVICE_ACCOUNT_NAME}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
  --role=${ROLE}

# One specific GAR repository (least privilege)
gcloud artifacts repositories add-iam-policy-binding ${REPOSITORY_ID} \
  --location="${LOCATION}" \
  --member="serviceAccount:${SERVICE_ACCOUNT_NAME}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
  --role="${ROLE}"
```

### Private Registry Configuration ([Link](https://docs.rke2.io/install/private_registry))

RKE2 reads `/etc/rancher/rke2/registries.yaml` at startup and hands the credentials to containerd, so pods can pull from `asia-east1-docker.pkg.dev` without an `imagePullSecret`. GAR accepts the fixed user `_json_key_base64` with the base64-encoded key file as the password. Run this as root: the `$(...)` in the heredoc is expanded by the calling shell, not under `sudo`, and `/root/gcp-sa.json` is not readable by other users.

```bash!
cat <<EOF | sudo tee /etc/rancher/rke2/registries.yaml
mirrors:
  "asia-east1-docker.pkg.dev":
    endpoint:
      - "https://asia-east1-docker.pkg.dev"
configs:
  "asia-east1-docker.pkg.dev":
    auth:
      username: _json_key_base64
      password: '$(cat /root/gcp-sa.json | base64 -w 0)'
EOF
```

The rendered file now contains the service-account key. `tee` creates it with the default umask, which is usually world-readable, so restrict it to root (mode 0600) before moving on.

<details>
<summary>Alternative: render registries.yaml from a template with envsubst</summary>

```bash!
export JSON_KEY_BASE64=$(cat /root/gcp-sa.json | base64 -w 0)

# Quote the delimiter so the shell leaves ${JSON_KEY_BASE64} in place for envsubst
cat <<'EOF' | sudo tee /etc/rancher/rke2/registries.yaml.tmpl
mirrors:
  "asia-east1-docker.pkg.dev":
    endpoint:
      - "https://asia-east1-docker.pkg.dev"
configs:
  "asia-east1-docker.pkg.dev":
    auth:
      username: _json_key_base64
      password: ${JSON_KEY_BASE64}
EOF

# Write through sudo tee: a plain > redirect runs as the unprivileged shell and fails
envsubst < /etc/rancher/rke2/registries.yaml.tmpl | sudo tee /etc/rancher/rke2/registries.yaml
```

The template holds only the placeholder; the rendered `registries.yaml` holds the key and needs the same root-only permission as above.

</details>

Restart rke2-server so the new registry configuration is picked up (`registries.yaml` is only read at startup):

```bash!
sudo systemctl restart rke2-server
```

After the restart, the registry settings RKE2 generated for containerd appear in `/var/lib/rancher/rke2/agent/etc/containerd/config.toml`, and a pod referencing an image under `asia-east1-docker.pkg.dev` should pull without any `imagePullSecret`.

## References

https://github.com/rancher/rke2/discussions/6096
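As an added example, not part of the original page or of RKE2: a shell script that renders `registries.yaml` for one GAR host the same way the Private Registry Configuration section does, but creates the file root-only (umask 077 instead of `tee`'s default) and then verifies that the embedded password decodes back to the original key file. It uses a constructed, fake service-account key in a temporary directory, so it runs without GCP or RKE2; the function names and the output path are assumptions, and like the page's own `base64 -w 0` it assumes Linux with GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or RKE2): render registries.yaml
# for one GAR host from a service-account key, create it mode 0600, and check
# that the embedded credential round-trips. Function names are assumptions.
set -eu

# Render registries.yaml: $1 = GAR host, $2 = key JSON path, $3 = output path.
# The password is the base64 of the whole key file, paired with the fixed
# GAR user _json_key_base64, exactly as in the page's registries.yaml.
render_registries_yaml() {
  local host="$1" key_file="$2" out="$3" key_b64
  key_b64=$(base64 -w 0 < "$key_file")
  # umask 077 in a subshell so the new file is created 0600: it holds a
  # long-lived credential, unlike the 0644 that `sudo tee` would produce.
  (
    umask 077
    cat > "$out" <<EOF
mirrors:
  "${host}":
    endpoint:
      - "https://${host}"
configs:
  "${host}":
    auth:
      username: _json_key_base64
      password: '${key_b64}'
EOF
  )
}

# Pull the password back out of the rendered file and decode it, so the
# result can be compared against the original key file.
decode_embedded_key() {
  sed -n "s/^ *password: '\(.*\)'$/\1/p" "$1" | base64 -d
}

# Octal permission bits of a file, e.g. 600.
file_mode() {
  stat -c '%a' "$1"
}

# Demo with a constructed, fake key (not a real credential).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf '%s' '{"type":"service_account","project_id":"project-demo","private_key_id":"0000","client_email":"gsa-demo@project-demo.iam.gserviceaccount.com"}' > "$workdir/gcp-sa.json"
render_registries_yaml asia-east1-docker.pkg.dev "$workdir/gcp-sa.json" "$workdir/registries.yaml"
echo "registries.yaml mode: $(file_mode "$workdir/registries.yaml")"
if [ "$(decode_embedded_key "$workdir/registries.yaml")" = "$(cat "$workdir/gcp-sa.json")" ]; then
  echo "embedded key matches the source key"
fi
```

On a real node, point the third argument at `/etc/rancher/rke2/registries.yaml` and run the script as root; the round-trip check is also a quick way to confirm that the base64 step did not wrap or truncate the key before restarting rke2-server.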