Setting up Google Container Registry - nareshkumarthota/rootrepo GitHub Wiki
For deploying the TIBCO BusinessEvents application to the Kubernetes cluster, you must push the application container image to Google Container Registry.
Alternatively, you can also use VMware Harbor Registry to store and manage application container images for your Enterprise PKS deployment. For details, see Pivotal Docs.
To access container images in the Google Container Registry from an environment other than GCP, set up a secret object (containing the credential information) for Kubernetes. You can use this secret object in Kubernetes object specification (YAML) files for your deployment.
- For the TIBCO BusinessEvents application container image that you want to deploy to the Kubernetes cluster, see Containerize TIBCO BusinessEvents Application.
Note: If you build your container image with the buildah tool instead of Docker, the equivalents of the docker login, tag, push and pull commands used below are available as buildah login, buildah tag, buildah push and buildah pull.
- Download and install the CLIs used in the commands below (gcloud, kubectl and docker) on your system.
- Retrieve the project ID of the default project of your Google Cloud account. Sample gcloud command:
  gcloud config list core/project
- To push the TIBCO BusinessEvents application container image to the Google Container Registry, first tag it with the registry name and then push it. The hostname is gcr.io or one of the regional hosts us.gcr.io, eu.gcr.io or asia.gcr.io, and Docker must be authenticated to the registry before the push (for example with gcloud auth configure-docker). For details, see the Google Container Registry documentation. Sample command syntax:
  docker tag <source-image> <hostname>/<project-id>/<image-name>
  docker push <hostname>/<project-id>/<image-name>
- Set up the Kubernetes secret object for pulling container images from Google Container Registry.
- Create a Google Cloud service account and store its key in a JSON file. See the Cloud Identity and Access Management documentation. The key file is a long-lived credential: restrict its file permissions and delete it from the workstation once the Kubernetes secret has been created. Sample gcloud command syntax:
  gcloud iam service-accounts create <service-account-name>
  gcloud iam service-accounts keys create ~/key.json --iam-account <service-account-name>@<project-id>.iam.gserviceaccount.com
- Add an IAM policy binding for the defined project and service account. See the Cloud Identity and Access Management documentation. For an account that only pulls images, roles/storage.objectViewer on the project is sufficient, because Google Container Registry stores image layers in Cloud Storage; do not grant a broader role such as roles/editor to a credential that lives inside the cluster. Sample gcloud command syntax:
  gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount:<service-account-name>@<project-id>.iam.gserviceaccount.com --role=<role>
- Create the Kubernetes secret object by using the JSON file you have just created. The username must be the literal string _json_key and the password is the complete contents of the key file, not a separate password. See Kubernetes documentation. Sample kubectl command syntax:
  kubectl create secret docker-registry <secret-name> --docker-server=<hostname> --docker-username=_json_key --docker-email=<email_id> --docker-password="$(cat ~/key.json)"
  You can reference this secret object in the Kubernetes configuration (YAML) files of your deployments through the imagePullSecrets field of the pod specification.
- To avoid listing the secret in every deployment, you can instead add it to the default service account of the namespace; every pod that uses that service account then pulls with it. See Kubernetes Documentation.
  kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"<secret-name>\"}]}"
- We can use either Google Container Registry or VMware Harbor Registry.
First create a service account for the container registry and create the secret that Kubernetes uses to pull the image. Run the following commands with the Google Cloud CLI on your system:
- Create a GCP service account; the account is identified by an email address
  SA_EMAIL=$(gcloud iam service-accounts --format='value(email)' create k8s-gcr-auth-ro)
- Create the JSON key file and associate it with the service account
  gcloud iam service-accounts keys create k8s-gcr-auth-ro.json --iam-account=$SA_EMAIL
- Get the project ID and grant the service account read-only access to the registry storage
  PROJECT=$(gcloud config list core/project --format='value(core.project)')
  gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$SA_EMAIL --role roles/storage.objectViewer
- Create a secret for pulling Docker images, then attach it to the default service account (the secret must exist before it is referenced)
  SECRETNAME=<secretname>
  kubectl create secret docker-registry $SECRETNAME --docker-server=https://us.gcr.io --docker-username=_json_key --docker-email=<email_id> --docker-password="$(cat k8s-gcr-auth-ro.json)"
  kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"$SECRETNAME\"}]}"
- Tag and push the image
  docker tag <image> us.gcr.io/<GCP project ID>/<image>
  docker push us.gcr.io/<GCP project ID>/<image>
- Update the YAML files with the secret name in the imagePullSecrets field.
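Both procedures above end in kubectl create secret docker-registry with _json_key as the user and the whole key file as the password. The added example below (written for this page; it is not code from the wiki or from TIBCO's tooling) builds that same kubernetes.io/dockerconfigjson Secret offline from a key file, and decodes one back so you can check what a pull secret in the cluster actually contains (which registry host, which service account, which project) without printing the private key. The script name make_pull_secret.py, the constructed sample key and its placeholder private_key value are assumptions, not real credentials.

```python
"""Build and inspect a Kubernetes image-pull secret for Google Container Registry.

Added example, not part of the original wiki. It reproduces offline what
`kubectl create secret docker-registry --docker-username=_json_key
--docker-password="$(cat key.json)"` generates. SAMPLE_KEY is constructed
for the example; its private_key is a placeholder, not key material.
"""
import base64
import json
import sys

# Hostnames Google Container Registry serves images from.
GCR_HOSTS = {"gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io"}

# Constructed sample service-account key (placeholder values only).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "k8s-gcr-auth-ro@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890",
}


def sample_key_json() -> str:
    """The constructed key as it would appear in the file gcloud writes."""
    return json.dumps(SAMPLE_KEY)


def key_problems(key_json: str) -> list:
    """Reasons the file is unusable as a GCR pull credential (empty list if it is fine)."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return ["key file is not valid JSON"]
    problems = []
    if key.get("type") != "service_account":
        # gcloud auth login writes "authorized_user" files; those are not pull credentials.
        problems.append("not a service-account key (type=%r)" % key.get("type"))
    for field in ("project_id", "private_key", "client_email"):
        if not key.get(field):
            problems.append("missing %r" % field)
    return problems


def validate_key(key_json: str) -> dict:
    """Parse the key file, raising ValueError with every problem found."""
    problems = key_problems(key_json)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(key_json)


def normalize_host(server: str) -> str:
    """Accept 'us.gcr.io' or 'https://us.gcr.io' and return the bare GCR host."""
    host = server.split("://", 1)[1] if "://" in server else server
    host = host.rstrip("/")
    if host not in GCR_HOSTS:
        raise ValueError("%r is not a Google Container Registry host" % host)
    return host


def is_gcr_host(server: str) -> bool:
    try:
        normalize_host(server)
        return True
    except ValueError:
        return False


def build_pull_secret(key_json: str, server: str, name: str, namespace: str = "default") -> dict:
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict.

    A Docker config entry carries the credential as username/password and
    again as base64("username:password") in "auth"; kubelet uses "auth".
    As with kubectl, the entire key file is the password.
    """
    validate_key(key_json)
    host = normalize_host(server)
    auth = base64.b64encode(("_json_key:" + key_json).encode()).decode()
    dockercfg = {"auths": {host: {"username": "_json_key", "password": key_json, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockercfg).encode()).decode()},
    }


def inspect_pull_secret(manifest: dict) -> dict:
    """Decode a dockerconfigjson Secret (e.g. from kubectl get secret NAME -o json)
    and report host, user, service account and project without exposing the key."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    report = {}
    for host, entry in json.loads(raw)["auths"].items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        key = validate_key(password) if user == "_json_key" else {}
        report[host] = {
            "username": user,
            "service_account": key.get("client_email"),
            "project_id": key.get("project_id"),
        }
    return report


if __name__ == "__main__":
    # Usage: python make_pull_secret.py key.json us.gcr.io gcr-pull-secret | kubectl apply -f -
    key_path, server, name = sys.argv[1:4]
    with open(key_path) as f:
        print(json.dumps(build_pull_secret(f.read(), server, name), indent=2))
```

The manifest is emitted as JSON, which kubectl apply accepts, so no YAML library is needed. The registry host is stored without the https:// prefix; kubelet matches either form, and normalising it makes an inspected secret easier to compare against the image references in your deployments. The key_problems check catches the most common mistake in practice, passing the authorized_user file written by gcloud auth login instead of a service-account key.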
Download the Harbor tile from Pivotal Network and import it in the Ops Manager dashboard (refer to harbor-container-registry). A VMware Harbor tile then appears in the dashboard.
- Select the Harbor tile and assign AZs and networks by selecting a network.
- Enter a hostname that you own to use as the Harbor host.
- Generate an RSA certificate and private key; the certificate's domain must match the hostname you specified for Harbor.
- Set the password for the Harbor admin account.
- Select Internal for the authentication mode and local file system for the container registry storage.
- Change the resource config page if required.
- Download the Root CA certificate from the settings section under the username.
- Provide the Harbor CA certificate to Ops Manager by entering the contents of the CA certificate file into the Trusted Certificates field.
- Create the load balancer, firewall rules and DNS entry for the Harbor VM.
- Configure the Docker daemon on each host that pushes to or pulls from Harbor for <harbor_host_address>: make it trust the Harbor CA certificate (for example by placing it at /etc/docker/certs.d/<harbor_host_address>/ca.crt). Listing the host under insecure-registries also works, but it disables TLS verification and should be limited to test clusters.
- To log in to VMware Harbor Registry, perform the following steps.
- In a web browser, navigate to https://<harbor_host_address>:443.
- Enter the username admin.
- Enter the password that you set when you configured Harbor for PKS.
- Create a user in the Harbor registry and grant it admin or the minimum privileges required (for pushing images, project-level push and pull is enough).
- Log in, then tag and push the image. Omit -p so docker login prompts for the password, or pipe it in with --password-stdin; a password given with -p is recorded in the shell history and visible in the process list.
  docker login <harbor_host_address> -u <username>
  docker tag <image> <harbor_host_address>/library/<image>
  docker push <harbor_host_address>/library/<image>
- How to deploy the TIBCO BusinessEvents application is described here.