In this post, I will walk through enabling Content Trust in the Harbor registry that ships in the VMware Tanzu Kubernetes Grid (TKG) extensions bundle.
If you are new to Content Trust, here is a good introduction to take a look at.
Docker Content Trust is built on Notary, and you can learn about Notary here.
Normally you have to deploy Notary separately and use it as the trust server. The nice part about Harbor is that it ships with Notary, which makes image signing much easier to set up.
Now, let's talk about how to enable image signing in Harbor.
Enable Content Trust in Harbor Registry
1. When you install the Harbor registry from a TKG extensions bundle, Notary is installed alongside it (the notary-server and notary-signer pods below).
2. Check by running the command below (k is an alias for kubectl):
$ k get po -n tanzu-system-registry
NAME READY STATUS RESTARTS AGE
harbor-clair-d7c77df59-nlkgn 2/2 Running 0 14d
harbor-core-66fd74d8f6-7gx8c 1/1 Running 0 61d
harbor-database-0 1/1 Running 0 61d
harbor-jobservice-7785c685bf-v4hrq 1/1 Running 2 14d
harbor-notary-server-54c487657d-csgn7 1/1 Running 0 14d
harbor-notary-signer-595568d5cb-7fww8 1/1 Running 0 61d
harbor-portal-7b54446754-jwdlw 1/1 Running 0 61d
harbor-redis-0 1/1 Running 0 14d
harbor-registry-6477f4dd78-252tw 2/2 Running 8 61d
harbor-trivy-0 1/1 Running 0 61d
3. You will also see that an HTTPProxy is created for Notary, with its own FQDN:
$ k get proxy -n tanzu-system-registry
NAME                      FQDN                        TLS SECRET   STATUS   STATUS DESCRIPTION
harbor-httpproxy          harbor.demo.local           harbor-tls   valid    Valid HTTPProxy
harbor-httpproxy-notary   notary.harbor.demo.local    harbor-tls   valid    Valid HTTPProxy
4. Now, access the Harbor UI and create a project in which we want to enable content trust.
5. Provide the project name; for testing purposes, let's make it public.
6. Once you click OK, a success message is displayed.
7. Click on the project and open its Configuration tab.
8. Select Enable content trust and click SAVE.
9. We have now enabled content trust for the project: every image repository created inside it can carry Notary signatures, and Harbor will only serve tags from this project that are signed.
10. Go back to the terminal from which you will run the docker commands to push images.
Note: If you deployed Harbor with a self-signed certificate, the Docker daemon needs the CA certificate in
/etc/docker/certs.d/<Harbor FQDN from step 3>/ca.crt
and the Docker client, which talks to Notary directly, needs the same CA in
~/.docker/tls/<Notary FQDN from step 3>/ca.crt
11. Export DOCKER_CONTENT_TRUST=1 so that docker push signs (and docker pull verifies), and set DOCKER_CONTENT_TRUST_SERVER to the Notary FQDN from step 3 (https://notary.harbor.demo.local). Without the latter, Docker assumes Notary is reachable at the registry's own hostname, which is not the case in this setup.
12. Now, let's tag a busybox image and push it.
# Tag image
$ docker tag busybox:latest harbor.demo.local/demo-project/busybox:latest
# Push image
$ docker push harbor.demo.local/demo-project/busybox:latest
The push refers to repository [harbor.demo.local/demo-project/busybox]
latest: digest: sha256:dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b size: 527
Signing and pushing trust metadata
Enter passphrase for root key with ID e8a7dfc:
Enter passphrase for new repository key with ID 77b3350:
Repeat passphrase for new repository key with ID 77b3350:
Finished initializing "harbor.demo.local/demo-project/busybox"
Successfully signed harbor.demo.local/demo-project/busybox:latest
Notice the lines of the output from "Signing and pushing trust metadata" onwards.
On the first push to a repository, you are asked for the root key passphrase and for a passphrase for the new repository key. The root key passphrase is needed again whenever trust is initialized for another new repository while DOCKER_CONTENT_TRUST is set; pushing further tags to an already-initialized repository asks only for that repository's key passphrase. The root key is generated on the client, under ~/.docker/trust/private by default.
You should back up the root key somewhere safe: if you lose it you cannot initialize trust for new repositories under the same root, and anyone who obtains it together with its passphrase can sign as you.
13. Also, let's validate in the Harbor UI, where the tag is now shown as signed.
Your image is now signed.
A few more things worth knowing
1. Inspect the trusted image and look at the output. It lists the signed tag with its digest and signer, plus the IDs of the repository and root keys:
$ docker trust inspect --pretty harbor.demo.local/demo-project/busybox:latest
Signatures for harbor.demo.local/demo-project/busybox:latest
SIGNED TAG   DIGEST                                                             SIGNERS
latest       dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b   (Repo Admin)
Administrative keys for harbor.demo.local/demo-project/busybox:latest
Repository Key: 77b3350453bd9af27eff59fa0c8aee728b220a4221d526a05c03c05493a763ea
Root Key: ab7860bccc08c74218dfdfcb323ab993135e5b898f1d0cf49fa598fb6149c455
2. You can also revoke the signature.
$ docker trust revoke harbor.demo.local/demo-project/busybox:latest
Enter passphrase for repository key with ID 77b3350:
Successfully deleted signature for harbor.demo.local/demo-project/busybox:latest
This removes the trust data for the tag but leaves the image in the registry: a docker pull with DOCKER_CONTENT_TRUST=1 now fails for that tag, and Harbor refuses to serve it from a project with content trust enabled. You can validate this in the Harbor UI, where the tag no longer shows as signed.
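As an added example (not code from the original post, Harbor or TKG), the script below puts the client-side steps 10 to 12 together and goes one step further than the post: it parses the `docker trust inspect --pretty` output shown above to confirm that the tag you just pushed actually carries a signature, which is the check a deploy pipeline would gate on. The FQDNs and the ca.crt path are assumptions matching this post's environment; the sample inspect output is copied from the post so the parser can be tried offline.

```shell
#!/bin/sh
# Added example (not code from the original post or from Harbor/TKG):
# client-side Content Trust setup against a Harbor registry whose Notary
# sits behind a separate FQDN, plus a signature check on the pushed tag.
# Assumptions: REGISTRY and NOTARY are the two HTTPProxy FQDNs from step 3,
# CA_CERT is Harbor's self-signed CA. Change them for your environment.
set -e

REGISTRY="${REGISTRY:-harbor.demo.local}"
NOTARY="${NOTARY:-notary.harbor.demo.local}"
CA_CERT="${CA_CERT:-./ca.crt}"

# Where the Docker daemon looks for a registry's CA (the certs.d note in step 10).
registry_cert_dir() {
  printf '/etc/docker/certs.d/%s\n' "$1"
}

# Where the Docker client looks for the Notary server's CA when
# DOCKER_CONTENT_TRUST_SERVER is a separate host (use host:port if a port is set).
notary_cert_dir() {
  printf '%s/.docker/tls/%s\n' "${HOME}" "$1"
}

# The two variables behind step 11: sign on push, verify on pull, and talk to
# Harbor's Notary instead of assuming Notary lives on the registry host.
trust_env() {
  export DOCKER_CONTENT_TRUST=1
  export DOCKER_CONTENT_TRUST_SERVER="https://$1"
}

# Read `docker trust inspect --pretty` output on stdin and print the digest
# signed for tag $1. Exits 1 when the tag has no signature, so a pipeline can
# stop before pulling an unsigned tag.
signed_digest_for_tag() {
  awk -v tag="$1" '
    /^SIGNED TAG/          { in_table = 1; next }
    /^Administrative keys/ { in_table = 0 }
    in_table && $1 == tag  { print $2; found = 1 }
    END                    { exit(found ? 0 : 1) }
  '
}

# Constructed sample, copied from the inspect output shown in the post, so the
# parser can be exercised without a registry.
SAMPLE_INSPECT='Signatures for harbor.demo.local/demo-project/busybox:latest

SIGNED TAG   DIGEST                                                             SIGNERS
latest       dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b   (Repo Admin)

Administrative keys for harbor.demo.local/demo-project/busybox:latest

  Repository Key:   77b3350453bd9af27eff59fa0c8aee728b220a4221d526a05c03c05493a763ea
  Root Key:         ab7860bccc08c74218dfdfcb323ab993135e5b898f1d0cf49fa598fb6149c455'

# End to end: trust the CA, enable signing, tag, push, then confirm the tag is
# signed. $1 is the target reference, e.g.
#   harbor.demo.local/demo-project/busybox:latest
# (the tag is taken from the text after the last ':', so pass an explicit tag).
main() {
  image="$1"
  tag="${image##*:}"
  # GNU install: creates the directory and copies the CA in one step.
  sudo install -D -m 0644 "$CA_CERT" "$(registry_cert_dir "$REGISTRY")/ca.crt"
  install -D -m 0644 "$CA_CERT" "$(notary_cert_dir "$NOTARY")/ca.crt"
  trust_env "$NOTARY"
  docker tag busybox:latest "$image"
  docker push "$image"   # prompts for the root key passphrase on a new repository
  docker trust inspect --pretty "$image" | signed_digest_for_tag "$tag"
}

# The docker steps only run when an image reference is given; running without
# arguments just defines the helpers above.
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

Run it as `sh harbor-trust-push.sh harbor.demo.local/demo-project/busybox:latest`; the last line it prints is the signed digest, and a non-zero exit means the tag was pushed but no signature was recorded, for example because DOCKER_CONTENT_TRUST was not set in that shell.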