Enabling Content Trust in Harbor Registry that comes with Tanzu Bundle

In this post, I will discuss the process of enabling content trust in the Harbor registry that ships in the VMware Tanzu Kubernetes Grid extensions bundle.

Background

If you are new to Content Trust, here is a good place to start:

https://docs.docker.com/engine/security/trust/

Docker Content Trust is based on Notary, and you can learn about Notary here:

https://docs.docker.com/engine/security/trust/

Generally, you need to deploy Notary separately and then use it as the trust server. The good part about Harbor is that it ships with Notary, which makes image signing much easier.

Now, let's talk about the process to enable image signing in Harbor.

Enable Content Trust in Harbor Registry

1. When you install the Harbor registry from a TKG extensions bundle, Notary is installed in the tanzu-system-registry namespace.

2. Check by running the command below:

$ k get po -n tanzu-system-registry
NAME                                    READY   STATUS    RESTARTS   AGE
harbor-clair-d7c77df59-nlkgn            2/2     Running   0          14d
harbor-core-66fd74d8f6-7gx8c            1/1     Running   0          61d
harbor-database-0                       1/1     Running   0          61d
harbor-jobservice-7785c685bf-v4hrq      1/1     Running   2          14d
harbor-notary-server-54c487657d-csgn7   1/1     Running   0          14d
harbor-notary-signer-595568d5cb-7fww8   1/1     Running   0          61d
harbor-portal-7b54446754-jwdlw          1/1     Running   0          61d
harbor-redis-0                          1/1     Running   0          14d
harbor-registry-6477f4dd78-252tw        2/2     Running   8          61d
harbor-trivy-0                          1/1     Running   0          61d

3. You will also see that an HTTPProxy has been created for Notary.

$ k get proxy -n tanzu-system-registry
NAME                      FQDN                        TLS SECRET   STATUS   STATUS DESCRIPTION
harbor-httpproxy          harbor.demo.local           harbor-tls   valid    Valid HTTPProxy
harbor-httpproxy-notary   notary.harbor.demo.local    harbor-tls   valid    Valid HTTPProxy

4. Now, access the Harbor UI and let's create a project where we want to enable content trust.

5. Provide the project name and let's make it public for testing purposes.

6. Once you click OK, a success message is displayed.

7. Click on the project and then on the Configuration tab.

8. Select Enable content trust and click on SAVE.

9. We have now enabled content trust for the project, and any image repository created inside this project can have its images signed.

10. Go back to the terminal from which you will run the docker commands to push images.

Note: If you deployed Harbor with a self-signed certificate, you need to copy the CA cert into /etc/docker/certs.d/<FQDN name from step 3>

11. Export the variables below:

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notary.harbor.demo.local

12. Now, let's tag a busybox image and try to push it.

# Tag image
$ docker tag busybox:latest harbor.demo.local/demo-project/busybox:latest
# Push image
$ docker push harbor.demo.local/demo-project/busybox:latest
The push refers to repository [harbor.demo.local/demo-project/busybox]
5b8c72934dfc: Pushed
latest: digest: sha256:dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b size: 527
Signing and pushing trust metadata
Enter passphrase for root key with ID e8a7dfc:
Enter passphrase for new repository key with ID 77b3350:
Repeat passphrase for new repository key with ID 77b3350:

Finished initializing "harbor.demo.local/demo-project/busybox"
Successfully signed harbor.demo.local/demo-project/busybox:latest

Notice the trust metadata lines at the end of the output above (from "Signing and pushing trust metadata" onward).

If you push the image for the first time, you will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set. The root key is generated at /root/.docker/trust/private/*.key.

You should back up the root key somewhere safe.

13. Also, let's validate in the Harbor UI.

Now, your image is signed.

A few more good things to learn

1. Inspect the trusted image and look at the output. You can see the keys.

$ docker trust inspect --pretty harbor.demo.local/demo-project/busybox:latest

Signatures for harbor.demo.local/demo-project/busybox:latest

SIGNED TAG   DIGEST                                                             SIGNERS
latest       dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b   (Repo Admin)

Administrative keys for harbor.demo.local/demo-project/busybox:latest

  Repository Key:   77b3350453bd9af27eff59fa0c8aee728b220a4221d526a05c03c05493a763ea
  Root Key:         ab7860bccc08c74218dfdfcb323ab993135e5b898f1d0cf49fa598fb6149c455

2. You can also revoke the signature.

$ docker trust revoke harbor.demo.local/demo-project/busybox:latest
Enter passphrase for repository key with ID 77b3350:
Successfully deleted signature for harbor.demo.local/demo-project/busybox:latest

You can validate in Harbor UI.
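The inspect and revoke steps above are what a deployment pipeline should consume before it trusts a tag. The following is an added example (not from this post, Harbor or Docker) that parses the JSON form of `docker trust inspect` output and gates on three things: the tag is signed, its signed digest matches the digest you expect, and the repository's root key matches a pinned value so a silently re-initialised repository is rejected. The two embedded samples are constructed from the values shown in this post; `check_trust`, `check_live` and the pinned-root-key idea are this example's own.

```python
import json
import subprocess

# Constructed sample of `docker trust inspect harbor.demo.local/demo-project/busybox:latest`
# right after the signed push shown above (key IDs and digest taken from this post).
ROOT_KEY = "ab7860bccc08c74218dfdfcb323ab993135e5b898f1d0cf49fa598fb6149c455"
REPO_KEY = "77b3350453bd9af27eff59fa0c8aee728b220a4221d526a05c03c05493a763ea"
DIGEST = "dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b"
ADMIN_KEYS = [{"Name": "Root", "Keys": [{"ID": ROOT_KEY}]},
              {"Name": "Repository", "Keys": [{"ID": REPO_KEY}]}]
SIGNED_SAMPLE = json.dumps([{
    "Name": "harbor.demo.local/demo-project/busybox:latest",
    "SignedTags": [{"SignedTag": "latest", "Digest": DIGEST, "Signers": ["Repo Admin"]}],
    "Signers": [], "AdministrativeKeys": ADMIN_KEYS}])
# Constructed sample of the same repository after `docker trust revoke` on the tag.
REVOKED_SAMPLE = json.dumps([{
    "Name": "harbor.demo.local/demo-project/busybox:latest",
    "SignedTags": [], "Signers": [], "AdministrativeKeys": ADMIN_KEYS}])


def check_trust(inspect_json, tag, expected_digest=None, pinned_root_key=None):
    """Return (ok, reason). ok only if `tag` has a signature, its signed digest
    equals expected_digest (when given) and the repo's root key equals
    pinned_root_key (when given, so a re-initialised repo is rejected)."""
    try:
        repos = json.loads(inspect_json)
    except json.JSONDecodeError as exc:
        return False, f"unparseable trust data: {exc}"
    if not repos:
        return False, "no trust data for repository"
    repo = repos[0]
    signed = {t["SignedTag"]: t for t in repo.get("SignedTags", [])}
    if tag not in signed:
        return False, f"tag {tag!r} is not signed (or its signature was revoked)"
    digest = signed[tag]["Digest"]
    if expected_digest and digest != expected_digest:
        return False, f"signed digest {digest[:12]} differs from expected {expected_digest[:12]}"
    roots = [k["ID"] for a in repo.get("AdministrativeKeys", [])
             if a["Name"] == "Root" for k in a["Keys"]]
    if pinned_root_key and pinned_root_key not in roots:
        return False, "root key differs from the pinned root key"
    return True, f"{tag} signed by {', '.join(signed[tag]['Signers'])} at {digest[:12]}"


def check_live(image, tag, **kwargs):
    """Same check against a real Harbor: needs docker on PATH and the two
    DOCKER_CONTENT_TRUST* variables from step 11 exported. Not used offline."""
    out = subprocess.run(["docker", "trust", "inspect", f"{image}:{tag}"],
                         capture_output=True, text=True, check=False)
    return check_trust(out.stdout or "[]", tag, **kwargs)
```

Pin the root key ID you recorded when the repository was first initialised; if `docker trust inspect` ever reports a different one, treat the repository as untrusted until you know why.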
