Enabling Embedded Harbor Registry in vSphere with Tanzu Supervisor Cluster

Container registries provide Kubernetes operators with a convenient repository for storing and sharing container images. vSphere with Tanzu includes an embedded Harbor Registry that you can enable on the Supervisor Cluster running on vSphere 7. You can also use an external private container registry with Tanzu Kubernetes clusters. My preferred choice so far is the external Harbor registry.

You can enable the embedded Harbor Registry on the Supervisor Cluster to serve as the private container registry for the deployment of vSphere Pods and Tanzu Kubernetes cluster workloads.

In this blog, I will help you with step by step instructions to enable and use the embedded Harbor registry.


  • Supervisor Cluster is enabled and functional
  • Supervisor Cluster is enabled with NSX-T networking
  • Storage Policy is created
  • Administrative permission on vSphere

Enabling/Configuring Embedded Harbor Registry

– Login on vCenter UI using Administrative credentials

– Navigate to Menu – Workload Management

– Select an appropriate Cluster ( In my case there is just one Cluster, but you can have more than one)

– Go to the Configure Option -> Select Image Registry under Namespaces

– Select an appropriate Storage Policy

– Click on OK and the process of enabling Harbor regx`istry will start. You can monitor the tasks in Tasks list and wait for around ~15 mins.

– Once the registry is enabled, You will see several vSphere POD’s created as below

– You will also see the Health status change to Running as shown in screen below

– Now, Our Embedded Harbor registry enablement is completed. Notice the Root certificate option, Download the SSL certificate if you are going to login to the Harbor registry from the CLI. Here, Before I talk about the CLI way to login to the registry, Let’s see how easy it is to login via GUI.

Login via GUI

– Note down the Harbor UI url shown in above screen, open it on your preferred browser.

– Use the credentials that you are using to login to vCenter. Remember, This registry is automatically integrated with vSphere authentication.

– You will notice that the projects are created automatically based on the namespaces you have created on supervisor cluster. This is automatic and you don’t have to take any action.

Note: The embedded Harbor registry provides limited functionality than the external Harbor registry. So, you can decide which method best fits your use case.

Login via CLI

– Now, copy the root certificate of the harbor registry downloaded in the above steps and copy in a directory on your workstation. In my case, I will be using Linux based workstation.

root@dinesh:~# ls -ltr | grep -i root-
-rw-r--r--  1 root root      1497 Nov 23 17:17 root-certificate.txt

– Copy the certificate in an appropriate location

# Create the directory if it does not exists
root@dinesh:~# mkdir -p /etc/docker/certs.d/
root@dinesh:~# cp root-certificate.txt  /etc/docker/certs.d/ca.crt

– Restart the docker service

root@dinesh:~# sudo systemctl restart docker.service

– Now, download and copy the vSphere docker credential helper for linux. Go to the supervisor namespace and open the link to download the helper.

– Select an operating system and click on “Download for Linux” button

– Copy the zip file on your linux workstation in any directory

– Unzip it

root@dinesh:~# unzip vsphere-docker-credential-helper.zip
Archive:  vsphere-docker-credential-helper.zip
   creating: bin/
  inflating: bin/docker-credential-vsphere

– Move the executable to a local bin

root@dinesh:~# mv bin/docker-credential-vsphere /usr/local/bin/docker-credential-vsphere
root@dinesh:~# docker-credential-vsphere
vSphere login manager is responsible for vSphere authentication. It allows vSphere users to securely login and logout to access Harbor images.

  docker-credential-vsphere [command]

Available Commands:
  help        Help about any command
  login       Login into specific harbor server and get authentication
  logout      Logout from Harbor server and erase user token

  -h, --help   help for docker-credential-vsphere

Use "docker-credential-vsphere [command] --help" for more information about a command.

– Now, finally we are ready to login on to the registry via CLI

$ docker-credential-vsphere login <Your Registry IP here>
Username: administrator@vsphere.local
Password: INFO[0017] Fetched username and password
INFO[0017] Fetched auth token
INFO[0017] Saved auth token

Great, So we learned to enable the embedded harbor registry, then we explored different methods to login. You can follow the general docker method to push and pull images.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s