Container registries provide Kubernetes operators with a convenient repository for storing and sharing container images. vSphere with Tanzu includes an embedded Harbor Registry that you can enable on the Supervisor Cluster running on vSphere 7. You can also use an external private container registry with Tanzu Kubernetes clusters. My preferred choice so far is the external Harbor registry.
You can enable the embedded Harbor Registry on the Supervisor Cluster to serve as the private container registry for the deployment of vSphere Pods and Tanzu Kubernetes cluster workloads.
In this blog, I will help you with step by step instructions to enable and use the embedded Harbor registry.
- Supervisor Cluster is enabled and functional
- Supervisor Cluster is enabled with NSX-T networking
- Storage Policy is created
- Administrative permission on vSphere
Enabling/Configuring Embedded Harbor Registry
– Login on vCenter UI using Administrative credentials
– Navigate to Menu – Workload Management
– Select an appropriate Cluster ( In my case there is just one Cluster, but you can have more than one)
– Go to the Configure Option -> Select Image Registry under Namespaces
– Select an appropriate Storage Policy
– Click on OK and the process of enabling Harbor regx`istry will start. You can monitor the tasks in Tasks list and wait for around ~15 mins.
– Once the registry is enabled, You will see several vSphere POD’s created as below
– You will also see the Health status change to Running as shown in screen below
– Now, Our Embedded Harbor registry enablement is completed. Notice the Root certificate option, Download the SSL certificate if you are going to login to the Harbor registry from the CLI. Here, Before I talk about the CLI way to login to the registry, Let’s see how easy it is to login via GUI.
Login via GUI
– Note down the Harbor UI url shown in above screen, open it on your preferred browser.
– Use the credentials that you are using to login to vCenter. Remember, This registry is automatically integrated with vSphere authentication.
– You will notice that the projects are created automatically based on the namespaces you have created on supervisor cluster. This is automatic and you don’t have to take any action.
Note: The embedded Harbor registry provides limited functionality than the external Harbor registry. So, you can decide which method best fits your use case.
Login via CLI
– Now, copy the root certificate of the harbor registry downloaded in the above steps and copy in a directory on your workstation. In my case, I will be using Linux based workstation.
root@dinesh:~# ls -ltr | grep -i root- -rw-r--r-- 1 root root 1497 Nov 23 17:17 root-certificate.txt root@dinesh:~#
– Copy the certificate in an appropriate location
# Create the directory if it does not exists root@dinesh:~# mkdir -p /etc/docker/certs.d/ root@dinesh:~# cp root-certificate.txt /etc/docker/certs.d/ca.crt
– Restart the docker service
root@dinesh:~# sudo systemctl restart docker.service
– Now, download and copy the vSphere docker credential helper for linux. Go to the supervisor namespace and open the link to download the helper.
– Select an operating system and click on “Download for Linux” button
– Copy the zip file on your linux workstation in any directory
– Unzip it
root@dinesh:~# unzip vsphere-docker-credential-helper.zip Archive: vsphere-docker-credential-helper.zip creating: bin/ inflating: bin/docker-credential-vsphere
– Move the executable to a local bin
root@dinesh:~# mv bin/docker-credential-vsphere /usr/local/bin/docker-credential-vsphere root@dinesh:~# docker-credential-vsphere vSphere login manager is responsible for vSphere authentication. It allows vSphere users to securely login and logout to access Harbor images. Usage: docker-credential-vsphere [command] Available Commands: help Help about any command login Login into specific harbor server and get authentication logout Logout from Harbor server and erase user token Flags: -h, --help help for docker-credential-vsphere Use "docker-credential-vsphere [command] --help" for more information about a command.
– Now, finally we are ready to login on to the registry via CLI
$ docker-credential-vsphere login <Your Registry IP here> Username: email@example.com Password: INFO Fetched username and password INFO Fetched auth token INFO Saved auth token
Great, So we learned to enable the embedded harbor registry, then we explored different methods to login. You can follow the general docker method to push and pull images.