Configure Image Relocation with Cloud Native Runtimes

Follow this image relocation procedure if either of the following are true:

  • You do not have access to the VMware Harbor registry.
  • Your security policies require that you access images from a designated private registry.

If you are installing Cloud Native Runtimes using image relocation with a registry that does not have a publicly-rooted certificate, you need to provision your cluster with a self-signed certificate. For information about provisioning a cluster with a self-signed certificate, see How to Set Up a Harbor Registry with Self-Signed Certificates for Tanzu Kubernetes Clusters.


In addition to the prerequsites listed above, you need the following prerequisites:

  • imgpkg. See the CNR Compatibility Matrix for compatible versions. To download imgpkg, see the imgpkg website.
  • To use image relocation with a private registry, set the following environment variables:
    • cnr_registry__server. Where cnr_registry__server is the URI of the registry.
    • cnr_registry__username. Where cnr_registry__username is the username for the registry.
    • cnr_registry__password. Where cnr_registry__password is the password to access the registry.

    Note: The environment variables include two underscore symbols ( _ ).

Relocate Image to Private Registry

To relocate the Cloud Native Runtimes image to a private registry:

  1. Verify that imgpkg was installed. Run:

    imgpkg version
  2. Download cloud-native-runtimes-1.1.x.lock file from the Cloud Native Runtimes release page.

  3. Log in to your registry through Docker or, for other authentication options, such as environment variables, see the imgpkg documentation.

  4. Push the bundle to a registry. Run:

    imgpkg copy --lock cloud-native-runtimes-1.1.x.lock --to-repo LINK-TO-PRIVATE-REPO --lock-output LOCK-OUTPUT


    • LINK-TO-PRIVATE-REPO is the path to the private registry.
    • LOCK-OUTPUT is the name of your lock output file.

    Note: If you do not have the certificates for your private registry, then add --registry-verify-certs=false to the command and to the command in step 4.

    For example:

     $ imgpkg copy –lock cloud-native-runtimes-1.1.0.lock –to-repo my.corp.registry/cnr –lock-output ./relocated.lock –registry-verify-certs=false 

  5. Pull your image. Run:

    imgpkg pull --lock LOCK-OUTPUT -o ./cloud-native-runtimes

    Where LOCK-OUTPUT is the name of your lock output file.

    For example:

    $ imgpkg pull –lock ./relocated.lock -o ./cloud-native-runtimes 

  6. Navigate to the cloud-native-runtimes directory. Run:

    cd cloud-native-runtimes
  7. Mark the file as executable by updating the install script permission. Run:

    chmod +x ./bin/
  8. Follow the steps in Preparing to Create a Service to create a secret for your private registry.
check-circle-line exclamation-circle-line close-line
Scroll to top icon