For enterprise development teams, a private container registry offers a number of advantages: more granular access control, configurable vulnerability scanning and, above all, a trusted, “known good” source of images. Harbor is an open source container registry that supports all of these requirements, together with an extensible API and support for multi-tenancy. It can be installed in any Kubernetes cluster with Bitnami’s Harbor Helm chart, which provides an up-to-date and secure Harbor package.
Harbor can be easily configured to automatically replicate container images from the VMware Application Catalog. This allows VMware Application Catalog users to consume images from their private Harbor registry (typically configured behind a firewall or in a DMZ). With this, enterprise users get all the benefits of a private registry, together with access to the latest, most secure and up-to-date container images from the VMware Application Catalog.
This article explains how to configure Harbor to replicate container images from the VMware Application Catalog. It assumes that you have administrator access to a pre-existing installation of Harbor, configured in line with existing enterprise requirements. If you don’t already have Harbor, you can install it using Bitnami’s Harbor Helm chart, and you can learn more about Harbor on its website.
The first step is to configure a registry to host the container images. Follow these steps:
In the resulting dialog, configure the registry endpoint as follows:
Enter the following in the “Access Secret” field. This secret permits read-only access to a demo catalog. If you are using a custom VMware Application Catalog, replace this secret with the JSON key provided to you.
{
"type": "service_account",
"project_id": "sys-2b0109it",
"private_key_id": "c9dc1e9c39fce8cc3e603ef6a9912c3bd7379f2b",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7H2jwgzFUP0f5\nTZyfzqVVQx3gyGYoqD3bC5SJLWmqeLX2NGh6lS2W9cJOayPYWa29NacGVv9rFXP4\nYT6EAtR5q7qW1GW4LrkWPZSDmuWEy+kwA22fc8y8wZXW19+QG+B7HdB55ewJnnVN\nJhPZ/3df8aAVlE2WMLow3xSHZLXpbU4qir9P3p2oqEwYjeEg70QLUTVwQmc7/qkg\nteqQptWyg3zaU77oYKs5XMPrIvIB6RlbAnBw5T3RZzcn0XJ1whMRiC8/XZG9m2AT\n+u45CBeJgh2+adZVCnoYMSHVAHh3RVpbXGP5Qz8jkYIaKRg1sm1jpIPtMhOMhEVC\nUJ7569HlAgMBAAECggEALCpQdi38213ZQsQZAtX/C2X9PBQImrGE8fmkfBEqJrh5\neCwr+bzShxYn36Llkbeu7GDotHQdsnxchCQNoZJabIJGFrn4bTWn7VIpBrvtTr/j\nILg6bD9kdCu7zjri8yxFOkHR9id4o9eQ553kYxhrKEvLJTS88EU9ePH6Mi+oyPhh\n74LepNk8GJQb09SmBjMFLoSH16U61qk9IWUlcXDICk6N+RVfQQC7o0qNI5wlK+jo\nXoiB2427EKh3ZVxyAU3S4TEIxaWDVmkctAC3VE/OVoE4xcrSdOfeb62AbgbwbDIq\nINpROlV7NpHSkjCb2INemiEiqCijQF8VGEsuxb5JGQKBgQDzBfjSdSLlXgVqRDCa\niu/4UPJEOnYijGChYARUp+II+XYT2wLRDq+bSRjFA8G/GoYdUtsq23wkWcRm2nEw\nzCJthcMlaArMI1DVUmCB9P+vHpl4KibHLyV2zjcVPmvYvOrrsbrezftqbxBdu2DP\nstCla8ubKhVY8/XptTDeq99rKQKBgQDFHUysVaxM4XyEP5enewhJ4L8zE4vjkn36\n/6qGiXdALsRcqUARO3T/96TPdvJM+02lmrwkIYFNS6uZ0XoRh+47P7+gjyokTq/1\nboTubEneeestsdO2+Eb93Bs0k6UlVYduOldWZWvovxAS9qrS17jdCD+jiFvfdPKC\nvEqJO1NEXQKBgESCO3nA0byNO8OQQ49deXasAw/e1yy4HAmCEtZ2mU7kXDgOtoWO\nuUxyV8w6WeTwqjwb/nLfeuiYcbh4/g2+jjoHylKCOQEBN6lbVp9sHKQWYTcx0sq1\n7L7INVkExsxLvYICEWb79FM1ygxSZWFHzG/FqpksTOZNp9ZhYMx08T+5AoGAHJ12\nRgZh7v9E/kXlFDEuMNtpplaOFklr9IYtET7five/FdyUKmxBPe+Lg3q3DinlScc+\nzNf4V2pGzRu15tme4gcNIJfn/EFYFf8nWR1rU9rLI2UPYR6F39CWOnm8ncDe2kep\n6ibrFWy3PqmEfvtGIQBTjL/85mGp2wTOpUFxgxkCgYEAjC+0uhwvjq1CtX07ZzWD\nAvBhgENbeMhgJH39LPwQeN6elMAZuVXOOMjdcUgBhmn+qFdtT8grTTb8aVaMv03w\npb3Ad/h9O02jju1szFauk3bRyOeLgnfbGWfxQr+wLF6QX88OOni2k7AZSsY7c2+B\nJ98NXFP/ONWBctynfAIhzRE=\n-----END PRIVATE KEY-----\n",
"client_email": "ro-tac-demo@sys-2b0109it.iam.gserviceaccount.com",
"client_id": "104362580895171078721",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/ro-tac-demo%40sys-2b0109it.iam.gserviceaccount.com"
}
Click the “Test Connection” button to test the connection to the endpoint. If the test passes, click “OK” to create the registry.
The new registry should appear in the list of registries.
TIP: If you have multiple teams accessing Harbor, you can configure a separate registry for each.
Once the private Harbor registry has been created, the next step is to configure replication between this private Harbor registry and the source catalog. Configure a separate rule for each container image that you wish to replicate.
As an example, this article will show you how to replicate the Kafka container image from the VMware Application Catalog to the private Harbor registry. Follow these steps:
In the resulting dialog, configure the replication rule as follows:
Enter the complete path to the source image in the “Source resource filter” field. For example, to replicate the Kafka image, enter the value sys-2b0109it/demo/bitnami/kafka. To replicate the complete catalog, use a wildcard pattern like sys-2b0109it/demo/bitnami/**. You can also obtain this information from the “Container tags” section in the VMware Application Catalog interface.
NOTE: Replicating the complete VMware Application Catalog will take a few hours and consume more than 100 GB of disk space.
Enter a destination namespace (optional) or leave empty for the default.
TIP: Use the “Destination namespace” field in the replication rule dialog to specify different namespaces for replication. This allows different teams to use the same VMware Application Catalog account but have a separate registry for each project, each with its own subset of containers.
Set the “Trigger Mode” to Manual.
Click “Save” to save the replication rule.
TIP: If you plan to synchronize images on a fixed schedule, set the “Trigger Mode” to Scheduled instead and provide a cron string to define the schedule.
The new rule should appear in the list of replication rules.
Repeat this step for every container image that you wish to replicate, modifying the source resource filter path/name as required.
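To check how much a source resource filter selects before saving a rule, the following sketch (an added example, not part of the original article and not Harbor's own code) applies a simplified model of the ?, * and ** wildcards to a constructed repository list. Only the Kafka path and the bitnami/** pattern come from this article; the other repository names and the helper names are assumptions.

```python
import re

# Constructed repository names; only the kafka path is taken from the article.
REPOS = [
    "sys-2b0109it/demo/bitnami/kafka",
    "sys-2b0109it/demo/bitnami/kafka-exporter",
    "sys-2b0109it/demo/bitnami/zookeeper",
    "sys-2b0109it/demo/bitnami/charts/kafka",
    "sys-2b0109it/other/redis",
]

def filter_to_regex(pattern):
    """Translate ?, * and ** into a regex. Simplified: {a,b} alternation is not handled."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")        # crosses path separators
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")     # stays inside one path segment
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")      # exactly one non-separator character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))

def preview(pattern, repos=REPOS):
    """Return the repositories a rule with this source filter would select."""
    rx = filter_to_regex(pattern)
    return [r for r in repos if rx.fullmatch(r)]

def unexpected(pattern, approved, repos=REPOS):
    """Repositories the filter selects that are not on the approved list."""
    return sorted(set(preview(pattern, repos)) - set(approved))

if __name__ == "__main__":
    for p in ("sys-2b0109it/demo/bitnami/kafka",
              "sys-2b0109it/demo/bitnami/kafka*",
              "sys-2b0109it/demo/bitnami/*",
              "sys-2b0109it/demo/bitnami/**"):
        print(p, "->", preview(p))
```

Comparing the result of unexpected() against the list of images a team has approved shows when a wildcard rule would replicate more than intended.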
You can now proceed to test the replication, as follows:
The replication process will begin. You will be able to watch the status in the “Executions” list.
To see details of what was replicated, or to stop the process, click the event ID in the “Executions” list. This takes you to the event detail page. Click the “Logs” icon to view a detailed log of the replication process, or click the “Stop” button to stop the operation.
You can now begin using the replicated container images from the Harbor registry.
The following example commands demonstrate how to run the replicated Kafka container image from the local Harbor registry. Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for your Harbor registry.
$ docker login REGISTRY-ENDPOINT/sys-2b0109it/demo/bitnami/kafka
$ docker run --rm REGISTRY-ENDPOINT/sys-2b0109it/demo/bitnami/kafka