Consume VMware Tanzu Application Catalog images using a Private Harbor Registry

This section explains how to configure Harbor to replicate container images from the VMware Tanzu Application Catalog (Tanzu Application Catalog).

Harbor can be easily configured to automatically replicate container images from the Tanzu Application Catalog. This allows Tanzu Application Catalog users to consume images from their private Harbor registry (typically configured behind a firewall or in a DMZ). With this, enterprise users get all the benefits of a private registry, together with access to the latest, most secure and up-to-date container images from the Tanzu Application Catalog.

For enterprise development teams, a private container registry offers a number of advantages: more granular access control, configurable vulnerability scanning and above all, a trusted and “known good” source of images. Harbor is an open source container registry which supports all of these requirements, together with an extensible API and support for multi-tenancy. It can be installed in any Kubernetes cluster with Bitnami’s Harbor Helm chart, which provides an up-to-date and secure Harbor package.

What to do first

Ensure:

• You have administrator access to a pre-existing installation of Harbor, configured in line with existing enterprise requirements. If you don’t have Harbor, install it using Bitnami’s Harbor Helm chart. To learn more, see Harbor.

To consume Tanzu Application Catalog images using a Private Harbor Registry, follow the steps as explained in the sections below:

1. Configure a registry
2. Configure replication rules
3. Test the replication process
4. Use the replicated container images

Configure a registry

The first step is to configure a registry to host the container images. Follow these steps:

1. Log in to Harbor with administrator credentials.
2. Navigate to the “Administration > Registries” page.
3. Click “New Endpoint” to create a new registry endpoint.

4. In the resulting dialog, configure the registry endpoint as follows:

   • Set the “Provider” field to google-gcr.
   • Enter a name and description for the registry.
   • Set the “Endpoint URL” to https://gcr.io.

   • Enter a secret in the “Access Secret” field. This secret permits access to a catalog.

     The Configuration dialog box diplays.

     

5. Click “Test Connection” to test the connection to the endpoint. If the test passes, click “OK” to create the registry.

   The new registry should appear in the list of registries.

   

Tip If you have multiple teams accessing Harbor, you can configure a separate registry for each.

Configure replication rules

Once the private Harbor registry has been created, the next step is to configure replication between this private Harbor registry and the source catalog. A separate rule is to be configured for each container image that you wish to replicate.

As an example, this article will show you how to replicate the Kafka container image from the Tanzu Application Catalog to the private Harbor registry. Follow these steps:

1. Log in to Harbor with administrator credentials.
2. Navigate to the “Administration > Replications” page.
3. Click “New Replication Rule” to create a new rule.

4. In the resulting dialog, configure the replication rule as follows:

   • Enter a descriptive name for the rule in the “Name” field, such as kafka.
   • Set the “Replication mode” as Pull-based.
   • Set the source registry to the one created in Step 1.
   • Enter the complete path to the source image in the “Source resource filter” field. For example, to replicate the Kafka image, enter the value sys-2b0109it/MY_REGISTRY/bitnami/kafka. To replicate the complete catalog, use a wildcard pattern like sys-2b0109it/MY_REGISTRY/bitnami/**. You can also obtain this information from the “Container tags” section in the Tanzu Application Catalog interface.

   NOTE /MY_REGISTRY/ is a placeholder. Replace it with the URL of the private registry where your catalog is located.

   

   Note

   Replicating the complete Tanzu Application Catalog will take a few hours and consume more than 100 GB of disk space.

   • Enter specific tags or labels as required (optional, leave empty to replicate all tags and labels).
   • Enter a destination namespace (optional) or leave empty for the default.

   Tip Use the “Destination namespace” field in the replication rule dialog to specify different namespaces for replication. This allows different teams to use the same Tanzu Application Catalog account but have a separate registry for each project, each with its own subset of containers.

   • Set the “Trigger Mode” to Manual.

   • Tick the “Override” checkbox if you want pre-existing images with the same name in the private registry to be overwritten by fresh versions.

     The Configuration dialog box displays.

     

5. Click “Save” to save the replication rule.

Tip If you plan to synchronize images on a fixed schedule, set the “Trigger Mode” to Scheduled instead and provide a cron string to define the schedule.

The new rule should appear in the list of replication rules.

Repeat this step for every container image that you wish to replicate, modifying the source resource filter path or name as required.

Test the replication process

You can now proceed to test the replication, as follows:

1. Log in to Harbor with administrator credentials.
2. Navigate to the “Administration > Replications” page.
3. Select the rule for the container image you wish to replicate. Click “Replicate”.

4. Confirm the replication request.

   The replication process will begin. You will be able to watch the status in the “Executions” list.

   

To view the details on what was replicated, or to stop the process:

1. Click the event ID in the “Executions” list.

   The Event detail page displays.

2. Click the “Logs” icon to view a detailed log of the replication process, or click “Stop” to stop the operation.

   

Use the replicated container images

You can now begin using the replicated container images from the Harbor registry.

The following example commands demonstrate how to run the replicated Kafka container image from the local Harbor registry. Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for your Harbor registry.

$ docker login REGISTRY-ENDPOINT/bitnami/kafka
$ docker run --rm REGISTRY-ENDPOINT/bitnami/kafka

Useful links

• Harbor
• VMware Tanzu Application Catalog