As a cloud administrator, by setting up replication from an Internet-connected Harbor instance to a Harbor instance that has no Internet connectivity, you can pull images from different container registries, such as NVIDIA NGC, without making your private AI infrastructure vulnerable.

Prerequisites

Verify that the following prerequisites are in place:
  • A working Harbor instance that has access to the Internet. This Harbor instance can be running as a Supervisor Service or as a standalone Harbor instance.

  • A working Harbor instance running as a Supervisor Service to serve as the disconnected instance.

  • Both Harbor instances must be able to reach each other over the network on ports 443 and 80. Notary enablement is not supported.

Procedure

  1. Log in to the Internet-connected Harbor instance as a system administrator.
  2. On the Projects page, click New Project.
  3. In the New Project dialog box, enter a project name, activate Proxy Cache, and click OK.
  4. Navigate to the Administration > Registries page.
  5. Add the NVIDIA NGC container registry.
    1. Click New Endpoint and fill in the following information.
      Setting            | Value
      Provider           | Docker Registry
      Name               | NGC Registry
      Endpoint URL       | https://nvcr.io
      Access ID          | $oauthtoken
      Access Secret      | Your NVIDIA NGC API key
      Verify Remote Cert | Selected
    2. Test the connection and click OK.
  6. Create a second endpoint on the same Internet-facing Harbor instance to add the target disconnected Harbor instance.
    1. Click New Endpoint and provide the following information.
      Setting            | Value
      Provider           | Harbor
      Name               | Disconnected Harbor
      Endpoint URL       | FQDN of the remote Harbor instance
      Access ID          | Local user account or AD credentials
      Access Secret      | Password for the access ID
      Verify Remote Cert | Deselected for self-signed certificates. Otherwise, selected.
    2. Test the connection and click OK.
  7. Navigate to the Administration > Replications page.
  8. Click New Replication Rule, provide the following information and click Save.
    Setting                | Value
    Name                   | A name and description for the replication rule
    Replication mode       | Push-based
    Source resource filter | Any desired filters such as tags
    Destination registry   | Registry that you created in step 6.
    Destination            | Name of the namespace in which to replicate resources. If you do not enter a namespace, resources are placed in the same namespace as in the source registry.
    Trigger mode           | How and when to run the rule
    Bandwidth              | Network bandwidth for each execution of the replication rule if required
  9. On the machine running the Docker client, to verify the images are available on both the Internet-connected and the disconnected Harbor instances, log in to each registry and run the docker image list command.
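
A digest comparison for step 9, as an added example that is not part of the original procedure or of Harbor's own tooling: it asks both registries for each tag's manifest digest over the Docker Registry HTTP API v2 and reports tags that are missing or differ on the disconnected instance. It assumes both instances accept basic authentication on /v2 and that the replication rule kept the source namespace; the function names are illustrative.

```python
import base64
import ssl
import urllib.error
import urllib.request

# Include index/list media types so a multi-arch tag resolves to the manifest the registry stores.
ACCEPT = ", ".join([
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])


def manifest_digest(host, repo, tag, user, password, ca_file=None):
    """Return the Docker-Content-Digest for repo:tag on host, or None if the tag is absent (404)."""
    req = urllib.request.Request(f"https://{host}/v2/{repo}/manifests/{tag}", method="HEAD")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")  # assumption: basic auth is accepted on /v2
    req.add_header("Accept", ACCEPT)
    # A self-signed or private-CA certificate is trusted through ca_file; verification stays on.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.headers.get("Docker-Content-Digest")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def verify_replication(images, source, dest, fetch=manifest_digest):
    """Compare each (repo, tag) on both registries; source/dest are dicts of fetch() arguments."""
    report = {"ok": [], "missing": [], "mismatch": []}
    for repo, tag in images:
        want = fetch(repo=repo, tag=tag, **source)
        got = fetch(repo=repo, tag=tag, **dest)
        ref = f"{repo}:{tag}"
        if want is None:
            raise LookupError(f"{ref} not found on source registry")
        if got is None:
            report["missing"].append(ref)      # not replicated yet, or filtered out by the rule
        elif got != want:
            report["mismatch"].append(ref)     # same tag, different content: investigate
        else:
            report["ok"].append(ref)
    return report
```

Pass each registry as a dict with `host`, `user`, `password` and, for a private CA, `ca_file`; any entry under `mismatch` means the tag on the disconnected instance does not point at the content the connected instance holds.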