For enterprise development teams, a private container registry offers a number of advantages: more granular access control, configurable vulnerability scanning and above all, a trusted and "known good" source of images. Harbor is an open source container registry which supports all of these requirements, together with an extensible API and support for multi-tenancy. It can be installed in any Kubernetes cluster with Bitnami's Harbor Helm chart, which provides an up-to-date and secure Harbor package.

Harbor can be easily configured to automatically replicate container images from the VMware Tanzu Application Catalog. This allows Tanzu Application Catalog users to consume images from their private Harbor registry (typically configured behind a firewall or in a DMZ). With this, enterprise users get all the benefits of a private registry, together with access to the latest, most secure and up-to-date container images from the Tanzu Application Catalog.

Assumptions and prerequisites

This article explains how to configure Harbor to replicate container images from the Tanzu Application Catalog. It assumes that you have administrator access to a pre-existing installation of Harbor, configured in line with existing enterprise requirements. If you don't already have Harbor, you can install it using Bitnami's Harbor Helm chart, and you can learn more about Harbor on its website.

Step 1: Configure a registry

The first step is to configure a registry to host the container images. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Registries" page.
  3. Click the "New Endpoint" button to create a new registry endpoint.
  4. In the resulting dialog, configure the registry endpoint as follows:

    • Set the "Provider" field to google-gcr.
    • Enter a name and description for the registry.
    • Set the "Endpoint URL" to https://gcr.io.
    • Enter the following in the "Access Secret" field. This secret permits read-only access to a demo catalog. If you are using a custom Tanzu Application Catalog, replace this secret with the JSON key provided to you.

      {
      "type": "service_account",
      "project_id": "sys-2b0109it",
      "private_key_id": "c9dc1e9c39fce8cc3e603ef6a9912c3bd7379f2b",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7H2jwgzFUP0f5\nTZyfzqVVQx3gyGYoqD3bC5SJLWmqeLX2NGh6lS2W9cJOayPYWa29NacGVv9rFXP4\nYT6EAtR5q7qW1GW4LrkWPZSDmuWEy+kwA22fc8y8wZXW19+QG+B7HdB55ewJnnVN\nJhPZ/3df8aAVlE2WMLow3xSHZLXpbU4qir9P3p2oqEwYjeEg70QLUTVwQmc7/qkg\nteqQptWyg3zaU77oYKs5XMPrIvIB6RlbAnBw5T3RZzcn0XJ1whMRiC8/XZG9m2AT\n+u45CBeJgh2+adZVCnoYMSHVAHh3RVpbXGP5Qz8jkYIaKRg1sm1jpIPtMhOMhEVC\nUJ7569HlAgMBAAECggEALCpQdi38213ZQsQZAtX/C2X9PBQImrGE8fmkfBEqJrh5\neCwr+bzShxYn36Llkbeu7GDotHQdsnxchCQNoZJabIJGFrn4bTWn7VIpBrvtTr/j\nILg6bD9kdCu7zjri8yxFOkHR9id4o9eQ553kYxhrKEvLJTS88EU9ePH6Mi+oyPhh\n74LepNk8GJQb09SmBjMFLoSH16U61qk9IWUlcXDICk6N+RVfQQC7o0qNI5wlK+jo\nXoiB2427EKh3ZVxyAU3S4TEIxaWDVmkctAC3VE/OVoE4xcrSdOfeb62AbgbwbDIq\nINpROlV7NpHSkjCb2INemiEiqCijQF8VGEsuxb5JGQKBgQDzBfjSdSLlXgVqRDCa\niu/4UPJEOnYijGChYARUp+II+XYT2wLRDq+bSRjFA8G/GoYdUtsq23wkWcRm2nEw\nzCJthcMlaArMI1DVUmCB9P+vHpl4KibHLyV2zjcVPmvYvOrrsbrezftqbxBdu2DP\nstCla8ubKhVY8/XptTDeq99rKQKBgQDFHUysVaxM4XyEP5enewhJ4L8zE4vjkn36\n/6qGiXdALsRcqUARO3T/96TPdvJM+02lmrwkIYFNS6uZ0XoRh+47P7+gjyokTq/1\nboTubEneeestsdO2+Eb93Bs0k6UlVYduOldWZWvovxAS9qrS17jdCD+jiFvfdPKC\nvEqJO1NEXQKBgESCO3nA0byNO8OQQ49deXasAw/e1yy4HAmCEtZ2mU7kXDgOtoWO\nuUxyV8w6WeTwqjwb/nLfeuiYcbh4/g2+jjoHylKCOQEBN6lbVp9sHKQWYTcx0sq1\n7L7INVkExsxLvYICEWb79FM1ygxSZWFHzG/FqpksTOZNp9ZhYMx08T+5AoGAHJ12\nRgZh7v9E/kXlFDEuMNtpplaOFklr9IYtET7five/FdyUKmxBPe+Lg3q3DinlScc+\nzNf4V2pGzRu15tme4gcNIJfn/EFYFf8nWR1rU9rLI2UPYR6F39CWOnm8ncDe2kep\n6ibrFWy3PqmEfvtGIQBTjL/85mGp2wTOpUFxgxkCgYEAjC+0uhwvjq1CtX07ZzWD\nAvBhgENbeMhgJH39LPwQeN6elMAZuVXOOMjdcUgBhmn+qFdtT8grTTb8aVaMv03w\npb3Ad/h9O02jju1szFauk3bRyOeLgnfbGWfxQr+wLF6QX88OOni2k7AZSsY7c2+B\nJ98NXFP/ONWBctynfAIhzRE=\n-----END PRIVATE KEY-----\n",
      "client_email": "ro-tac-demo@sys-2b0109it.iam.gserviceaccount.com",
      "client_id": "104362580895171078721",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/ro-tac-demo%40sys-2b0109it.iam.gserviceaccount.com"
      }
      

    Here is a screenshot of the configuration dialog:

    [Screenshot: Registry configuration]

  5. Click the "Test Connection" button to test the connection to the endpoint. If the test passes, click "OK" to create the registry.

The new registry should appear in the list of registries.

[Screenshot: Registry list]

TIP: If you have multiple teams accessing Harbor, you can configure a separate registry for each.

Step 2: Configure replication rules

Once the registry endpoint has been created, the next step is to configure replication between the private Harbor registry and the source catalog. Configure a separate rule for each container image that you wish to replicate.

As an example, this article will show you how to replicate the Kafka container image from the Tanzu Application Catalog to the private Harbor registry. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Click the "New Replication Rule" button to create a new rule.
  4. In the resulting dialog, configure the replication rule as follows:

    • Enter a descriptive name for the rule in the "Name" field, such as kafka.
    • Set the "Replication mode" to Pull-based.
    • Set the source registry to the one created in Step 1.
    • Enter the complete path to the source image in the "Source resource filter" field. For example, to replicate the Kafka image, enter the value sys-2b0109it/demo/bitnami/kafka. To replicate the complete catalog, use a wildcard pattern like sys-2b0109it/demo/bitnami/**. You can also obtain this information from the "Container tags" section in the Tanzu Application Catalog interface.

      [Screenshot: TAC tags]

    NOTE: Replicating the complete Tanzu Application Catalog will take a few hours and consume more than 100 GB of disk space.

    • Enter specific tags or labels as required (optional, leave empty to replicate all tags and labels).
    • Enter a destination namespace (optional) or leave empty for the default.

      TIP: Use the "Destination namespace" field in the replication rule dialog to specify different namespaces for replication. This allows different teams to use the same TAC account but have a separate registry for each project, each with its own subset of containers.

    • Set the "Trigger Mode" to Manual.

    • Tick the "Override" checkbox if you want pre-existing images with the same name in the private registry to be overwritten by fresh versions.

    Here is a screenshot of the configuration dialog:

    [Screenshot: Replication configuration]

  5. Click "Save" to save the replication rule.

TIP: If you plan to synchronize images on a fixed schedule, set the "Trigger Mode" to Scheduled instead and provide a cron string to define the schedule.

The new rule should appear in the list of replication rules.

[Screenshot: Replication rules list]

Repeat this step for every container image that you wish to replicate, modifying the source resource filter path/name as required.
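
Before saving a rule, it helps to preview which repositories a "Source resource filter" would select, since a wildcard that is one level too broad pulls in far more than intended. The following is an added example, not part of the original article or of Harbor's code. It assumes the glob semantics of Harbor's filter syntax (`*` within one path segment, `**` across segments, `?`, and `{a,b}` alternatives); the function names and the repository list are constructed for illustration.

```python
import re

def filter_to_regex(pattern):
    """Translate a resource filter into a regex (assumed Harbor glob semantics)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # '**' may cross '/' separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # '*' stays inside one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")     # exactly one non-separator character
            i += 1
        elif pattern[i] == "{":
            end = pattern.find("}", i)
            if end == -1:
                raise ValueError("unclosed '{' in filter: %r" % pattern)
            alts = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = end + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def preview(pattern, repositories):
    """Return the repositories a rule with this filter would select."""
    rx = filter_to_regex(pattern)
    return [name for name in repositories if rx.fullmatch(name)]

# Constructed repository list; only the kafka path appears in the article.
CATALOG = [
    "sys-2b0109it/demo/bitnami/kafka",
    "sys-2b0109it/demo/bitnami/kafka-exporter",
    "sys-2b0109it/demo/bitnami/redis",
    "sys-2b0109it/demo/bitnami/redis/debug",
    "sys-2b0109it/demo/other/kafka",
]

if __name__ == "__main__":
    for flt in ("sys-2b0109it/demo/bitnami/kafka",
                "sys-2b0109it/demo/bitnami/*",
                "sys-2b0109it/demo/bitnami/**"):
        print(flt, "->", preview(flt, CATALOG))
```

In this model the exact path selects only the Kafka repository, while `**` also selects nested repositories that a single `*` leaves out.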

Step 3: Test the replication process

You can now proceed to test the replication, as follows:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Select the rule for the container image you wish to replicate. Click the "Replicate" button.
  4. Confirm the replication request.

The replication process will begin. You will be able to watch the status in the "Executions" list.

[Screenshot: Replication status]

To see details of what was replicated, or to stop the process, click the event ID in the "Executions" list. This takes you to the event detail page. Click the "Logs" icon to view a detailed log of the replication process, or click the "Stop" button to stop the operation.

[Screenshot: Replication logs]

Step 4: Use the replicated container images

You can now begin using the replicated container images from the Harbor registry.

The following example commands demonstrate how to run the replicated Kafka container image from the local Harbor registry. Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for your Harbor registry.

$ docker login REGISTRY-ENDPOINT
$ docker run --rm REGISTRY-ENDPOINT/sys-2b0109it/demo/bitnami/kafka

Useful links

To learn more about the topics discussed in this guide, use the links below:
