Harbor is an open source container registry which is often used as a private source of images for development and production use cases. Some of its key features include configurable vulnerability scanning, fine-grained access control and an extensible API.

Harbor can be easily configured to automatically replicate container images from the VMware Tanzu Application Catalog for Tanzu Advanced. This enables Tanzu Advanced users to access up-to-date, "known good" Tanzu Application Catalog container images and Helm charts with all the security and access control benefits that come with a private registry hosted behind an enterprise firewall.

Assumptions and prerequisites

This article explains how to configure Harbor to replicate container images and Helm charts from the Tanzu Application Catalog for Tanzu Advanced. It assumes that:

    • You have administrator access to a pre-existing installation of Harbor, configured in line with existing enterprise requirements. If you don't already have Harbor, you can install it using Bitnami's Harbor Helm chart, and you can learn more about Harbor on its website.
    • You have credentials (consisting of a username and token) for the Tanzu Application Catalog registry.

Step 1: Configure a registry

The first step is to configure a registry to host the container images. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Registries" page.
  3. Click the "New Endpoint" button to create a new registry endpoint.
  4. In the resulting dialog, configure the registry endpoint as follows:

    • Set the "Provider" field to Docker Registry.
    • Enter a name and description for the registry.
    • Set the "Endpoint URL" to https://registry.pivotal.io.
    • Enter your Tanzu Application Catalog for Tanzu Advanced username and token in the "Access ID" and "Access Secret" fields respectively.

    [Screenshot: Registry configuration dialog]

  5. Click the "Test Connection" button to test the connection to the endpoint. If the test passes, click "OK" to create the registry.

The new registry should appear in the list of registries.

[Screenshot: Registry list]

Step 2: Configure replication rules

Once the private Harbor registry has been created, the next step is to configure replication between this registry and the source catalog. You must configure a separate rule for each container image and Helm chart that you wish to replicate.

Configure replication rules for container images

As an example, this article will show you how to replicate the MySQL container image from the Tanzu Application Catalog for Tanzu Advanced to the private Harbor registry. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Click the "New Replication Rule" button to create a new rule.
  4. In the resulting dialog, configure the replication rule as follows:

    • Enter a descriptive name for the rule in the "Name" field, such as mysql-container.
    • Set the "Replication mode" to Pull-based.
    • Set the source registry to the one created in Step 1.
    • Enter the complete path to the source image in the "Source resource filter" field. For example, to replicate the MySQL image, enter the value tac-for-tanzu-advanced/containers/mysql. You can obtain the path from the container's detail page (in the "Digest" section) in the Tanzu Application Catalog interface.

      [Screenshot: TAC tags]

    • Enter specific tags or labels as required (optional, enter ** to replicate all tags and labels).

    • Set the destination namespace to tac-for-tanzu-advanced/containers/.
    • Set the "Trigger Mode" to Manual.
    • Tick the "Override" checkbox if you want pre-existing images with the same name in the private registry to be overwritten by fresh versions.

    NOTE: It is extremely important to set the destination namespace only to the value tac-for-tanzu-advanced/containers/, so that container references in Helm charts are correctly followed.

    [Screenshot: Replication configuration dialog]

  5. Click "Save" to save the replication rule.

TIP: If you plan to synchronize images on a fixed schedule, set the "Trigger Mode" to Scheduled instead and provide a cron string to define the schedule.

The new rule should appear in the list of replication rules.

[Screenshot: Replication rules list]

Repeat this step for every container image that you wish to replicate, modifying the source resource filter path/name as required.

Configure replication rules for Helm charts

Configuring replication rules for Helm charts is similar, except that the source filter and destination namespace change slightly. As an example, this article will show you how to replicate the MySQL Helm chart from the Tanzu Application Catalog for Tanzu Advanced to the private Harbor registry. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Click the "New Replication Rule" button to create a new rule.
  4. In the resulting dialog, configure the replication rule as follows:

    • Enter a descriptive name for the rule in the "Name" field, such as mysql-chart.
    • Set the "Replication mode" to Pull-based.
    • Set the source registry to the one created in Step 1.
    • Enter the complete path to the source chart in the "Source resource filter" field. For example, to replicate the MySQL Helm chart, enter the value tac-for-tanzu-advanced/charts/mysql. You can obtain the path from the chart's detail page in the Tanzu Application Catalog interface.

      [Screenshot: TAC path]

    • Enter specific tags or labels as required (optional, enter ** to replicate all tags and labels).

    • Set the destination namespace to tac-for-tanzu-advanced/charts/.
    • Set the "Trigger Mode" to Manual.
    • Tick the "Override" checkbox if you want pre-existing charts with the same name in the private registry to be overwritten by fresh versions.

    NOTE: It is extremely important to set the destination namespace only to the value tac-for-tanzu-advanced/charts/.

    [Screenshot: Replication configuration dialog]

  5. Click "Save" to save the replication rule.

The new rule should appear in the list of replication rules.

[Screenshot: Replication rules list]

Repeat this step for every Helm chart that you wish to replicate, modifying the source resource filter path/name as required.

Step 3: Test the replication process

You can now proceed to test the replication for container images, as follows:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Select the rule for the container image you wish to replicate - in this case, the mysql-container rule. Click the "Replicate" button.
  4. Confirm the replication request.

The replication process will begin. You will be able to watch the status in the "Executions" list.

[Screenshot: Replication status]

To see details on what was replicated, or to stop the process, click the event ID in the "Executions" list. This will transfer you to the event detail page. Click the "Logs" icon to view a detailed log of the replication process, or click the "Stop" button to stop the operation.

[Screenshot: Replication logs]

Follow the same procedure to replicate Helm charts or other container images.

Step 4: Use the replicated container images and Helm charts

You can now begin using the replicated container images and Helm charts from the Harbor registry.

Use container images

The following example commands demonstrate how to run the replicated MySQL container image from the local Harbor registry. Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for your Harbor registry.

$ docker login REGISTRY-ENDPOINT/tac-for-tanzu-advanced/containers
$ docker run --rm REGISTRY-ENDPOINT/tac-for-tanzu-advanced/containers/mysql

Use Helm charts

Before deploying a Helm chart replicated from the Tanzu Application Catalog for Tanzu Advanced registry to your local Harbor registry, it is necessary to create a Kubernetes ImagePullSecret for the local Harbor registry. This secret may be set globally or in your namespace.

Here is an example of how to create an ImagePullSecret. Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for the Harbor registry and the USERNAME and TOKEN placeholders with the credentials for the Harbor registry.

$ export your_registry=REGISTRY-ENDPOINT
$ kubectl create secret docker-registry mysecret \
  --docker-server ${your_registry}/tac-for-tanzu-advanced \
  --docker-username "USERNAME" \
  --docker-password "TOKEN"

Charts can then be deployed either by adding the global.imagePullSecrets[0]=SECRET-NAME parameter to each Helm deployment command, or by configuring the ImagePullSecret globally.

Here is an example of how to deploy the replicated Tanzu Application Catalog Helm chart for MySQL using the ImagePullSecret created earlier:

$ export HELM_EXPERIMENTAL_OCI=1
$ helm registry login ${your_registry}/tac-for-tanzu-advanced/charts
$ helm chart pull ${your_registry}/tac-for-tanzu-advanced/charts/mysql:8.2.1
$ helm chart export ${your_registry}/tac-for-tanzu-advanced/charts/mysql:8.2.1
$ helm install mysql/ --generate-name --set "global.imagePullSecrets[0]=mysecret" --set global.imageRegistry=${your_registry}

NOTE: By default, the replicated Helm charts include references to the default Tanzu Application Catalog for Tanzu Advanced registry endpoint (registry.pivotal.io). When using the charts from a local Harbor registry, it is necessary to override these default references with the endpoint for the local Harbor registry. The global.imageRegistry parameter in the commands shown above takes care of this requirement.
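One way to confirm that the global.imageRegistry override reached every image before installing, as an added example that is not part of the original article: the function below reads rendered manifests on stdin (for instance the output of helm template for the exported chart) and lists each image reference that does not start with the local Harbor endpoint. The function names, the harbor.example.internal endpoint and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: list image references in rendered Kubernetes manifests
# (read from stdin) that are not served by the expected private registry.
# Prints one offending reference per line; returns 1 if any were found.
images_outside_registry() {
  expected=$1   # registry host, e.g. harbor.example.internal (hypothetical)
  tr -d "\"'" | awk -v reg="$expected" '
    # Match "image: ref" and "- image: ref", but not imagePullPolicy etc.
    /^[ \t]*(-[ \t]+)?image:[ \t]/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)   # drop a trailing YAML comment
      sub(/[ \t]+$/, "", ref)      # drop trailing whitespace
      # Require "host/" as the prefix so a look-alike host that merely
      # starts with the same string is still reported.
      if (index(ref, reg "/") != 1) { print ref; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample of rendered output; image names and tags are made up.
sample_manifest() {
  cat <<'EOF'
kind: StatefulSet
spec:
  template:
    spec:
      imagePullSecrets:
        - name: mysecret
      initContainers:
        - name: init
          image: registry.pivotal.io/tac-for-tanzu-advanced/containers/sidecar:1.0
          imagePullPolicy: "Always"
      containers:
        - name: mysql
          image: "harbor.example.internal/tac-for-tanzu-advanced/containers/mysql:8.0"
        - name: metrics
          image: harbor.example.internal.other.test/tac-for-tanzu-advanced/containers/mysql:8.0
EOF
}

# Demo: prints the two references that bypass the local registry.
sample_manifest | images_outside_registry harbor.example.internal ||
  echo "^ not served by harbor.example.internal" >&2
```

A non-zero return means at least one container would still be pulled from a registry other than the local Harbor instance, typically because a template or subchart does not honour global.imageRegistry.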

Useful links

To learn more about the topics discussed in this guide, use the links below:
