Configure your kubeconfig with the image pull secret to connect a Tanzu Kubernetes cluster to a private container registry, either the embedded Harbor Registry or an external private registry.

Each vSphere Namespace on a Supervisor Cluster has a image pull secret that you can use to connect to the embedded Harbor Registry instance. To do this, configure the image pull secret with the name of the vSphere Namespace where the target Tanzu Kubernetes cluster is provisioned or will be provisioned.


You can use this procedure to connect Tanzu Kubernetes clusters to the embedded Harbor Registry.
Note: This task assumes you are using a Linux client.


  1. Connect to the Supervisor Cluster. See Connect to the Supervisor Cluster as a vCenter Single Sign-On User.
  2. Switch context to the vSphere Namespace where the target Tanzu Kubernetes cluster is provisioned.
    kubectl config use-context vsphere-namespace
    For example:
    kubectl config use-context tkgs-cluster-ns
  3. Get the image pull secret for the vSphere Namespace and store it in a file.
    kubectl get secret -n <vsphere-namespace> <vsphere-namespace>-default-image-pull-secret -o yaml > <path>/image-pull-secret.yaml
    For example:
    kubectl get secret -n tkgs-cluster-ns tkgs-cluster-ns-default-image-pull-secret -o yaml > tanzu/image-pull-secret.yaml
  4. Open the image-pull-secret.yaml file with a text editor. Verify and make the following changes as necessary. Save and close the file when you are done.
    • OPTIONAL: Change the value for name to something meaningful, such as harbor-registry-secret or private-registry-secret.
    • REQUIRED: Change the value for namespace to match an appropriate Kubernetes namespace in the cluster, such as default.
      Note: To configure the image pull secret, you must specify a Kubernetes namespace. If the Tanzu Kubernetes cluster already exists, switch context to it and run kubectl get namespaces to list available Kubernetes namespaces. If necessary create the target namespace before proceeding. If the Tanzu Kubernetes cluster does not exist, you can use the default namespace.
    For example:
    apiVersion: v1
      .dockerconfigjson: ewoJCQkJImF1dGhzJUV2s1ZVZwWVFuWmp...
    kind: Secret
      creationTimestamp: "2020-11-12T02:41:08Z"
      - apiVersion: v1
      name: harbor-registry-secret   #Verify and change if desired
      namespace: default           #Enter an appropriate Kubernetes namespace
      - apiVersion:
      resourceVersion: "675868"
      selfLink: /api/v1/namespaces/tkgs-cluster-ns/secrets/tkgs-cluster-ns-default-image-pull-secret
      uid: 66606b41-7363-4b74-a3f2-4436f83f
  5. Create a kubeconfig file that can be used to access the Tanzu Kubernetes cluster.
    Replace <vsphere-namespace> with the name of the vSphere Namespace where the target Tanzu Kubernetes cluster is provisioned. Replace <cluster-name> with the name of the Tanzu Kubernetes cluster.
    kubectl get secret -n <vsphere-namespace> <cluster-name>-kubeconfig -o jsonpath='{.data.value}' | base64 -d > <path>/cluster-kubeconfig
    For example:
     kubectl get secret -n tkgs-cluster-ns tkgs-cluster-5-kubeconfig -o jsonpath='{.data.value}' | base64 -d > tanzu/cluster-kubeconfig
  6. Create the Registry Service secret in the Tanzu Kubernetes cluster. Reference the image pull secret file that you saved and updated locally.
    kubectl --kubeconfig=<path>/cluster-kubeconfig apply -f <path>/image-pull-secret.yaml
    For example:
    kubectl --kubeconfig=tanzu/cluster-kubeconfig apply -f tanzu/image-pull-secret.yaml
    You should see that the Registry Service secret is successfully created.
    secret/harbor-registry-secret created