You can use the embedded Harbor Registry to serve as the private container registry for images that you deploy to Tanzu Kubernetes clusters provisioned by the Tanzu Kubernetes Grid Service.

vSphere with Tanzu embeds a Harbor Registry instance that you can enable on the Supervisor Cluster and use to deploy container-based workloads to Tanzu Kubernetes clusters.

Once the embedded Harbor Registry is enabled on the Supervisor Cluster, the Tanzu Kubernetes Grid Service installs the root CA certificate for the registry instance on the Tanzu Kubernetes cluster nodes. This certificate is installed on both new clusters and existing clusters (by way of a reconciliation loop). From there you can run images on the cluster by specifying the private registry in the workload YAML.

Private Registry Workflow for Tanzu Kubernetes Clusters

Use the following workflow to securely access the private registry from Tanzu Kubernetes cluster nodes and pull container images.

| Step | Action | Instructions |
|------|--------|--------------|
| 1 | Enable the embedded Harbor Registry on the Supervisor Cluster. | Enable the Embedded Harbor Registry on the Supervisor Cluster |
| 2 | Configure the kubeconfig for each cluster with the Registry Service Secret. | Configure a Tanzu Kubernetes Cluster with the Image Pull Secret for the Embedded Harbor Registry |
| 3 | Configure the workload YAML to specify the private container registry. | Configure a Tanzu Kubernetes Cluster with the Image Pull Secret for the Embedded Harbor Registry |

Note: To push images to the embedded Harbor Registry, configure a Docker client and install the vSphere Docker Credential Helper. For guidance, see Configure a Docker Client with the Embedded Harbor Registry Certificate and Push Images to the Embedded Harbor Registry.
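One way to check the result of step 3 before deploying, as an added example that is not VMware's code: a lint function that confirms every container image in a workload manifest comes from the private registry and that the pod references an image pull secret. The registry address `harbor.example.internal`, the secret name and all function names are assumptions, and the manifests are constructed samples already parsed from YAML.

```python
"""Added example: lint workload manifests for private-registry use."""

REGISTRY = "harbor.example.internal"  # constructed placeholder for the embedded Harbor address


def image_registry(image):
    """Return the registry host of an image reference (Docker's defaulting rule)."""
    first, sep, _ = image.partition("/")
    # The first component is a registry only if it looks like a host name.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def pod_spec(manifest):
    """Locate the pod spec in a Pod, a CronJob, or a templated workload."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def check_workload(manifest, registry=REGISTRY):
    """Return a list of findings; an empty list means the manifest passes."""
    spec = pod_spec(manifest)
    findings = []
    for group in ("initContainers", "containers"):
        for c in spec.get(group, []):
            host = image_registry(c.get("image", ""))
            if host != registry.lower():
                findings.append(f"{c.get('name')}: image pulled from {host}, not {registry}")
    # Assumption: the pull secret is referenced on the pod, not via a service account.
    if not spec.get("imagePullSecrets"):
        findings.append("no imagePullSecrets on the pod spec")
    return findings


# Constructed sample manifests, already parsed from YAML into dicts.
GOOD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "imagePullSecrets": [{"name": "registry-pull-secret"}],
    "containers": [{"name": "web", "image": REGISTRY + "/demo-ns/web:1.4"}]}}}}
BAD = {"kind": "Pod", "spec": {
    "containers": [{"name": "web", "image": "nginx:latest"},
                   {"name": "sidecar", "image": REGISTRY + "/demo-ns/proxy:2"}]}}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_workload(m) or "ok")
```

An image reference without a host component, such as `nginx:latest`, resolves to Docker Hub, which is why the check reports it even though no registry is named in the manifest.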