Checkout how to install and configure Harbor as a Supervisor Service. You can then use Harbor as a registry for workloads running on Tanzu Kubernetes Grid clusters and vSphere Pods. Harbor requires Contour as ingress controller, therefore you first install the Contour Supervisor Service then you install Harbor.

Install Harbor as a Supervisor Service

You install Harbor as a Supervisor Service trough the Workload Managementt option in the vSphere Client.


  • Verify that you have upgraded to vCenter Server 8.0a or higher. Contour and Harbor Supervisor Services are supported with vCenter Server 8.0a and higher.
  • Verify that you have the Manage Supervisor Services privilege on the vCenter Server system where you add the services.
  • Install Contour as a Supervisor Service on the same Supervisor where you want to install Harbor. See Install Contour as a Supervisor Service in vSphere with Tanzu.
  • Designate and FQDN for accessing the Harbor admin UI.


  1. Go to the Harbor Versions section of the Supervisor-Services repository and download the following files:
    • The Harbor service definition, the link is named Harbor vX.X.X.. For example Harbor 2.5.3
    • The Harbor configuration file, the link named values for vX.X.X. For example values 2.5.3
    The resulting files look like this:
    • harbor.yml
    • harbor-data-values.yml
  2. In the vSphere Client go to Workload Management , and select Services.
  3. Deploy the Harbor operator by clicking Add New Service and uploading the harbor.yml service definition. .
    A window shoting the deployment of the Harbor operator
    Once the Harbor operator is deployed, it appears in the Services tab: A window showing how Harbor and Contour operators look like after they are deployed
  4. Now that the Harbor operator is deployed, you can install the Supervisor Service on the same Supervisor where Contour runs .
    1. Open the harbor-data-values.yml file and edit the properties as required.
      Property Value Description
        https: 443
      FQDN Change to the FQDN that you have designated to access the Harbor admin UI.
        tlsSecretLabels: {"managed-by": "vmware-vRegistry"}
      Note: Do not change
      This value is required for the TKG integration to work.
      harborAdminPassword: Harbor12345
      Optionally change The Harbor password that is used during installation. You can change it through the Harbor admin UI, once the service is installed.
      secretKey: 0123456789ABCDEF
      String of 16 characters The secret key used for encryption. Must be a string of 16 chars.
        password: change-it
      A secure password An initial password used for the Postgres database.
        secret: change-it
        xsrfKey: 0123456789ABCDEF0123456789ABCDEF
        replicas: 1
        secret: change-it
        secret: change-it
      Strings for the secrets and a 32 character XSRF key string Change to setup your own secrets.
            storageClass: "insert-storage-class-name-here"
            subPath: ""
            accessMode: ReadWriteOnce
            size: 10Gi
            storageClass: "insert-storage-class-name-here"
            subPath: ""
            accessMode: ReadWriteOnce
            size: 1Gi
            storageClass: "insert-storage-class-name-here"
            subPath: ""
            accessMode: ReadWriteOnce
            size: 1Gi
            storageClass: "insert-storage-class-name-here"
            subPath: ""
            accessMode: ReadWriteOnce
            size: 1Gi
            storageClass: "insert-storage-class-name-here"
            subPath: ""
            accessMode: ReadWriteOnce
            size: 5Gi
      Storage class name

      The storage policies that will be used as storage classes for provisioning PVCs , in the Harbor registry, job service, database, and so on.

      Set each of the properties to existing storage policies that are available in your environment. Change the storage policy name to a valid storage class name by replacing all the upper case letters with lower case letters as well, as replace all of "_" symbols and spaces with a dash, "-". For example, modify Harbor Storage Policy to harbor-storage-policy.

        ipFamilies: ["IPv4"]
      Note: Do not change
      IPv6 is not supported.
    2. Go back to Workload Management > Services and in the Harbor service card, select Actions > Install on Supervisors.
    3. Select the Supervisor where Contour runs and in YAML Service Config copy and paste the contents of the modified harbor-data-values.yml file.
    4. Click OK.
      Once the installation begins, you can track it by clicking the Supervisors field on the Harbor service card. It might take a few seconds until the number next to Supervisors increments. The service is in Configuring state until the desired state is reached. When the desired state is reached, the state of the service changes to Running.


You can view the vSphere Namespace and vSphere Pods created for Harbor from the Hosts and Cluster view. A view of the Harbor namespace with all the containing vSphere Pods

Map the Harbor FQDN to the Envoy Ingress IP Address

After Harbor is installed successfully, include a record of the Harbor FQDN mapping to the Envoy ingress IP address in an external DNS server that is configured with the Supervisor.

Tanzu Kubernetes Grid clusters, vSphere Pods, and the Supervisor must be able to resolve the Harbor FQDN to be able to pull images from the registry.

To locate the Envoy ingress IP address, navigate to the Contour namespace, select Network and select Services:

The screenshot shows the Envoy IP address.

Establishing Trust with the Harbor Supervisor Service

Once Harbor is installed, you must configure trust between the Supervisor and Harbor to use it as registry for vSphere Pods. Tanzu Kubernetes Grid clusters that are on the same Supervisor as Harbor have trust established with Harbor automatically. To use Harbor as a registry for Tanzu Kubernetes Grid clusters that run on different Supervisors, you must configure trust between Harbor and these Tanzu Kubernetes Grid clusters.

Establish Trust Between Harbor and Supervisor

To establish trust between Harbor and the Supervisor:
  1. Extract the Harbor CA from the Harbor UI or by using the TLS secret on the Supervisor control plane. You can get the Harbor ca.cert in the Harbor admin UI at Administration > Configuration > Registry Root Certificate > Download.
  2. Add the Harbor CA to the image-fetcher-ca-bundle ConfigMap in the kube-system namespace. You must be logged in with a vCenter Single Sign-on administrative account and have permission to edit the image-fetcher-ca-bundle.
    1. Configure the KUBE_EDITOR environment variable as described here:
    2. Edit the ConfigMap using the following command:
      kubectl edit configmap image-fetcher-ca-bundle -n kube-system
    3. Append the contents of the Harbor ca.cert file to the ConfigMap beneath the existing Supervisor certificate. Make sure not to change the Supervisor certificate.
      apiVersion: v1
        ca-bundle: |-
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----    
      kind: ConfigMap
        creationTimestamp: "2023-03-15T14:28:34Z"
        name: image-fetcher-ca-bundle
        namespace: kube-system
        resourceVersion: "713"
        uid: 6b7611a0-25fa-40f7-b4f5-e2a13bd0afe3
    4. Save the edits made to the file. As a result kubectl reports:
      configmap/image-fetcher-ca-bundle edited

Establishing Trust Between Harbor and Tanzu Kubernetes Grid Cluster Running on Different Supervisors than Harbor

Tanzu Kubernetes Grid clusters running on Supervisors different than the one where Harbor is installed must have network connectivity with Harbor. These Tanzu Kubernetes Grid clusters must be able to resolve the Harbor FQDN.

To establish trust between Harbor and the Tanzu Kubernetes Grid clusters, extract the Harbor CA from the Harbor UI or by using the TLS secret on the Supervisor control plane, then follow the steps listed at Integrate a TKG 2 Cluster with a Private Container Registry.