You can use an external container registry with TKG cluster pods.

Private Container Registry Use Case

Container registries provide a critical function for Kubernetes deployments, serving as a centralized repository for storing and sharing container images. The most commonly used public container registry is Docker Hub. There are many private container registry offerings. VMware Harbor is an open-source, cloud native, private container registry that ships with Supervisor.

Private Container Registry Configuration

To use a private registry with a TKG cluster, configure the TKG cluster to trust the self-signed certificate (or certificates) that the registry uses to serve content over HTTPS. In the cluster spec, include a trust section that contains the additionalTrustedCAs field. You can list any number of self-signed certificates that the TKG cluster should trust. This lets you define a list of certificates in one place and update those certificates when they need rotation.

Trust Fields for Private Container Registry Certificates

Add a certificate entry (the double base64-encoded string of a PEM-encoded public certificate; see the note below) to the additionalTrustedCAs section in the TKG cluster spec.

Table 1. Trust Fields for Private Registries

Field                  Description
trust                  Section marker. Accepts no data.
additionalTrustedCAs   Section marker. Contains an array of certificates, each with a name and a data field.
name                   The name of the TLS certificate.
data                   The double base64-encoded string of a PEM-encoded public certificate (the PEM itself is plain text).

Note: Double base64-encoding is required. If the contents of the data map value are not double base64-encoded, the resulting PEM file cannot be processed.

v1alpha3 API Example

The following example demonstrates how to create a TKG 2 cluster with a private registry certificate. Refer to the v1alpha3 Example: TKC with Custom Network for the complete specification.
Note: To edit an existing cluster and add the private registry certificate fields, use the kubectl edit method as described here: Configure a Text Editor for Kubectl.
apiVersion: run.tanzu.vmware.com/v1alpha3
kind: TanzuKubernetesCluster
metadata:
  name: tkg2-private-registry
  namespace: tkg2-cluster-ns
spec:
  topology:
    controlPlane:
      ...
    nodePools:
    - name: worker
      ...
  settings:
    network:
      ...
      trust:
        additionalTrustedCAs:
          - name: CompanyInternalCA-1
            data: LS0tLS1C...LS0tCg==
          - name: CompanyInternalCA-2
            data: MTLtMT1C...MT0tPg==

v1beta1 API Example

The following example demonstrates how to create a TKG cluster with a private registry certificate using the v1beta1 API. Refer to the trust variable description in the Cluster v1beta1 API specification.
Note: To edit an existing cluster and add the private registry certificate fields, use the kubectl edit method as described here: Configure a Text Editor for Kubectl.
spec:
  clusterNetwork:
    pods:
      ...
    serviceDomain: 
    services:
      ...
  topology:
    class: tanzukubernetescluster
    controlPlane:
      ...
    variables:
    - name: storageClass
      value: tkg2-storage-profile
    - name: trust
      value:
        additionalTrustedCAs:
        - name: additional-ca-1

Managing Private Container Registry Certificates

To rotate a certificate, the VI Admin or DevOps Engineer changes the contents of the certificate in the TKG cluster specification and applies that configuration to trigger a rolling update of the cluster.

To remove a certificate from the list of certificates, delete it and apply the updated spec, triggering a rolling update.