Harbor Registry

Using a Harbor registry, you can host container images in a local, private Docker registry. Harbor is an extension of the basic Docker registry that implements access controls, identity management, and a graphical interface. Using imagePullSecrets, Kubernetes resources can connect to a Harbor Registry to retrieve container images on other systems.

This chapter contains the following topic:

Using Harbor Registry in Tenant Clusters

Follow these steps to create a new tenant cluster with access to the Harbor registry:

Procedure


Step 1

Obtain the Ingress Root CA Certificate from the Kubernetes UI in one of the following ways:

  • Follow the steps in the Ingress CA section.

  • Run the following command on the tenant cluster where Harbor registry is installed.

    kubectl get secrets -n ccp ccp-ingress-default-cert -o jsonpath='{.data.tls\.crt}' | base64 --decode
    
You can view the Harbor endpoint at https://<LOAD_BALANCER_IP>:443 of the cluster where it is installed.

Step 2

Create a new tenant cluster.

For more information, see Creating Clusters on vSphere.

Step 3

In the Node Configuration screen, copy and paste the Root CA certificate obtained in Step 1.

Adding CA certificates to the Root CA is the only supported method of enabling secure registries in Cisco Container Platform tenant clusters.
Note
Do not enable Harbor in the Harbor Registry screen.

Step 4

Get the admin password of Harbor registry.

The admin password of Harbor registry is randomly generated by the Harbor operator and stored in a Kubernetes secret.

Run the following command on the master node of the tenant cluster to get the admin password of the Harbor registry from the Kubernetes secret.

    kubectl get secret ccp-harbor-cr -n=ccp -o jsonpath='{.data.admin-password}' | base64 -d

Note
We recommend that you change the admin password of the Harbor registry after logging in to the Harbor GUI for the first time.

Step 5

After the tenant cluster is created, open an SSH connection to one of the VMs in the cluster and log in to the Harbor registry with the admin password from Step 4.

    docker login -u admin -p ***** https://<LOAD_BALANCER_IP>:443
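
A password given with -p, as in the command above, is recorded in shell history and is visible in the process list while docker runs. The following added example (not part of the original guide) reads the password from standard input and passes it to docker login through --password-stdin; harbor_login is a hypothetical helper name.

```shell
# Added example, not from the original guide; harbor_login is a hypothetical helper.
# Usage: harbor_login <LOAD_BALANCER_IP> [user]
# The password comes from stdin: typed at a prompt, or piped in as the first line.
harbor_login() (   # body runs in a subshell so $pw never reaches the caller's shell
    endpoint="https://${1:?usage: harbor_login <LOAD_BALANCER_IP> [user]}:443"
    user="${2:-admin}"
    pw=""

    if [ -t 0 ]; then
        # Interactive: turn terminal echo off while typing, restore it afterwards.
        printf 'Harbor password for %s: ' "$user" >&2
        trap 'stty echo; exit 130' INT
        stty -echo
        IFS= read -r pw || :
        stty echo
        trap - INT
        printf '\n' >&2
    else
        IFS= read -r pw || :      # a missing trailing newline is not fatal
    fi

    if [ -z "$pw" ]; then
        echo "harbor_login: empty password, registry not contacted" >&2
        exit 1                    # leaves only the subshell
    fi

    # --password-stdin keeps the secret out of argv, so it is absent from
    # shell history and from `ps` output while docker runs.
    printf '%s' "$pw" | docker login -u "$user" --password-stdin "$endpoint"
)
```

Run harbor_login <LOAD_BALANCER_IP> on the VM and type the password from Step 4 at the prompt.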

Using Harbor Chartmuseum in Tenant Clusters

You can configure tenant clusters to pull and push helm charts from and to a Harbor chartmuseum on a tenant.

Procedure


Step 1

Add the helm repository to the tenant that you want to use for accessing the Chartmuseum:

  1. Obtain the Ingress Root CA Certificate (ca-file), TLS Certificate (cert-file), and TLS Key (key-file) from the Kubernetes dashboard in one of the following ways:

    • Use the steps in the Ingress CA section.

    • Alternatively, on the tenant cluster where Harbor registry is installed, run the following commands:

         kubectl get secrets -n ccp ccp-ingress-default-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode
         kubectl get secrets -n ccp ccp-ingress-default-cert -o jsonpath='{.data.tls\.crt}' | base64 --decode
         kubectl get secrets -n ccp ccp-ingress-default-cert -o jsonpath='{.data.tls\.key}' | base64 --decode
      
  2. Save the ca-file, cert-file, and key-file files on your computer.

  3. Add the helm repository.

     helm repo add --ca-file <ca file> --cert-file <cert file> --key-file <key file> --username <username> --password <password> <repo name> https://<LOAD_BALANCER_IP_OF_HARBOR_TENANT>/chartrepo/<library_name> 
    
    Note 
    • For ca-file, cert-file, and key-file, use the output from Step 1.

    • For username and password, use the same credentials that you use to access the Harbor registry.

    • For repo-name, use the name of the helm repository that you have chosen.

    • For library_name, use the name of the project as displayed on the Harbor UI. The default project name is library.

  4. Verify that the helm repository was added successfully.

    helm repo list

Step 2

If you want to use the CLI to upload or download helm charts, follow these steps:

  1. To push a helm chart to the Chartmuseum helm repository:

    Run the following command on the tenant cluster from where you want to upload the helm chart.
          helm push <chart name>.tgz --ca-file <ca file> --cert-file <cert file> --key-file <key file> --username <username> --password <password> <repo name>
    
  2. To pull a helm chart from the Chartmuseum helm repository:

    Run the following command on the tenant cluster from where you want to download and install the helm chart:
          helm repo update
          helm install <helm-release-name> --ca-file <ca file> --cert-file <cert file> --key-file <key file> --username=<username> --password=<password> --version <chart version> <repo name>/<chart name>
    
Step 3

If you want to use the Harbor endpoint to upload, view, or download helm charts, follow these steps:

  1. In the left pane of the Harbor UI, click Projects, and then click on your project name.

    Note 
    The default project name is Library.

  2. Click the Helm Charts tab.

  3. To push the helm chart to the Harbor endpoint, click UPLOAD.

  4. To view the available helm charts, click an existing chart name, and then click on the version of the chart that you want to view.

  5. To pull the helm chart from a Harbor endpoint, click DOWNLOAD.

You can scroll down to the end of the page for instructions on helm add and helm install.
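
In Step 1 of this procedure, the tls.key value is the ingress private key, so the saved key-file should be readable only by the user who runs helm. The following added example (not part of the original guide) writes the three secret fields to files with owner-only permissions and rejects a field that is missing or is not PEM; save_ingress_tls and the output directory are hypothetical names.

```shell
# Added example, not from the original guide; save_ingress_tls is a hypothetical helper.
# Usage: save_ingress_tls <outdir>
# Writes ca.crt, tls.crt and tls.key from the ccp-ingress-default-cert secret.
save_ingress_tls() (   # subshell body: the umask change does not leak to the caller
    outdir="${1:?usage: save_ingress_tls <outdir>}"
    umask 077                          # files are created 0600, directories 0700
    mkdir -p "$outdir"
    chmod 700 "$outdir"                # tighten a directory that already existed

    for key in ca.crt tls.crt tls.key; do
        # Escape the dot so jsonpath reads "tls.key" as one field name.
        field=$(printf '%s' "$key" | sed 's/\./\\./')
        tmpf="$outdir/.$key.tmp"
        kubectl get secrets -n ccp ccp-ingress-default-cert \
            -o "jsonpath={.data.$field}" | base64 --decode > "$tmpf" || :

        # A missing field or a failed kubectl call leaves an empty file; only
        # accept output that starts with a PEM header.
        if ! head -n 1 "$tmpf" | grep -q '^-----BEGIN '; then
            echo "save_ingress_tls: $key is missing or not PEM" >&2
            rm -f "$tmpf"
            exit 1                     # leaves only the subshell
        fi
        mv -f "$tmpf" "$outdir/$key"
    done
)
```

The resulting files map to the helm options as ca.crt for --ca-file, tls.crt for --cert-file, and tls.key for --key-file.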