Add Harbor Image Registry Pull Secret to Kubernetes / OpenShift

I now have Harbor image registry configured. How can I pull images from the Harbor registry on Kubernetes / OpenShift with a pull secret? Harbor is a CNCF certified project that stores OCI images and Helm charts. Because Harbor provides its own authentication system and RBAC, you'll likely have to add a pull secret for a user or robot account in your Kubernetes or OpenShift cluster.
Step 1: Login to Harbor on Workstation with docker / podman
Start by logging in to your Harbor registry from the Docker CLI or Podman CLI. If your registry is on a custom port, e.g. 5000, then your URL will look like myregistry.example.com:5000.
If your Harbor registry is not secure, add it to the list of insecure registries.
### Podman ###
$ sudo vim /etc/containers/registries.conf
...
[registries.insecure]
registries = ['myregistry.example.com']
### Docker ###
$ sudo vim /etc/docker/daemon.json
{
  "insecure-registries" : ["myregistry.example.com"]
}
## Restart docker
sudo systemctl restart docker
docker info
Docker Login:
$ docker login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!
Podman Login:
$ podman login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!
Docker will store your registry access information under ~/.docker/config.json.
cat ~/.docker/config.json
While Podman stores them under /run/user/UserID/containers/auth.json
cat /run/user/`id -u`/containers/auth.json
You may need to copy the access credentials in JSON format to the machine where you run the kubectl or oc command.
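An added example, not part of the original guide: config.json often holds logins for several registries, and Docker with a credential helper leaves the entry empty, so copying the whole file either leaks unrelated credentials into the cluster or produces a secret that cannot pull. This Python script keeps only the Harbor entry and saves it as the harbor-k8s.json used in Step 2; the sample config, password and function names are constructed for illustration.

```python
import base64
import json
import os

REGISTRY = "myregistry.example.com"  # registry host used on this page

# Constructed sample of ~/.docker/config.json after logging in to two registries.
SAMPLE_CONFIG = {
    "auths": {
        REGISTRY: {"auth": base64.b64encode(b"jkmutai:constructed-password").decode()},
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"other:unrelated").decode()},
    }
}


def extract_registry_auth(config, registry):
    """Return a dockerconfigjson document holding only `registry`'s credential."""
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no login recorded for {registry}")
    if not entry.get("auth"):
        # With a credential helper the file keeps an empty entry and the
        # secret lives in the OS keychain, so this file is unusable as-is.
        helper = config.get("credsStore") or config.get("credHelpers", {}).get(registry)
        raise ValueError(f"{registry}: no inline auth (credential helper: {helper})")
    user, sep, password = base64.b64decode(entry["auth"]).decode().partition(":")
    if not (user and sep and password):
        raise ValueError(f"{registry}: auth is not base64(user:password)")
    return {"auths": {registry: {"auth": entry["auth"]}}}


def write_private(path, doc):
    """Write the trimmed file and restrict it to the current user (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed


if __name__ == "__main__":
    # To use a real file, replace SAMPLE_CONFIG with the parsed contents of
    # ~/.docker/config.json or Podman's auth.json.
    trimmed = extract_registry_auth(SAMPLE_CONFIG, REGISTRY)
    write_private("harbor-k8s.json", trimmed)
    print("registries in harbor-k8s.json:", list(trimmed["auths"]))
```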
Step 2: Add Harbor registry Secret to Kubernetes / OpenShift
Next we need to add the access details for the Harbor registry as a secret in Kubernetes/OpenShift.
kubectl create secret generic harbor-registry-secret \
    --from-file=.dockerconfigjson=./harbor-k8s.json \
    --type=kubernetes.io/dockerconfigjson \
    -n demo
Where:
- ./harbor-k8s.json is the path to your Docker/Podman json file. Change it accordingly.
- demo is the name of the namespace where the secret is to be created
Confirm secret creation:
$ oc get secrets harbor-registry-secret
NAME                     TYPE                             DATA   AGE
harbor-registry-secret   kubernetes.io/dockerconfigjson   1      30s
If you ever want to decode the added secret to confirm its values (the data is base64-encoded, not encrypted), you can use the command:
kubectl get secret harbor-registry-secret --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
Step 3: Confirm you can deploy Application from image in Harbor registry
Upload an image to the Harbor registry. You'll need to first create a project in Harbor.
$ podman pull docker.io/jmutai/kuard-amd64:blue
$ podman tag docker.io/jmutai/kuard-amd64:blue myregistry.example.com/myproject/kuard-amd64:blue
$ podman push myregistry.example.com/myproject/kuard-amd64:blue
Getting image source signatures
Copying blob bcf2f368fe23 done
Copying blob 656e9c47289e done
Copying config 1db936caa6 done
Writing manifest to image destination
Storing signatures
Where:
- myregistry.example.com is the Harbor registry URL
- myproject is the project the added user has access to
Create a Pod deployment manifest for Kubernetes.
$ vim kuard-pod-health.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: kuard
spec:
  imagePullSecrets:
  - name: harbor-registry-secret
  containers:
    - name: kuard
      image: myregistry.example.com/myproject/kuard-amd64:blue
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
      resources:
        requests:
          cpu: "500m"
          memory: "128Mi"
        limits:
          cpu: "500m"
          memory: "256Mi"
Create a Pod.
$ kubectl apply -f kuard-pod-health.yaml -n <namespace>
pod/kuard created
Confirm deployment was successful.
$ kubectl get pod -n <namespace>
NAME                          READY   STATUS    RESTARTS   AGE
kuard                         1/1     Running   0          2m18s
If the pod is not created, check events to understand why.
kubectl describe pod <podname> -n <namespace>