Add Harbor Image Registry Pull Secret to Kubernetes / OpenShift

Posted on 135 views

I now have Harbor image registry configured.. How can I pull images from Harbor registry on Kubernetes / OpenShift with a pull secret?. Harbor is a CNCF certified project which aids in storage of OCI images and Helm charts. As Harbor provides authentication system and RBAC, you’ll likely have to add a pull secret for a user or robot account in your Kubernetes or OpenShift Cluster.

Step 1: Login to Harbor on Workstation with docker / podman

Start by logging in to your Harbor registry from Docker CLI or Podman CLI. If your registry is on a custom port, e.g 5000, then your URL will be like myregistry.example.com:5000.

If your Harbor registry is not secure. Add it to the list of insecure registries.

--- Podman ---
$ sudo vim /etc/containers/registries.conf
...
[registries.insecure]
registries = ['myregistry.example.com']

--- Docker ---
$ sudo vim /etc/docker/daemon.json

  "insecure-registries" : ["myregistry.example.com"]

$ sudo systemctl restart docker
$ docker info

Docker Login:

$ docker login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!

Podman Login:

$ docker login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!

Docker will store your registry access information under ~/.docker/config.json.

$ cat ~/.docker/config.json

While Podman stores then under /run/user/UserID/containers/auth.json

$ cat /run/user/`id -u`/containers/auth.json

You may need to copy the access credentials in json format to the server with kubectl or oc command.

Step 2: Add Harbor registry Secret to Kubernetes / OpenShift

Next we need to add the access details for Harbor registry as secret in Kubernetes/OpenShift.

kubectl create secret generic harbor-registry-secret \
    --from-file=.dockerconfigjson=./harbor-k8s.json \
    --type=kubernetes.io/dockerconfigjson \
    -n demo

Where:

  • ./harbor-k8s.json is the path to your Docker/Podman json file. Change it accordingly.
  • demo is the name of the namespace where the secret is to be created

Confirm secret creation:

$ oc get secrets harbor-registry-secret
NAME                     TYPE                             DATA   AGE
harbor-registry-secret   kubernetes.io/dockerconfigjson   1      30s

If you ever want to decrypt added secret to confirm values, you can use the command:

kubectl get secret harbor-registry-secret \
  --output="jsonpath=.data.\.dockerconfigjson" | base64 --decode

Step 3: Confirm you can deploy Application from image in Harbor registry

Upload an image to Harbor registry – You’ll need to first create a project in harbor.

$ podman pull docker.io/jmutai/kuard-amd64:blue
$ podman tag docker.io/jmutai/kuard-amd64:blue myregistry.example.com/myproject/kuard-amd64:blue
$ docker push myregistry.example.com/myproject/kuard-amd64:blue
Getting image source signatures
Copying blob bcf2f368fe23 done
Copying blob 656e9c47289e done
Copying config 1db936caa6 done
Writing manifest to image destination
Storing signatures

Where:

  • myregistry.example.com is harbor registry URL
  • myproject is the project the added user has access to

Create a Pod deployment manifest for Kubernetes.

$ vim kuard-pod-health.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: kuard
spec:
  imagePullSecrets:
  - name: harbor-registry-secret
  containers:
    - name: kuard
      image: myregistry.example.com/myproject/kuard-amd64:blue
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
      resources:
        requests:
          cpu: "500m"
          memory: "128Mi"
        limits:
          cpu: "500m"
          memory: "256Mi"

Create a Pod.

$ kubectl apply -f kuard-pod-health.yaml -n 
pod/kuard created

Confirm deployment was successful.

$ kubectl get pod -n 
NAME                          READY   STATUS    RESTARTS   AGE
kuard                         1/1     Running   0          2m18s

If the pod is not created, check events to understand why.

$ kubectl describe pod  
coffee

Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.