I now have a Harbor image registry configured. How can I pull images from the Harbor registry on Kubernetes / OpenShift with a pull secret? Harbor is a CNCF certified project which aids in storage of OCI images and Helm charts. As Harbor provides an authentication system and RBAC, you'll likely have to add a pull secret for a user or robot account in your Kubernetes or OpenShift cluster.

Step 1: Login to Harbor on Workstation with docker / podman

Start by logging in to your Harbor registry from the Docker CLI or Podman CLI. If your registry is on a custom port, e.g. 5000, then your URL will look like myregistry.example.com:5000.

If your Harbor registry is not secure (plain HTTP, or a certificate your workstation does not trust), add it to the list of insecure registries.

--- Podman ---
$ sudo vim /etc/containers/registries.conf
...
[registries.insecure]
registries = ['myregistry.example.com']

--- Docker ---
$ sudo vim /etc/docker/daemon.json
{
  "insecure-registries" : ["myregistry.example.com"]
}
$ sudo systemctl restart docker
$ docker info

Docker Login:

$ docker login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!

Podman Login:

$ podman login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!

Docker will store your registry access information under ~/.docker/config.json.

$ cat ~/.docker/config.json

Podman stores them under /run/user/UserID/containers/auth.json:

$ cat /run/user/`id -u`/containers/auth.json

You may need to copy the access credentials, in JSON format, to the machine where you run the kubectl or oc command.
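
An added example (not from the original guide): the login file on a workstation can hold credentials for several registries, so this Python helper copies only the Harbor entry into the file that is passed to kubectl in Step 2. The script name, the sample config and the account names in it are constructed for illustration.

```python
import base64
import json
import os
import sys


def extract_registry_auth(config, registry):
    """Return (dockerconfigjson dict holding only `registry`, username)."""
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no login stored for {registry}")
    auth = entry.get("auth")
    if not auth:
        # With a credsStore/credHelpers setup Docker leaves this entry empty
        # and keeps the secret in the OS keychain: nothing here to copy.
        raise ValueError(f"{registry}: no inline auth (credential helper in use?)")
    user, sep, password = base64.b64decode(auth).decode().partition(":")
    if not (sep and user and password):
        raise ValueError(f"{registry}: auth is not base64 of user:password")
    return {"auths": {registry: {"auth": auth}}}, user


def write_private(path, doc):
    """Write the JSON; a newly created file gets mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)


# Constructed sample: a workstation config with two registry logins.
SAMPLE_CONFIG = {
    "auths": {
        "myregistry.example.com": {
            "auth": base64.b64encode(b"robot$puller:example-token").decode()
        },
        "quay.io": {"auth": base64.b64encode(b"alice:other-secret").decode()},
    }
}

if __name__ == "__main__":
    # Usage: python3 extract_auth.py <config.json> <registry> <out.json>
    src, registry, out = sys.argv[1:4]
    with open(src) as fh:
        doc, user = extract_registry_auth(json.load(fh), registry)
    write_private(out, doc)
    print(f"wrote {out} for {registry} (user {user})")
```

Delete the output file once the secret has been created; it contains the same credentials as the login file.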

Step 2: Add Harbor registry Secret to Kubernetes / OpenShift

Next, add the access details for the Harbor registry as a secret in Kubernetes/OpenShift.

kubectl create secret generic harbor-registry-secret \
    --from-file=.dockerconfigjson=./harbor-k8s.json \
    --type=kubernetes.io/dockerconfigjson \
    -n demo

Where:

  • ./harbor-k8s.json is the path to your Docker/Podman JSON file. Change it accordingly.
  • demo is the name of the namespace where the secret is to be created.

Confirm secret creation:

$ oc get secrets harbor-registry-secret -n demo
NAME                     TYPE                             DATA   AGE
harbor-registry-secret   kubernetes.io/dockerconfigjson   1      30s

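If you ever want to decode the stored secret to confirm its values, you can use the command below. The value is only base64-encoded, not encrypted, so anyone who can read the secret in this namespace can recover the registry credentials.

kubectl get secret harbor-registry-secret -n demo \
  --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode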

Step 3: Confirm you can deploy Application from image in Harbor registry

Upload an image to the Harbor registry. You'll first need to create a project in Harbor.

$ podman pull docker.io/jmutai/kuard-amd64:blue
$ podman tag docker.io/jmutai/kuard-amd64:blue myregistry.example.com/myproject/kuard-amd64:blue
$ podman push myregistry.example.com/myproject/kuard-amd64:blue
Getting image source signatures
Copying blob bcf2f368fe23 done
Copying blob 656e9c47289e done
Copying config 1db936caa6 done
Writing manifest to image destination
Storing signatures

Where:

  • myregistry.example.com is the Harbor registry URL
  • myproject is the project the added user has access to

Create a Pod deployment manifest for Kubernetes.

$ vim kuard-pod-health.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: kuard
spec:
  imagePullSecrets:
  - name: harbor-registry-secret
  containers:
    - name: kuard
      image: myregistry.example.com/myproject/kuard-amd64:blue
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
      resources:
        requests:
          cpu: "500m"
          memory: "128Mi"
        limits:
          cpu: "500m"
          memory: "256Mi"

Create a Pod.

$ kubectl apply -f kuard-pod-health.yaml -n <namespace>
pod/kuard created

Confirm deployment was successful.

$ kubectl get pod -n <namespace>
NAME                          READY   STATUS    RESTARTS   AGE
kuard                         1/1     Running   0          2m18s

If the pod is not created, check events to understand why.

$ kubectl describe pod <podname> -n <namespace>
