I now have a Harbor image registry configured. How can I pull images from the Harbor registry on Kubernetes / OpenShift with a pull secret? Harbor is a CNCF certified project which provides storage for OCI images and Helm charts. As Harbor provides an authentication system and RBAC, you'll likely have to add a pull secret for a user or robot account in your Kubernetes or OpenShift cluster.
Step 1: Login to Harbor on Workstation with docker / podman
Start by logging in to your Harbor registry from the Docker CLI or the Podman CLI. If your registry is on a custom port, e.g. 5000, then your URL will be like myregistry.example.com:5000. Use the same host:port string everywhere (login, image tags and the pull secret), because the kubelet looks up credentials by the exact registry host in the image reference.
If your Harbor registry does not present a trusted TLS certificate (plain HTTP or a self-signed certificate), add it to the list of insecure registries.
### Podman ###
$ sudo vim /etc/containers/registries.conf
...
[registries.insecure]
registries = ['myregistry.example.com']
### Docker ###
$ sudo vim /etc/docker/daemon.json
{
"insecure-registries" : ["myregistry.example.com"]
}
## Restart docker
sudo systemctl restart docker
docker info
Docker Login:
$ docker login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!
Podman Login:
$ podman login myregistry.example.com
Username: jkmutai
Password:
Login Succeeded!
Docker will store your registry access information under ~/.docker/config.json.
cat ~/.docker/config.json
Podman stores them under /run/user/<UID>/containers/auth.json (UID being your numeric user id):
cat /run/user/`id -u`/containers/auth.json
You may need to copy these access credentials in JSON format to the machine where you run the kubectl or oc command. Note that the file holds the credentials for every registry you have logged in to, so keep only the "auths" entry for the Harbor registry before turning it into a cluster secret.
Step 2: Add Harbor registry Secret to Kubernetes / OpenShift
Next we need to add the access details for the Harbor registry as a secret in Kubernetes/OpenShift.
kubectl create secret generic harbor-registry-secret \
--from-file=.dockerconfigjson=./harbor-k8s.json \
--type=kubernetes.io/dockerconfigjson \
-n demo
Where:
- ./harbor-k8s.json is the path to your Docker/Podman json file. Change it accordingly.
- demo is the name of the namespace where the secret is to be created
Confirm secret creation:
$ oc get secrets harbor-registry-secret -n demo
NAME TYPE DATA AGE
harbor-registry-secret kubernetes.io/dockerconfigjson 1 30s
The secret is only base64 encoded, not encrypted. If you ever want to decode the added secret to confirm its values, you can use the command:
kubectl get secret harbor-registry-secret -n demo --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
Step 3: Confirm you can deploy Application from image in Harbor registry
Upload an image to the Harbor registry. You'll first need to create a project in Harbor and give the user or robot account access to it.
$ podman pull docker.io/jmutai/kuard-amd64:blue
$ podman tag docker.io/jmutai/kuard-amd64:blue myregistry.example.com/myproject/kuard-amd64:blue
$ podman push myregistry.example.com/myproject/kuard-amd64:blue
Getting image source signatures
Copying blob bcf2f368fe23 done
Copying blob 656e9c47289e done
Copying config 1db936caa6 done
Writing manifest to image destination
Storing signatures
Where:
- myregistry.example.com is the Harbor registry URL
- myproject is the Harbor project the added user or robot account has access to
Create a Pod manifest for Kubernetes that references the pull secret via imagePullSecrets.
$ vim kuard-pod-health.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: kuard
spec:
  imagePullSecrets:
    - name: harbor-registry-secret
  containers:
    - name: kuard
      image: myregistry.example.com/myproject/kuard-amd64:blue
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
      resources:
        requests:
          cpu: "500m"
          memory: "128Mi"
        limits:
          cpu: "500m"
          memory: "256Mi"
Create the Pod in the same namespace where the secret was created, since imagePullSecrets can only reference secrets in the Pod's own namespace.
$ kubectl apply -f kuard-pod-health.yaml -n <namespace>
pod/kuard created
Confirm deployment was successful.
$ kubectl get pod -n <namespace>
NAME READY STATUS RESTARTS AGE
kuard 1/1 Running 0 2m18s
If the pod is not created, or it stays in ErrImagePull / ImagePullBackOff, describe it and read the Events section to understand why.
kubectl describe pod <podname> -n <namespace>
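As an added example that is not code from the original post, the following POSIX shell script ties Steps 1 to 3 together: it builds a .dockerconfigjson that contains only the Harbor registry (rather than copying a whole ~/.docker/config.json or auth.json with credentials for other registries), checks that the registry key in that JSON is exactly the host the kubelet will extract from the Pod's image reference (the usual cause of ImagePullBackOff when a custom port such as :5000 is involved), and only then creates the secret with the same kubectl command as in Step 2. The HARBOR_REGISTRY, HARBOR_USER and HARBOR_PASSWORD environment variables are assumptions of this example; the secret name harbor-registry-secret, the namespace demo and the image path myproject/kuard-amd64:blue are taken from the post.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumed inputs: the
# HARBOR_REGISTRY, HARBOR_USER and HARBOR_PASSWORD environment variables.

# base64("user:password"), exactly what docker/podman write into "auth".
registry_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Minimal .dockerconfigjson holding only the Harbor registry, so the cluster
# secret never carries credentials for other registries found in
# ~/.docker/config.json or /run/user/<UID>/containers/auth.json.
make_dockerconfigjson() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(registry_auth "$2" "$3")"
}

# Registry host[:port] the kubelet will look up credentials for, given an
# image reference. A reference without a slash, or whose first path
# component has no '.' or ':' and is not "localhost", resolves to Docker Hub.
image_registry() {
  case "$1" in
    */*)
      first=${1%%/*}
      case "$first" in
        *.*|*:*|localhost) printf '%s' "$first" ;;
        *) printf 'docker.io' ;;
      esac ;;
    *) printf 'docker.io' ;;
  esac
}

# Succeeds when the JSON in $1 has an "auths" key for the registry of image $2.
# Harbor keys are the plain host[:port]; Docker Hub is stored by the docker
# CLI as "https://index.docker.io/v1/". A fixed-string grep on the quoted key
# is enough for the single-registry file produced above.
config_covers_image() {
  reg=$(image_registry "$2")
  if [ "$reg" = "docker.io" ]; then
    printf '%s' "$1" | grep -Fq '"https://index.docker.io/v1/"'
  else
    printf '%s' "$1" | grep -Fq "\"$reg\":"
  fi
}

# Runs only when the Harbor settings are supplied; cluster commands are the
# same as in Step 2 of the post.
if [ -n "${HARBOR_REGISTRY:-}" ] && [ -n "${HARBOR_USER:-}" ] && [ -n "${HARBOR_PASSWORD:-}" ]; then
  image="$HARBOR_REGISTRY/myproject/kuard-amd64:blue"
  cfg=$(make_dockerconfigjson "$HARBOR_REGISTRY" "$HARBOR_USER" "$HARBOR_PASSWORD")
  if ! config_covers_image "$cfg" "$image"; then
    echo "pull secret key does not match registry of $image" >&2
    exit 1
  fi
  umask 077                               # credentials file readable only by us
  tmp=$(mktemp) && printf '%s' "$cfg" > "$tmp"
  kubectl create secret generic harbor-registry-secret \
    --from-file=.dockerconfigjson="$tmp" \
    --type=kubernetes.io/dockerconfigjson \
    -n demo
  rm -f "$tmp"
fi
```

If you would rather not handle a credentials file at all, kubectl can build the same single-registry secret directly: kubectl create secret docker-registry harbor-registry-secret --docker-server=myregistry.example.com --docker-username=<user> --docker-password=<password> -n demo. Either way, prefer a Harbor robot account scoped to the one project over a personal user account, so the secret stored in the cluster carries only pull rights for that project.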
More guides on Image registries:
Install Harbor Image Registry on Kubernetes / OpenShift with Helm Chart
How To Allow Insecure Registries in OpenShift / OKD 4.x Cluster
Configure Active Directory (AD) Authentication for Harbor Registry
How To Integrate Harbor Registry With LDAP for user Authentication
To all who go through these steps and encounter an error with Step 2 secret creation, it appears that for some releases it doesn’t like the shortcut HOME symbol “~” and fails to find the Docker json file.
The workaround that worked for me is to replace the “~” with “$(echo ~) to swap in your absolute path programmatically.
Typo correction: replace “~” with “$(echo ~)”