Tuesday, 24 September 2019

Basic VMware Harbor Registry usage for Pivotal Container Service (PKS)

VMware Harbor Registry is an enterprise-class registry server that stores and distributes container images. Harbor allows you to store and manage images for use with Enterprise Pivotal Container Service (Enterprise PKS).

In this simple example we show the minimum you need to get an image on Harbor deployed onto your PKS cluster. First, the following must be in place to run this basic demo.

Required Steps

1. PKS installed with Harbor Registry tile added as shown below

2. VMware Harbor Registry integrated with Enterprise PKS as per the link below. The most important step is "Import the CA Certificate Used to Sign the Harbor Certificate and Key to BOSH". You must complete it before creating a PKS cluster.

3. A PKS cluster created. You must have completed step #2 before you create the cluster

$ pks cluster oranges

Name:                     oranges
Plan Name:                small
UUID:                     21998d0d-b9f8-437c-850c-6ee0ed33d781
Last Action:              CREATE
Last Action State:        succeeded
Last Action Description:  Instance provisioning completed
Kubernetes Master Host:
Kubernetes Master Port:   8443
Worker Nodes:             4
Kubernetes Master IP(s):
Network Profile Name:

4. Docker Desktop Installed on your local machine


1. First let's log into Harbor and create a new project. Make sure you record your username and password you have assigned for the project. In this example I make the project public.


  • Project Name: cto_apj
  • Username: pas
  • Password: ****

2. Next in order to be able to connect to our registry from our local laptop we will need to install

The VMware Harbor registry isn't running on a public domain and uses a self-signed certificate, so that certificate has to be trusted on my macOS client, given I am using Docker for Mac. This link shows how to add the self-signed certificate to Linux and Mac clients.

You can download the self-signed cert from Pivotal Ops Manager as shown below

With all that in place a command as follows is all I need to run

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt

3. Now let's log in to the registry using a command as follows

$ docker login -u pas
Login Succeeded

4. Now I have an image sitting on Docker Hub itself so let's tag that and then deploy that to our VMware Harbor registry as shown below

 $ docker tag pasapples/customer-api:latest
 $ docker push

5. Now let's create a new secret for accessing the container registry

$ kubectl create secret docker-registry regcred --docker-username=pas --docker-password=****

6. Now let's deploy this image to our PKS cluster using a deployment YAML file as follows


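apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: customer-api
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: customer-api
    spec:
      containers:
        - name: customer-api
          image: <harbor-host>/<project>/customer-api:latest  # placeholder: the image path is missing from the page
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: customer-api-service
  labels:
    name: customer-api-service
spec:
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  selector:
    app: customer-api
  type: LoadBalancer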

7. Deploy as follows

$ kubectl create -f customer-api.yaml

8. You should see the POD and SERVICE running as follows

$ kubectl get pods | grep customer-api
customer-api-7b8fcd5778-czh46                    1/1     Running   0          58s

$ kubectl get svc | grep customer-api
customer-api-service            LoadBalancer   80:31156/TCP 
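
Step 5 passes the registry password as a kubectl argument, where it ends up in shell history and the process list. The following is an added example, not part of the original post: it builds a `regcred` secret of the same type as a manifest, reading the password from stdin. The registry host `harbor.example.internal` and the function names `b64` and `make_regcred` are assumptions.

```shell
#!/bin/sh
# Added example: build the "regcred" image pull secret as a manifest,
# reading the password from stdin instead of a command-line argument.

# b64: base64-encode stdin without line wrapping (GNU and BSD/macOS).
b64() { base64 | tr -d '\n'; }

# make_regcred SERVER USER   (password: first line of stdin)
# Prints a kubernetes.io/dockerconfigjson Secret manifest on stdout.
make_regcred() {
    server=$1
    user=$2
    # Accept a last line with or without a trailing newline.
    IFS= read -r password || [ -n "$password" ] || return 1
    [ -n "$server" ] && [ -n "$user" ] || return 1
    # The server name is embedded in JSON unescaped: allow host[:port] only.
    case $server in *[!A-Za-z0-9.:_-]*) return 1 ;; esac
    # A colon in the user name would split the user:password pair wrongly.
    case $user in *:*) return 1 ;; esac
    # Only the base64 "auth" field is written, so the password needs no
    # JSON escaping whatever characters it contains.
    auth=$(printf '%s:%s' "$user" "$password" | b64)
    config=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$server" "$auth" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $config
EOF
}

# Usage (registry host is a placeholder, not taken from the page):
#   make_regcred harbor.example.internal pas < password-file | kubectl apply -f -
```

The pod spec has to reference the secret through `imagePullSecrets` with `name: regcred` for the kubelet to use it when pulling from a private project.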

More Information

PKS Release Notes 1.4

VMware Harbor Registry
