Configuring the Application Image Registry

This topic describes how to configure certain container image registries to store the application images for Tanzu Application Service for Kubernetes.

Follow the instructions for one of the registry types below:

VMware Harbor Registry

Creating a Harbor Project and User Account

These instructions use PLACEHOLDER-HARBOR-FQDN to refer to the fully qualified domain name for the Harbor installation.

  1. Navigate to https://PLACEHOLDER-HARBOR-FQDN/ in your browser and log in with your administrative credentials.

  2. Create a new user named tas-app-images-push-pull. You will need to submit a password for the user you create.

  3. Create a new private project named tas-app-images.

Next, add the tas-app-images-push-pull user to the tas-app-images project:

  1. Click on the tas-app-images entry in the Projects list and then select the Members tab.

  2. Click on the “+ USER” button to open the New Member dialog box.

  3. In the Name field on the dialog box, enter tas-app-images-push-pull.

  4. In the Role field, select the Master option.

  5. Click the OK button on the dialog box to finish adding the user to the project.

For more information on the Master role, see the Managing Users topic in the Harbor documentation.

Retrieving the Harbor CA Certificate from Ops Manager

If you have deployed Harbor using the Ops Manager tile, retrieve the CA certificate or self-signed certificate from the tile configuration:

  1. Log in to Ops Manager as an administrative user and navigate to the Installation Dashboard.

  2. Click on the VMware Harbor Registry tile.

  3. Navigate to the Certificate configuration pane and scroll down to the Certificate Authority (CA) field.

If there is a PEM-encoded certificate value present in the CA field, use it as the certificate authority value in the configuration file section below.

If instead there is no value present in the CA field, the certificate for the Harbor installation was likely issued from the Ops Manager root CA certificate. Retrieve that root CA certificate as follows:

  1. In the Ops Manager user interface, open the dropdown with your user name in the upper-right corner and click on Settings.

  2. In the Settings page, click on the Advanced Options pane.

  3. In the Advanced Options pane, click on the DOWNLOAD ROOT CA CERT button to download the Ops Manager root CA certificate.

Use this root CA certificate as the certificate authority in the configuration file section below.

If you did not use the Ops Manager tile to deploy your Harbor installation, contact the administrator for the installation to obtain the CA certificate that issued the Harbor certificate.

Creating the Configuration File

To configure Tanzu Application Service for Kubernetes with these values for the application image registry:

  1. Change into the configuration-values directory you created earlier.

  2. Create a file named app-registry-values.yml in that directory with the contents below, replacing the placeholder values with:

    • the Harbor fully qualified domain name,
    • the password you submitted for the tas-app-images-push-pull user, and
    • the CA certificate or self-signed certificate for Harbor you retrieved above.

    Make sure that each line of the CA certificate value is indented four spaces, to match the BEGIN CERTIFICATE and END CERTIFICATE lines below.

#@data/values
---
app_registry:
  hostname: "PLACEHOLDER-HARBOR-FQDN"
  repository: "PLACEHOLDER-HARBOR-FQDN/tas-app-images"
  username: "tas-app-images-push-pull"
  password: "PLACEHOLDER-APP-REGISTRY-PASSWORD"
  ca: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-CA-CERTIFICATE-CONTENTS
    (make sure each line is indented four spaces)
    -----END CERTIFICATE-----

Note: You may choose different project and user names in the Harbor configuration procedure above as long as you use the same names in the configuration file.

Once you have created this file, proceed to the Installing Tanzu Application Service for Kubernetes topic.

Google Container Registry

Creating a Service Account for GCR

These steps require that you have the Google Cloud CLI, gcloud, installed and configured to target your Google Cloud Platform (GCP) project.

  1. Obtain the ID of your current GCP project:

    $ GCP_PROJECT_ID=$(gcloud config get-value core/project)

  2. Create a service account in your current project:

    $ gcloud iam service-accounts create tas-app-images-push-pull

  3. Grant this service account the storage.admin role on the project so that it can push and pull images from GCR:

    $ gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member serviceAccount:tas-app-images-push-pull@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
    --role roles/storage.admin

  4. Create a private authentication key for this service account and store it in a local file named gcr-storage-admin.json:

    $ gcloud iam service-accounts keys create \
    --iam-account "tas-app-images-push-pull@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    gcr-storage-admin.json

Creating the Configuration File

To configure Tanzu Application Service for Kubernetes with these values for the application image registry:

  1. Change into the configuration-values directory you created earlier.

  2. Create a file named app-registry-values.yml in that directory with the contents below, replacing the placeholder value with the contents of the gcr-storage-admin.json authentication key file you created above and replacing $GCP_PROJECT_ID with your GCP project ID, because the shell variable is not expanded inside the YAML file. Note that the contents of the key file should be indented 4 spaces.

#@data/values
---
app_registry:
  hostname: gcr.io
  repository: "gcr.io/$GCP_PROJECT_ID/tas-app-images"
  username: "_json_key"
  password: |
    {
      PLACEHOLDER-CONTENTS-OF-SERVICE-ACCOUNT-JSON-KEY
    }
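
The following script is an added example, not part of the original procedure: it renders the GCR app-registry-values.yml from the key file with the four-space indentation the `password: |` block needs, writes the literal project ID, and creates the file readable by its owner only. The function names are hypothetical, and it assumes the key file is the pretty-printed JSON object that gcloud writes.

```shell
#!/bin/sh
# Added example (not from the product documentation).

# Indent every line of a file four spaces, as required for a YAML block
# scalar nested under a key that is itself indented two spaces.
indent4() {
  sed 's/^/    /' "$1"
}

# Structural sanity check, not a JSON parser: the file must open with "{"
# and contain a "private_key" field, as a service account key does.
looks_like_sa_key() {
  head -n 1 "$1" | grep -q '^{' && grep -q '"private_key"' "$1"
}

# render_gcr_values PROJECT_ID KEY_FILE OUT_FILE
render_gcr_values() {
  project_id=$1; key_file=$2; out_file=$3
  [ -n "$project_id" ] || { echo "empty project ID" >&2; return 1; }
  looks_like_sa_key "$key_file" || { echo "not a key file: $key_file" >&2; return 1; }
  # The output holds a long-lived credential: create it with mode 0600.
  (
    umask 077
    rm -f -- "$out_file"
    {
      printf '#@data/values\n---\napp_registry:\n'
      printf '  hostname: gcr.io\n'
      # Written as a literal value; $GCP_PROJECT_ID is not expanded in YAML.
      printf '  repository: "gcr.io/%s/tas-app-images"\n' "$project_id"
      printf '  username: "_json_key"\n'
      printf '  password: |\n'
      indent4 "$key_file"
    } > "$out_file"
  )
}
```

Called as `render_gcr_values "$GCP_PROJECT_ID" gcr-storage-admin.json app-registry-values.yml`. The same `indent4` helper, run on the Harbor CA certificate file, produces the lines that go under `ca: |` in the Harbor configuration.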

Once you have created this file, proceed to the Installing Tanzu Application Service for Kubernetes topic.

Dockerhub

To use Dockerhub as a registry for app images, you must first have a user account at Dockerhub.

Creating the Configuration File

To configure Tanzu Application Service for Kubernetes with these values for the application image registry:

  1. Change into the configuration-values directory you created earlier.

  2. Create a file named app-registry-values.yml in that directory with the contents below, replacing the placeholder values with the username and password of your Dockerhub account. Note that the repository value is the same as the username.

#@data/values
---
app_registry:
  hostname: https://index.docker.io/v1/
  repository: "PLACEHOLDER-USERNAME"
  username: "PLACEHOLDER-USERNAME"
  password: "PLACEHOLDER-PASSWORD"

Once you have created this file, proceed to the Installing Tanzu Application Service for Kubernetes topic.