Configuring Your App Image Registry
This topic describes how to configure Tanzu Application Service for Kubernetes (TAS for Kubernetes) to access container image registries, and how to create and configure a new private registry for TAS for Kubernetes.
Overview
TAS for Kubernetes pulls system component container images from the VMware Tanzu Network container registry, and retains those images in a private container image registry.
Before you begin this procedure, ensure that you have created a private container image registry. VMware recommends that you use a VMware Harbor registry as your container image registry.
To use a VMware Harbor registry as your container image registry, complete the procedures in Use Harbor as Your Application Image Registry below.
To use a different registry as your container image registry, complete the procedures in Use a Different Image Registry below.
Use Harbor as Your Application Image Registry
To use a VMware Harbor registry as your container image registry:
- Create a Harbor Project and User Account
- Configure the Harbor Project
- Retrieve the Harbor CA Certificate
- Configure the App Image Registry
Create a Harbor Project and User Account
Harbor requires that you create a Harbor project before pushing container images to Harbor.
To create a Harbor project for your TAS for Kubernetes container images:
- Open your browser and navigate to your Harbor registry at https://HARBOR-FQDN/, where HARBOR-FQDN is the fully qualified domain name for your Harbor installation.
- Log in with your Harbor administrative credentials.
- Create a new Harbor user named tas-app-images-push-pull. You must provide a username and password to create the account. For more information, see Create a new user in the Harbor documentation.
- Create a new Harbor project named tas-app-images. For more information, see Create a new private project in the Harbor documentation.
Note: If you specify custom project and user names in the Harbor configuration procedure above, use the same project and user names when configuring the values.yml file. For more information, see Configure the App Image Registry below.
Configure the Harbor Project
To grant your Harbor user account permissions to your Harbor project:
- Open your Harbor registry in a browser, and open the Projects list.
- Click the tas-app-images project in the Projects list, and select the Members tab.
- Click the + USER button to open the New Member dialog box.
- In the Name field, enter tas-app-images-push-pull.
- In the Role field, select the Master option.
- Click OK to add the user to your Harbor project.
For more information on the Harbor Master role, see Managing Users in the Harbor documentation.
Retrieve the Harbor CA Certificate
TAS for Kubernetes must use your Harbor registry’s CA certificate or self-signed certificate to access the registry.
Note: If you did not use the Ops Manager tile to deploy your Harbor installation, contact your Harbor installation administrator to obtain the CA certificate that issued the Harbor certificate.
To retrieve the CA certificate or self-signed certificate from an Ops Manager-deployed Harbor tile:
- Log in to Ops Manager as an administrative user and navigate to the Installation Dashboard.
- Click the VMware Harbor Registry tile.
- Navigate to the Certificate configuration pane and scroll down to the Certificate Authority (CA) field.
- Copy the CA certificate:
  - If the Certificate Authority (CA) field contains a PEM-encoded certificate value, copy this value.
  - If the Certificate Authority (CA) field is blank, the certificate for the Harbor installation was likely issued from the Ops Manager root CA certificate. To download the Ops Manager root CA certificate:
    - In the upper-right corner of the Ops Manager user interface, click the drop-down with your user name.
    - Click Settings.
    - In the Settings page, click Advanced Options.
    - In the Advanced Options pane, click the DOWNLOAD ROOT CA CERT button.
Use the retrieved CA certificate as the certificate authority value when configuring TAS for Kubernetes. For more information, see Create the Harbor Image Registry Configuration File below.
Configure the App Image Registry
To configure TAS for Kubernetes to use your private container image registry:
- Change directory into the configuration-values directory you created earlier, and open the values.yml file in the configuration-values directory.
- Populate the app_registry section of the file with the following:

app_registry:
  ca: |
    -----BEGIN CERTIFICATE-----
    CA-CERTIFICATE-CONTENT
    -----END CERTIFICATE-----
  hostname: "HARBOR-FQDN"
  repository_prefix: "HARBOR-FQDN/tas-app-images"
  username: "tas-app-images-push-pull"
  password: "APP-REGISTRY-PASSWORD"

Where:
  - HARBOR-FQDN is the fully qualified domain name for your Harbor installation.
  - APP-REGISTRY-PASSWORD is the password you submitted for the tas-app-images-push-pull user.
  - CA-CERTIFICATE-CONTENT is the CA certificate or self-signed certificate for your Harbor registry. Ensure each line of the CA certificate value is indented four spaces, matching the indentation of the BEGIN CERTIFICATE and END CERTIFICATE lines above.
- Save the file.
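A pre-deployment check for the Harbor app_registry section described above, as an added example that is not part of the VMware documentation. The function name lint_app_registry, the sample hostnames and the sample password are assumptions made for illustration, and the check covers only the Harbor layout, where a CA certificate is required and repository_prefix begins with the registry hostname.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PLACEHOLDERS = ("HARBOR-FQDN", "APP-REGISTRY-PASSWORD", "CA-CERTIFICATE-CONTENT")

def lint_app_registry(text):
    """Return problems found in the app_registry section (Harbor layout)."""
    problems, fields, ca_lines, in_section, in_ca = [], {}, [], False, False
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip(" "))
        field = re.fullmatch(r'  (\w+):\s*(.*)', line)
        if indent == 0:                        # a top-level key opens or closes the section
            in_section, in_ca = line.rstrip() == "app_registry:", False
        elif in_section and in_ca and indent > 2:   # body of the "ca: |" block
            if indent != 4:
                problems.append(f"ca line indented {indent} spaces, expected 4")
            ca_lines.append(line.strip())
        elif in_section and field:             # a two-space-indented key: value pair
            fields[field[1]] = field[2].strip().strip('"')
            in_ca = field[1] == "ca" and fields["ca"] == "|"
    for key in ("hostname", "repository_prefix", "username", "password"):
        if not fields.get(key) or any(p in fields[key] for p in PLACEHOLDERS):
            problems.append(f"{key} is empty or still a documentation placeholder")
    if not fields.get("repository_prefix", "").startswith(fields.get("hostname", "") + "/"):
        problems.append("repository_prefix does not start with hostname/")
    try:
        if not ca_lines or (ca_lines[0], ca_lines[-1]) != (BEGIN, END):
            raise ValueError("missing BEGIN/END CERTIFICATE lines")
        base64.b64decode("".join(ca_lines[1:-1]), validate=True)
    except ValueError as err:
        problems.append(f"ca is not a usable PEM block: {err}")
    return problems

# Constructed samples: the base64 body is filler, not a real certificate.
BODY = base64.b64encode(b"constructed sample, not a real certificate").decode()
GOOD = f"""app_registry:
  ca: |
    -----BEGIN CERTIFICATE-----
    {BODY}
    -----END CERTIFICATE-----
  hostname: "harbor.example.com"
  repository_prefix: "harbor.example.com/tas-app-images"
  username: "tas-app-images-push-pull"
  password: "constructed-sample-password"
"""
BAD = GOOD.replace("    " + BODY, "      " + BODY)                      # over-indented ca line
BAD = BAD.replace('"harbor.example.com/', '"registry.example.net/')     # prefix on another host
BAD = BAD.replace("constructed-sample-password", "APP-REGISTRY-PASSWORD")  # placeholder left in
```

The check confirms only that the ca value has PEM shape; it does not establish that the certificate is the one that issued the Harbor registry's certificate.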
Use a Different Image Registry
In addition to supporting a VMware Harbor registry as a container image registry, TAS for Kubernetes also supports using other container image registries.
To use Google Container Registry (GCR), Docker Hub, or another registry as your TAS for Kubernetes container image registry:
- Change directory into the configuration-values directory you created earlier.
- Open the values.yml file.
- Populate the app_registry section with the following:

app_registry:
  ca: ""
  hostname: "HOST-FQDN"
  repository_prefix: "REPOSITORY"
  username: "APP-REGISTRY-USERNAME"
  password: "APP-REGISTRY-PASSWORD"

Where:
  - HOST-FQDN is the fully qualified domain name for your registry.
  - REPOSITORY is the full URL for the TAS for Kubernetes project within your registry.
  - APP-REGISTRY-USERNAME is the username for an account with access to the TAS for Kubernetes project within your registry.
  - APP-REGISTRY-PASSWORD is the password for the specified account.
- (Optional) To specify a CA certificate for the registry, replace the empty ca: property with the following:

  ca: |
    -----BEGIN CERTIFICATE-----
    CA-CERTIFICATE-CONTENT
    -----END CERTIFICATE-----

Where CA-CERTIFICATE-CONTENT is the CA certificate or self-signed certificate for your registry. Ensure each line of the CA certificate value is indented four spaces, matching the indentation of the BEGIN CERTIFICATE and END CERTIFICATE lines above.
Specifying a CA certificate is required if your registry does not have a certificate signed by a trusted authority.
- Save the file.
Next Steps
After you complete this procedure, proceed to Configuring System Image Registry.