Configure a Private Registry for Tanzu Kubernetes Clusters

September 22, 2021 By Eric Shanks

A really common task after deploying a Kubernetes cluster is to configure it to use a container registry where the container images are stored. A Tanzu Kubernetes Cluster (TKC) is no exception to this rule. vSphere 7 with Tanzu comes with an embedded Harbor registry that can be used, but in many cases you already have your own container registry and would like to continue using that instead.

Trust the Registry Certificate

A container registry should be configured to use a TLS certificate to prevent logins from being sent in clear text. If your container registry uses a publicly trusted certificate, then your work is done. However, if you’re using an internal certificate authority to mint your certificates, then your Kubernetes nodes will need to be configured to trust this certificate chain.

To configure the trust, we’ll apply a TkgServiceConfiguration to the Supervisor cluster. Doing so will trigger a rolling update to the cluster until all of the nodes have the new configuration. This TkgServiceConfiguration will need a base64 encoded string of the PEM encoded certificate.

To create a base64 encoded string you can run:

base64 -i [certificatename.crt]

A sample configuration is shown below. You will notice that you can include more than one certificate. Remember to include your internal RootCA in the list.

apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
      - name: HollowCA
        data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNyR......
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2

Once you’ve created a YAML file from the template above and placed your base64 encoded certificate string into it, you’ll need to switch to the Supervisor cluster’s context and apply it. Log in to your Supervisor cluster context.

Then apply the configuration.

kubectl apply -f [tkgconfig_file.yaml]
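As an added example (not code from the original post or from VMware), the following Python helper splits a PEM bundle into its certificate blocks, base64-encodes each one as a single line, checks that a data: value decodes back to a certificate, and renders the TkgServiceConfiguration manifest shown above. The sample bundle and the entry names are constructed placeholders, not real certificates.

```python
import base64
import re
# Constructed sample bundle: two PEM blocks with placeholder bodies, not real
# certificates. Substitute the RootCA chain your registry certificate chains to.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBszCCAVkCFQDPLACEHOLDERROOTCA0000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBtDCCAVoCFQDPLACEHOLDERINTERMEDIATE00000000000000000000000000
-----END CERTIFICATE-----
"""
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.DOTALL)
MANIFEST_HEADER = """\
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
"""

def split_pem_bundle(bundle: str) -> list[str]:
    """Return each certificate block in a bundle, BEGIN/END lines included."""
    blocks = PEM_BLOCK.findall(bundle)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return blocks

def encode_pem(pem: str) -> str:
    """Base64 of the whole PEM text as ONE line. GNU coreutils base64 wraps at
    76 columns unless run with -w 0; a wrapped value breaks the data: scalar."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")

def check_entry(data: str) -> bool:
    """Validate a data: value: single line that decodes to a CERTIFICATE PEM."""
    try:
        pem = base64.b64decode(data, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return PEM_BLOCK.fullmatch(pem.strip()) is not None

def build_tkg_service_configuration(named_pems: dict[str, str]) -> str:
    """Render the manifest from {entry name: PEM text}, one entry per CA."""
    entries = "".join(
        f"      - name: {name}\n        data: {encode_pem(pem)}\n"
        for name, pem in named_pems.items())
    return MANIFEST_HEADER + entries
```

Run build_tkg_service_configuration on the blocks returned by split_pem_bundle and redirect the output to the file you pass to kubectl apply.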

Deploy Containers from the Private Registry

After the TkgServiceConfiguration has been applied to the Supervisor cluster, the Tanzu Kubernetes Clusters should start to update. The update process consists of replacing all the existing nodes with new nodes that carry the trust configuration we just applied.

After the clusters have updated you can start to deploy your containers using the private registry.

Log in to the Tanzu Kubernetes Cluster (TKC) if you haven’t already, and then switch your Kubernetes context to this TKC. Deploy a pod from an image located in the registry and you should be able to successfully download the image.