WilliamLam.com


Admin account for embedded Harbor registry in vSphere with Kubernetes

06.09.2020 by William Lam

After setting up a vSphere with Kubernetes Cluster, customers have the option of enabling a built-in private container registry that can be used with the Supervisor Cluster. This private container registry uses Harbor, the popular open source registry that is also a Cloud Native Computing Foundation (CNCF) project.


Although this is a convenient capability, one thing to be aware of is that the embedded Harbor registry is, by design, limited in functionality compared to a standalone Harbor deployment. When logging into Harbor with your vCenter SSO user, you will be able to perform basic operations such as pushing and pulling images from this registry. For customers that require additional functionality from Harbor, it is recommended that you set up an external Harbor instance, which can also be used as a common registry for both the Supervisor Cluster as well as any Tanzu Kubernetes Grid (TKG) Clusters that you may provision.

With that said, I have heard from a few folks who were interested in accessing the Harbor UI using the "admin" account, mostly from an exploration standpoint. The admin credentials for Harbor are dynamically generated each time the service is enabled and they are stored as a K8s secret within the Supervisor Cluster. This means the admin password is unique for each environment and the instructions below will show you how to obtain the credentials.

UPDATE (12/16/20) - I was informed by Engineering that the ability to read K8s secrets was actually a bug and that this has since been fixed in the latest release of vSphere with Tanzu. If you need the Harbor credentials, you will need to log in directly to the Supervisor Cluster from the VCSA (instructions have been updated below) to retrieve this information.

Disclaimer: This is not officially supported by VMware and the behaviors described below could change in the future without notice.

Step 1 - SSH to the VCSA and then run the following script to retrieve the Supervisor Cluster Control Plane VM credentials:

/usr/lib/vmware-wcp/decryptK8Pwd.py

Step 2 - SSH to the IP Address using the root username and the password provided by the previous command.

Step 3 - Retrieve the Embedded Harbor Namespace and Pod ID by running the following commands:

HARBOR_NAMESPACE=$(kubectl get ns | grep registry- | awk '{print $1}')
HARBOR_POD_ID=$(echo $HARBOR_NAMESPACE | sed 's/.*-//')

Step 4 - Extract the encoded string for both the Harbor username and password by running the following commands:

echo "Harbor Username Secret: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminUsername}})"
echo "Harbor Password Secret: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminPassword}})"

Note: For completeness' sake, the example above shows both the encoded password and username strings, but the default username for Harbor is admin.

Step 5 - Finally, once you have extracted the encoded username and password values, you will need to decode the obfuscated strings. Each string is base64 encoded and has been "double" encoded, so you will need to decode the secret twice using any base64 tool or an online website like https://www.base64decode.net/

If you are on a macOS or Linux system which has the base64 utility, you can run the following one-liners, which will automatically extract the username/password string and then double decode it so you get the final plain text string:

echo "Harbor Username: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminUsername}} | base64 --decode | base64 --decode)"
echo "Harbor Password: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminPassword}} | base64 --decode | base64 --decode)"
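The double decode from Step 5 as a reusable function with error checks, so the secret is decoded on the host and never pasted into a third-party site. This is an added example, not code from the original post: the function names `b64d` and `decode_harbor_secret` and the sample value are constructed for illustration. Kubernetes returns every Secret `.data` field base64 encoded, which accounts for the outer layer.

```shell
#!/bin/sh
# Added example: strip both base64 layers locally, with error checks.

# Portable base64 decode of stdin: GNU coreutils and current macOS accept
# --decode; older macOS releases only accept -D.
b64d() {
  if printf 'QQ==' | base64 --decode >/dev/null 2>&1; then
    base64 --decode
  else
    base64 -D
  fi
}

# Reads one encoded value on stdin and prints the plain text.
# The body is a subshell "( ... )", so the intermediate values do not remain
# in the calling shell. Exit status: 1 = outer layer invalid, 2 = inner layer
# invalid (for example, a value that was only encoded once).
decode_harbor_secret() (
  once=$(tr -d '[:space:]' | b64d 2>/dev/null) && [ -n "$once" ] || {
    echo "outer layer is not valid base64" >&2; exit 1; }
  plain=$(printf '%s' "$once" | b64d 2>/dev/null) && [ -n "$plain" ] || {
    echo "inner layer is not valid base64" >&2; exit 2; }
  printf '%s\n' "$plain"
)

# Constructed sample: the string "admin" encoded twice (not a real secret).
SAMPLE='WVdSdGFXND0='
printf 'Decoded sample: %s\n' "$(printf '%s' "$SAMPLE" | decode_harbor_secret)"

# On the Supervisor Cluster control plane VM, after Step 3 has set the
# HARBOR_NAMESPACE and HARBOR_POD_ID variables:
#   kubectl -n "${HARBOR_NAMESPACE}" get secret \
#     "harbor-${HARBOR_POD_ID}-controller-registry" \
#     --template='{{.data.harborAdminPassword}}' | decode_harbor_secret
```

Feeding the value through a pipe keeps it out of the argument list and shell history.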

With the decoded credentials, you can now log in to the embedded Harbor instance using the admin account.


Comments

  1. cy says

    07/24/2020 at 8:15 pm

    Seems to be not working for vSphere 7.0.0.10400 with error
    Error from server (Forbidden): secrets "harbor-583910481-controller-registry" is forbidden: User "sso:*protected email*" cannot get resource "secrets" in API group "" in the namespace "vmware-system-registry-583910481"

  2. Francisco Manso says

    07/30/2020 at 6:21 pm

    Same problem here, I am trying to add permissions to the harbor namespace and I get this error:
    User is not authorized to perform the operation in namespace 'vmware-system-registry-336529239' with reserved prefix(es): 'vmware-system'.

  3. Jon says

    04/28/2021 at 10:00 pm

    Thanks William - worked fine for me, but you do have some double-hyphens converted to 'long hyphens' in your code (I hate the way text editors do this), changing the – back to -- works fine.


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)
