After setting up a vSphere with Kubernetes Cluster, customers have the option of enabling a built-in private container registry that can be used with the Supervisor Cluster. This private container registry uses the popular open source Harbor solution, which is also a Cloud Native Computing Foundation (CNCF) project.
Although this is a convenient capability, one thing to be aware of is that the embedded Harbor registry is limited in functionality compared to a standalone Harbor deployment, and this is by design. When logging into Harbor with your vCenter SSO user, you will be able to perform basic operations such as pushing and pulling images from this registry. For customers that require additional functionality from Harbor, it is recommended that you set up an external Harbor instance, which can also be used as a common registry for both the Supervisor Cluster as well as any Tanzu Kubernetes Grid (TKG) Clusters that you may provision.
With that said, I have heard from a few folks who were interested in accessing the Harbor UI using the "admin" account, mostly from an exploration standpoint. The admin credentials for Harbor are dynamically generated each time the service is enabled and are stored as a K8s secret within the Supervisor Cluster. This means the admin password is unique for each environment and the instructions below will show you how to obtain the credentials.
UPDATE (12/16/20) - I was informed by Engineering that the ability to read K8s secrets was actually a bug and this has since been fixed in the latest release of vSphere with Tanzu. If you need the Harbor credentials, you will need to log in directly to the Supervisor Cluster from the VCSA (instructions have been updated below) to retrieve this information.
Disclaimer: This is not officially supported by VMware and the behaviors described below could change in the future without notice.
Step 1 - SSH to the VCSA and then run the following script to retrieve the Supervisor Cluster Control Plane VM credentials:
/usr/lib/vmware-wcp/decryptK8Pwd.py
Step 2 - SSH to the IP address as the root user, with the password provided by the previous command
Step 3 - Retrieve the Embedded Harbor Namespace and Pod ID by running the following commands:
HARBOR_NAMESPACE=$(kubectl get ns | grep registry- | awk '{print $1}')
HARBOR_POD_ID=$(echo $HARBOR_NAMESPACE | sed 's/.*-//')
Step 4 - Extract the encoded string for both the Harbor username and password by running the following commands:
echo "Harbor Username Secret: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminUsername}})"
echo "Harbor Password Secret: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminPassword}})"
Note: For completeness' sake, the example above shows both the encoded password and username strings, but the default username for Harbor is admin.
Step 5 - Finally, once you have extracted the encoded username and password values, you will need to decode the obfuscated string. The string is base64 encoded and it has been "double" encoded, so you will need to decode the secret twice using any base64 tool or online website like https://www.base64decode.net/
If you are on a macOS or Linux system which has the base64 utility, you can run the following one-liners, which will automatically extract the username/password string and then double decode it so you get the final plain text string:
echo "Harbor Username: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminUsername}} | base64 --decode | base64 --decode)"
echo "Harbor Password: $(kubectl -n ${HARBOR_NAMESPACE} get secret "harbor-${HARBOR_POD_ID}-controller-registry" --template={{.data.harborAdminPassword}} | base64 --decode | base64 --decode)"
With the decoded credentials, you can now log in to the embedded Harbor instance using the admin account.
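Steps 3 to 5 as one shell function with error handling, decoding locally so the admin password never has to be pasted into a third-party website. This is an added example, not code from the original post; the function names double_b64_decode and harbor_admin_field are hypothetical, and it assumes it is run on the Supervisor Cluster control plane VM where kubectl already works.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical;
# the secret name and field names are the ones used in the steps above.

# Decode a value that was base64-encoded twice. Fails (non-zero, no output)
# if either layer is not valid base64.
double_b64_decode() {
  local once twice
  once=$(printf '%s' "$1" | base64 --decode 2>/dev/null) || return 1
  twice=$(printf '%s' "$once" | base64 --decode 2>/dev/null) || return 1
  [ -n "$twice" ] && printf '%s\n' "$twice"
}

# Print one field of the embedded Harbor admin secret in plain text.
# $1 is harborAdminUsername or harborAdminPassword.
harbor_admin_field() {
  local field=$1 ns id raw
  ns=$(kubectl get ns | awk '/registry-/ {print $1}')
  # Exactly one registry namespace is expected; refuse to guess otherwise.
  if [ "$(printf '%s\n' "$ns" | grep -c .)" -ne 1 ]; then
    echo "expected exactly one registry- namespace" >&2
    return 2
  fi
  id=${ns##*-}   # text after the last hyphen, same as sed 's/.*-//'
  raw=$(kubectl -n "$ns" get secret "harbor-${id}-controller-registry" \
    --template="{{.data.${field}}}") || return 3
  double_b64_decode "$raw" || {
    echo "${field} is not a double base64 value" >&2
    return 4
  }
}

# Usage: harbor_admin_field harborAdminPassword
```

The distinct return codes separate a missing namespace (2), a failed secret read such as the Forbidden error (3), and a value that does not decode twice (4).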
cy says
Seems to be not working for vSphere 7.0.0.10400 with error
Error from server (Forbidden): secrets "harbor-583910481-controller-registry" is forbidden: User "sso:*protected email*" cannot get resource "secrets" in API group "" in the namespace "vmware-system-registry-583910481"
Francisco Manso says
Same problem here, I am trying to add permissions to the harbor namespace and I get this error:
User is not authorized to perform the operation in namespace 'vmware-system-registry-336529239' with reserved prefix(es): 'vmware-system'.
Jon says
Thanks William - worked fine for me, but you do have some double-hyphens converted to 'long hyphens' in your code (I hate the way text editors do this), changing the – back to -- works fine.