Using the Harbor Connector Proxy in K8S Workload
In a Kubernetes cluster, when using container registry clients to access the Harbor Registry, it is often necessary to configure the Registry authentication information for the client. This requires distributing the authentication information to the workload orchestrators, thereby increasing the risk of credential leakage.
The Harbor Connector provides a secretless way to access the Registry through its proxy capability, allowing ordinary users to access the Registry without having contact with authentication information, thus maximizing credential security.
Currently, there are various container registry clients available in the community for accessing the Harbor Registry. This document will introduce how to utilize the proxy capabilities of the Harbor Connector in Kubernetes workloads and explain its general configuration logic.
If you already have a preliminary understanding, you can directly refer to more specific cases:
- Using Harbor Connector to Build Images in K8S Job
- Using Harbor Connector to Build Images in Tekton Pipeline
Utilizing Harbor Connector Proxy Capability
The Harbor Connector supports two proxy modes:
- Forward Proxy - Recommended for most cases. Less intrusive to client configurations and easier to use.
- Reverse Proxy - Requires modifying the target image address and additional client configuration.
Forward Proxy
Using Forward Proxy involves the following aspects:
- Setting proxy environment variables for the client
- Configuring the client to support insecure registries (if required)
Mount the built-in configurations through the Connectors CSI Driver:
Most container registry clients support reading proxy settings from environment variables (http_proxy, https_proxy, no_proxy). You can configure them in two ways:
Note: Some clients require specifying proxy settings in their configuration files.
Since the forward proxy intercepts and re-signs TLS traffic (MITM), clients must be configured to trust the proxy's certificate or allow insecure connections. Refer to your CLI documentation for details, or see the Harbor ConnectorClass Forward Proxy for default configurations provided by the ConnectorClass.
Reverse Proxy
Using the Harbor Connector proxy capability mainly involves the following three aspects:
- Modifying the target image address to the proxied image repository address
- Configuring the authentication information required to access the proxy
- Configuring the client CLI to support pushing to insecure registries
Next, we will elaborate on the specific meaning of each item.
- Modifying the target image address to the proxied image repository address
Example: harbor.example.com/test/abc:v1 → c-harbor-connector.default.svc.local/namespaces/harbor-connector-ns/connectors/harbor-connector-name/test/abc:v1
- Configuring the authentication information required to access the proxy
The authentication information required to access the proxy can be configured through the config.json file.
The Harbor ConnectorClass provides an out-of-the-box configuration that can be mounted through connector-csi.
For the configuration information of the Harbor ConnectorClass, please refer to Harbor ConnectorClass Configuration.
- Configuring the client CLI to support pushing to insecure registries
Since the proxy service provided by the connector uses HTTP protocol, it is necessary to configure insecure-registries on the client. Different clients have different configuration methods:
buildkitd can specify this through buildkitd.toml. The Harbor ConnectorClass provides an out-of-the-box configuration for buildkitd, which can be mounted through connector-csi.
Certain tools may support specifying directly in the command line, in which case the corresponding parameters can be fixed in the script.
For example:
buildahspecifies--tls-verify=falsein the command line to support insecure registry.kospecifies--insecure-registryin the command line to support insecure registry.