This page describes how to sign in to Docker or Helm using the Managed Harbor Service (MHS) credential helper or CLI secrets.
To provide flexibility, Google Distributed Cloud (GDC) air-gapped provides two methods to authenticate with Docker and Helm from your Harbor registry instance. The first method is using the Managed Harbor Service (MHS) credential helper and your GDC identity to sign in to the Docker or Helm CLI. After authenticating with GDC, you can sign in to the Docker client and perform Docker operations, without having to create or manage separate CLI secrets in Harbor.
The second method is using CLI secrets. After you authenticate using Identity-Aware Proxy (IAP) and sign in to the Harbor interface for the first time, use the Docker or Helm CLI to access Harbor. The Docker and Helm CLIs cannot handle redirection for IAP, so Harbor provides a CLI secret to use when signing in from Docker or Helm. This method is only available when Harbor uses IAP authentication.
Before you begin
To configure Docker and Helm authentication for Harbor registry instances, you must have the following:
- The MHS credential helper docker-credential-mhs installed in the environment. The credential helper is included by default in the gdcloud CLI bundle. For more information, see gdcloud CLI overview.
- The necessary identity and access role. Ask your Organization IAM Admin to grant you the Harbor Instance Viewer (harbor-instance-viewer) role.
Sign in to Docker with your GDC identity
Use the MHS credential helper with your GDC identity to sign in to the Docker CLI. To authenticate with Docker, follow these steps:
- Sign in to the Management API server with the GDC CLI by following the instructions in Sign in.
- Configure Docker to use the MHS credential helper docker-credential-mhs:

    TENANT_PROJECT=PROJECT_NAME
    HARBOR_INSTANCE_NAME=HARBOR_INSTANCE_NAME
    REGISTRY=$(kubectl get harborinstance $HARBOR_INSTANCE_NAME -n $TENANT_PROJECT -o jsonpath='{.status.url}' | sed s#https://##)
    docker-credential-mhs configure-docker --registries=${REGISTRY}

  Replace the following:
  - PROJECT_NAME: the name of your tenant project. This is the same project name you provided when creating your Harbor instance.
  - HARBOR_INSTANCE_NAME: the name of the Harbor instance that was created in Create Harbor registry instances.
- Follow the instructions in Configure Docker to trust the Harbor root CA.
- Optional: Verify that the credential helper is configured by checking that the mhs entry was added to ~/.docker/config.json:

    cat DOCKER_CONFIG_PATH

  Replace DOCKER_CONFIG_PATH with the path to your Docker config file, for example ~/.docker/config.json.
  The output is similar to the following:

    {
      "auths": {
        "10.200.0.1": {
          "auth": "YWRtaW46YWRtaW4="
        },
        "10.200.16.5:10443": {
          "auth": "YWRtaW46ZEROVVJCVWE1a1FBcE4xQQ=="
        }
      },
      "credHelpers": {
        "asia.gcr.io": "gcloud",
        "eu.gcr.io": "gcloud",
        "gcr.io": "gcloud",
        "marketplace.gcr.io": "gcloud",
        "myinstance-e2e-test-user.org-1.zone1.google.gdch.test": "mhs",
        "staging-k8s.gcr.io": "gcloud",
        "us-central1-docker.pkg.dev": "gcloud",
        "us.gcr.io": "gcloud"
      }
    }

  In this example, the entry "myinstance-e2e-test-user.org-1.zone1.google.gdch.test": "mhs" shows that the Harbor registry is configured to use the credential helper.
- Configure the tenant project in gdcloud:

    TENANT_PROJECT=PROJECT_NAME
    gdcloud config set project $TENANT_PROJECT

  The following output is shown:

    Updated property [core/project].

- Perform Docker operations, such as an image push or pull:

    TENANT_PROJECT=PROJECT_NAME
    HARBOR_INSTANCE_NAME=HARBOR_INSTANCE_NAME
    REGISTRY=$(kubectl get harborinstance $HARBOR_INSTANCE_NAME -n $TENANT_PROJECT -o jsonpath='{.status.url}' | sed s#https://##)
    # Push image
    docker pull nginx
    docker tag nginx ${REGISTRY}/library/nginx:latest
    docker push ${REGISTRY}/library/nginx:latest
    # Pull image
    docker pull ${REGISTRY}/library/nginx:latest

  A successful output is similar to the following:

    # Push image
    root@gpc-adhoc-70846130vm-bootstrapper-zone1:~# docker push ${REGISTRY}/library/nginx:latest
    The push refers to repository [myinstance-e2e-test-user.org-1.zone1.google.gdch.test/library/nginx]
    e4e9e9ad93c2: Pushed
    6ac729401225: Pushed
    8ce189049cb5: Pushed
    296af1bd2844: Pushed
    63d7ce983cd5: Pushed
    b33db0c3c3a8: Pushed
    98b5f35ea9d3: Pushed
    latest: digest: sha256:7ba542bde95e6523a4b126f610553e3657b8108bc3175596ee7e911ae1219bfc size: 1778
    # Pull image
    root@gpc-adhoc-70846130vm-bootstrapper-zone1:~# docker pull ${REGISTRY}/library/nginx:latest
    latest: Pulling from library/nginx
    Digest: sha256:7ba542bde95e6523a4b126f610553e3657b8108bc3175596ee7e911ae1219bfc
    Status: Image is up to date for myinstance-e2e-test-user.org-1.zone1.google.gdch.test/library/nginx:latest

  If the operation is unsuccessful, you might see the following output:

    E1025 19:21:39.322290 1273587 get.go:24] failed to get user name: user is not logged in or login expired, please login again

  In this case, the GDC authentication session has expired and you must sign in to GDC again. For more information, see Sign in.
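The verification step above checks by eye that the Harbor host is mapped to mhs in config.json. The following script automates that check and also reports registries that still rely on a static auth entry under auths, which is only base64 of user:password and is therefore readable by anyone who can read the file. This is an added example, not code from the GDC documentation or from the MHS credential helper; the sample config is constructed from the output shown above, and the load_config path is an assumption.

```python
"""Audit a Docker client config for how each registry authenticates.

Added example; it is not code from the GDC documentation or from the MHS
credential helper. It performs the check in the verification step above
(the Harbor host must map to "mhs" under credHelpers) and additionally lists
registries that still carry a static "auth" entry under "auths".
"""
import base64
import json
from pathlib import Path

# Constructed sample config modelled on the output shown on the page;
# "YWRtaW46YWRtaW4=" is base64 of "admin:admin".
SAMPLE_CONFIG = {
    "auths": {
        "10.200.0.1": {"auth": "YWRtaW46YWRtaW4="},
        "10.200.16.5:10443": {"auth": "YWRtaW46ZEROVVJCVWE1a1FBcE4xQQ=="},
    },
    "credHelpers": {
        "gcr.io": "gcloud",
        "myinstance-e2e-test-user.org-1.zone1.google.gdch.test": "mhs",
    },
}


def _decode_auth(auth_b64: str) -> tuple:
    """Split a base64 'user:password' auth value into (user, password)."""
    raw = base64.b64decode(auth_b64).decode("utf-8", errors="replace")
    user, _, password = raw.partition(":")
    return user, password


def decode_auth_username(auth_b64: str) -> str:
    """Return only the username from a static auth entry (never the password)."""
    return _decode_auth(auth_b64)[0]


def uses_mhs_helper(config: dict, registry: str) -> bool:
    """The page's check: is `registry` routed to docker-credential-mhs?"""
    return config.get("credHelpers", {}).get(registry) == "mhs"


def audit_config(config: dict) -> dict:
    """Classify every registry in a config.json.

    helper:      {registry: helper name} for credHelpers entries
    static:      {registry: username} for base64 auths entries
    weak_static: registries whose static password equals the username
                 (default-style credentials such as admin:admin)
    """
    helper = dict(config.get("credHelpers", {}))
    static, weak_static = {}, []
    for registry, entry in config.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue  # empty entry, as Docker writes when a credential store handles the host
        user, password = _decode_auth(auth)
        static[registry] = user
        if user and user == password:
            weak_static.append(registry)
    return {"helper": helper, "static": static, "weak_static": weak_static}


def load_config(path: str = "~/.docker/config.json") -> dict:
    """Read a real config.json (assumed default path, expanded for the current user)."""
    return json.loads(Path(path).expanduser().read_text())


if __name__ == "__main__":
    # Runs on the constructed sample so it works offline; swap in load_config()
    # to audit the real file.
    report = audit_config(SAMPLE_CONFIG)
    target = "myinstance-e2e-test-user.org-1.zone1.google.gdch.test"
    print("mhs configured for", target, "->", uses_mhs_helper(SAMPLE_CONFIG, target))
    for registry, helper in report["helper"].items():
        print(f"helper  {registry}: {helper}")
    for registry, user in report["static"].items():
        flag = "  (password equals username)" if registry in report["weak_static"] else ""
        print(f"static  {registry}: user={user}{flag}")
```

Run it against the real file with audit_config(load_config()); a registry listed under static rather than helper still has a reusable secret sitting in config.json, which is exactly what routing the host through mhs avoids.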
Sign in to Helm with your GDC identity
Use the MHS credential helper with your GDC identity to sign in to the Helm CLI. To authenticate with Helm, follow these steps:
- After authenticating with GDC, retrieve your user credentials from the credential helper:

    echo $REGISTRY | docker-credential-mhs get

  The output is similar to the following:

    {"Username":"tokenreview$fop-infrastructure-operator@example.com","Secret":"STS-Bearer-3q2o6mBKk44Gzi4105vyiSnXMuixtnm-RnyxSgJtnYkNbGV7drpwgIuftinAXVlo0Im9kgoGmc2WcZTSjE-vh2a71Su7YjB6qIAjAQ5ABkY03AHNfkHhRZzxthumDIVAd08wm2weit3_NpMPgOnf9qMblds_Q0PAWk2OhpodBpCfyl3LWZpIZBaNVgtg-TB_7fjpEDOm-_Q5VYABScOgZFP_bw"}

- Sign in to the Helm CLI with these credentials. When prompted, enter the username and secret returned by the credential helper:

    helm registry login $REGISTRY
    Username: tokenreview$fop-infrastructure-operator@example.com
    Password: STS-Bearer-3q2o6mBKk44Gzi4105vyiSnXMuixtnm-RnyxSgJtnYkNbGV7drpwgIuftinAXVlo0Im9kgoGmc2WcZTSjE-vh2a71Su7YjB6qIAjAQ5ABkY03AHNfkHhRZzxthumDIVAd08wm2weit3_NpMPgOnf9qMblds_Q0PAWk2OhpodBpCfyl3LWZpIZBaNVgtg-TB_7fjpEDOm-_Q5VYABScOgZFP_bw

  A successful output for this operation looks like the following:

    Login Succeeded
Sign in to Docker or Helm with CLI secrets
To sign in to Docker or Helm with CLI secrets, follow these steps:
- Sign in to Harbor with an IAP user account.
- Click your username and select User Profile.
- To copy the CLI secret associated with your account, click Copy.
  Optional: To display buttons for automatically generating or manually creating a new CLI secret, click the ellipses in your user profile. If you generated a new CLI secret, click Copy to copy it.
- You can now use your CLI secret as the password when signing in to Harbor from the Docker or Helm CLI:

    docker login -u USERNAME -p CLI_SECRET HARBOR_INSTANCE_URL

  Replace the following:
  - USERNAME: the Harbor account username.
  - CLI_SECRET: the generated CLI secret.
  - HARBOR_INSTANCE_URL: the URL of the Harbor instance.
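Both logins on this page end with a secret typed on a command line or at a prompt: the Helm login with the Username and Secret that docker-credential-mhs get returns, and the CLI-secret login shown as docker login -u USERNAME -p CLI_SECRET. The script below is an added example, not code from the GDC documentation, Docker, Helm or the MHS helper: it parses the helper's JSON and runs the login with --password-stdin, a flag of both docker login and helm registry login, so the secret is written to the process's stdin and does not land in shell history or in ps output. The sample helper output is constructed with a placeholder token, and the registry name is taken from the page's own example.

```python
"""Pass registry secrets to `docker login` / `helm registry login` over stdin.

Added example; not code from the GDC documentation, Docker, Helm or the MHS
helper. Builds the login command without the secret in argv and feeds the
secret through stdin instead.
"""
import json
import shutil
import subprocess

# Constructed sample in the shape of the `docker-credential-mhs get` output
# shown on the page; the token is a placeholder, not a real STS bearer token.
SAMPLE_HELPER_OUTPUT = (
    '{"Username":"tokenreview$fop-infrastructure-operator@example.com",'
    '"Secret":"STS-Bearer-PLACEHOLDER"}'
)


def parse_helper_output(text: str) -> tuple:
    """Extract (username, secret) from the helper's JSON, rejecting empty values."""
    data = json.loads(text)
    username, secret = data.get("Username", ""), data.get("Secret", "")
    if not username or not secret:
        raise ValueError("credential helper returned an empty Username or Secret")
    return username, secret


def fetch_helper_credentials(registry: str) -> tuple:
    """Run `docker-credential-mhs get` with the registry on stdin, as the page does."""
    proc = subprocess.run(
        ["docker-credential-mhs", "get"],
        input=registry + "\n", capture_output=True, text=True, check=True,
    )
    return parse_helper_output(proc.stdout)


def login_argv(tool: str, registry: str, username: str) -> list:
    """Build the login command; the secret is deliberately absent from argv."""
    if tool == "docker":
        return ["docker", "login", "--username", username, "--password-stdin", registry]
    if tool == "helm":
        return ["helm", "registry", "login", "--username", username,
                "--password-stdin", registry]
    raise ValueError(f"unsupported tool: {tool}")


def login(tool: str, registry: str, username: str, secret: str,
          dry_run: bool = False) -> list:
    """Run the login with the secret on stdin and return the argv used.

    With dry_run=True, or when the tool is not installed, nothing is executed
    and only the argv is returned, so the function can be exercised offline.
    """
    argv = login_argv(tool, registry, username)
    if dry_run or shutil.which(tool) is None:
        return argv
    subprocess.run(argv, input=secret + "\n", text=True, check=True)
    return argv


if __name__ == "__main__":
    registry = "myinstance-e2e-test-user.org-1.zone1.google.gdch.test"  # from the page's example
    user, secret = parse_helper_output(SAMPLE_HELPER_OUTPUT)
    for tool in ("docker", "helm"):
        print(" ".join(login(tool, registry, user, secret, dry_run=True)))
    # Real use, after signing in to GDC:
    #   user, secret = fetch_helper_credentials(registry)
    #   login("helm", registry, user, secret)
```

The same applies to the CLI-secret method: login("docker", HARBOR_INSTANCE_URL, USERNAME, CLI_SECRET) is the stdin equivalent of the docker login -u USERNAME -p CLI_SECRET command above. A CLI secret is a long-lived credential tied to your Harbor account, so keeping it out of command lines and shell history matters more than for the short-lived STS bearer token the helper returns.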