tencent cloud

Overview

When you migrate a container cluster in the customer IDC to TCR, you can also migrate the external container image hosting service to TCR for hosting. After the external image repositories are migrated to TCR, it can not only reduce the O&M costs of building and maintaining the image repository, but also provide professional and stable cloud hosting services and technical supports. In addition, you can use the container service in Tencent Cloud, enjoying a consistent cloud container experience, and use the container clusters to pull images via the private network, reducing the cost of using public network bandwidth.

Harbor is an open source enterprise-class Docker Registry project of VMware. Based on the open source Docker distribution capability, Harbor extends capabilities such as RBAC, secure image scanning, and image synchronization. At present, it has become the preference of creating container image hosting and distribution services. This document describes how to synchronize a container image or Helm Chart in Harbor that is built on the IDC or the cloud server to the TCR Enterprise Edition.

Prerequisites

To synchronize data in the external Harbor to a TCR Enterprise Edition instance, you need to confirm and complete the following preparations first:

• You have built the Harbor service with V1.8.0 and later versions.
• The external Harbor can access TCR through a private line, public network, or VPC.
• You have purchased instances in the region of the cloud container cluster or in an adjacent region.
• If you are using a sub-account, you must have granted the sub-account the permission to push TCR and Helm Chart to corresponding instance. For more information, see Example of Authorization Solution of the Enterprise Edition. We recommend that you grant the full TCR access permissions to the sub-account used for synchronization configuration.

Directions

Configuring access to the TCR Enterprise Edition instance for Harbor

Based on the actual network of Harbor, you can select access via Tencent Cloud VPC or access via public network to configure access to the TCR Enterprise Edition instance.

Creating an access credential for the TCR Enterprise Edition instance

You can create and manage multiple access credentials in TCR Enterprise Edition. We recommend that you create an independent access credential for data synchronization and delete it in time after the data synchronization to avoid the leakage of the instance’s access permission.

1. Log in to the TCR console and select Instance on the left sidebar.
2. On the “Instance List” page, select an instance for data synchronization to go to its details page.
3. Select the Access Credential tab and click Create at the top of the instance list.
4. In the pop-up Create Access Credential window, perform the following steps:
   1. In the “Create Access Credential” section, enter the usage description of the credential and click Next. For example, “Dedicated for data synchronization of external Harbor”.
   2. In the “Save Access Credential” section, click Save Access Credential to download the credential. Please save the access credential properly. You will not be able to get it again.
      After the access credential is created, you can view it in the Access Credential tab. Please disable and delete the access credential in time after the data synchronization.

Configuring the synchronization repository and rule of Harbor

You can add a third party Registry and configure the data replication rules in Harbor. This document takes Harbor V2.1.2 as an example.

1. Log in to Harbor console with an admin account. You can view and perform Administration.
2. Select Administration > Registries on the left sidebar to go to the Registries page.
3. On the Registries page, click NEW ENDPOINT. Refer to the following information to add a TCR Enterprise Edition instance.
   • Provider: select “tencent-tcr”.
   • Name: custom the endpoint name for the synchronization such as tencent-tcr.
   • Description: the description of the synchronization endpoint.
   • Endpoint URL: the access domain name of the TCR Enterprise Edition instance, for example https://harbor-sync.tencentcloudcr.com.
   • Access ID: enter the SecretId obtained from Access Keys > Manage API Key.
   • Access Secret: enter the SecretKey obtained from Access Key > Manage API Key.
   • Verify Remote Cert: keep the default setting.
4. Click TEST CONNECTION.
   • If “Connection tested successfully” is displayed, the current Harbor can access the TCR Enterprise Edition instance normally.
   • If “Failed to ping endpoint” is displayed, make sure that you have configured access to the TCR Enterprise Edition instance for the external Harbor.
5. Click OK to create the registry endpoint.

Note：

If the Harbor is an earlier version, there is no "tencent-tcr" option for the Provider. Please select "Docker Registry" for Provider when creating a registry endpoint. For Access ID and Access Password, respectively enter the Login Username and Login password of the long-term access credential of the image repository obtained in Instance > Access Credential page. In this case, the namespace cannot be automatically created in the TCR.

6. Select Administration > Replications on the left sidebar and click NEW REPLICATION RULE. Refer to the following information to create the rule.
   • Name: the rule name. You can enter a name based on the actual usage scenario.
   • Description: the rule description.
   • Replication mode: defaults to Push-based. Only when “tencent-tcr” is selected for Provider and the version of Harbor is V2.1.2 or later, you can select Pull-based. Push-based means to synchronize the new image in the Harbor to the TCR, while Pull-based means to synchronize the new image in the TCR to the Harbor.
   • Source resource filter: you can filter resources to synchronize. If you do not set a filter, all container images and Helm Chart resources in the Harbor are selected by default.
   • Destination registry: select the repository endpoint created in Step 3.
   • Destination namespace: specify the destination namespace. If it is left empty, the resources will be put under the same namespace as the source. The default setting is recommended.
   • Trigger Mode: defaults to Manual. If you need automatic synchronization for the newly pushed container image or Helm Chart, please select “Event Based”. We recommend that you do not select “Delete remote resources when locally deleted”.
   • Override: defaults to override the resources at the destination if a resource with the same name exists.

Triggering synchronization and viewing the synchronization log

If you select Event Based for the Trigger Mode, when container images and Helm Chart are pushed to the Harbor, they will be automatically synchronized to the TCR Enterprise Edition instance. You can select the replication rule to view the synchronization log, and access the TCR Enterprise Edition instance console to check whether synchronization is successful. This document takes the example of manually pushing the container image nginx:latest to the Harbor and triggering the synchronization.

1. Push the container image and view it in Harbor.
   Use the docker client to push the local container image nginx:latest to Harbor, and then log in to the Harbor console to view the pushed image.
2. View the synchronization record and progress.
   Select Administration > Replications on the left sidebar and select the replication rule created in Step 6 to view the replication task of the rule.
3. View the synchronized image in TCR console.
   Log in to the TCR console and select Image Repository on the left sidebar. In the Image Repository page, select the instance used for synchronizing with the Harbor to view the successfully synchronized container image.