Enabling Content Trust in Harbor Registry that comes with Tanzu Bundle

Dinesh Tripathi- blogging at mappslearning.com

4 min readSep 8, 2021

In this post, i will discuss the process to enable content trust in a harbor registry that comes in VMware Tanzu Kubernetes Grid extension bundle.

Background

If you are new to Content Trust, here is a good one to take a look at

Content trust in Docker

When transferring data among networked systems, trust is a central concern. In particular, when communicating over an…

docs.docker.com

Docker Content Trust is based on Notary and you can learn about Notary here

GitHub - notaryproject/notary: Notary is a project that allows anyone to have trust over arbitrary…

The Notary project has officially been accepted in to the Cloud Native Computing Foundation (CNCF). It has moved to…

github.com

Generally, we need to deploy notary separately and then use that as trust server. But the good part with Harbor is, it comes with notary and hence it eases our life for image signature.

Now, Lets talk about the process to enable image signature in Harbor.

Enable Content Trust in Harbor Registry

When you install Harbor registry from a TKG extensions bundle, you will get notary installed on tanzy-system-registry namespace.
Check by running below command

$ k get po -n tanzu-system-registry
NAME                                    READY   STATUS    RESTARTS   AGE
harbor-clair-d7c77df59-nlkgn            2/2     Running   0       14d
harbor-core-66fd74d8f6-7gx8c            1/1     Running   0       61d
harbor-database-0                       1/1     Running   0          61d
harbor-jobservice-7785c685bf-v4hrq      1/1     Running   2          14d
harbor-notary-server-54c487657d-csgn7   1/1     Running   0          14d
harbor-notary-signer-595568d5cb-7fww8   1/1     Running   0          61d
harbor-portal-7b54446754-jwdlw          1/1     Running   0          61d
harbor-redis-0                          1/1     Running   0          14d
harbor-registry-6477f4dd78-252tw        2/2     Running   8          61d
harbor-trivy-0                          1/1     Running   0          61d

3. You will also see that the httpproxy is created for notary.

$ k get proxy -n tanzu-system-registry
NAME                      FQDN                       TLS SECRET   STATUS   STATUS DESCRIPTION
harbor-httpproxy          harbor.demo.local          harbor-tls   valid    Valid HTTPProxy
harbor-httpproxy-notary   notary.harbor.demo.local   harbor-tls   valid    Valid HTTPProxy

4. Now, Access the Harbor UI and let’s create a project where we want to enable content trust.

5. Provide the project name and lets make it public for testing purpose.

6. Once you click on OK, it will display a success message

7. Click on the project and Click on Configuration tab

8. Select Enable content trust and click on SAVE.

9. So, we have now enabled the content trust for a project and now whatever image repository we create inside this project, can get signature done.

10. Go back to your terminal from where you will run docker commands to push images.

Note: If you have deployed Harbor with self signed certificate, then you need to copy the CA cert into /etc/docker/certs.d/<FQDN name from step 3>

11. Export the below variables

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notary.harbor.demo.local

12. Now, lets tag a busybox image and try to push it.

# Tag image
$ docker tag busybox:latest harbor.demo.local/demo-project/busybox:latest# Push image$ docker push harbor.demo.local/demo-project/busybox:latest
The push refers to repository [harbor.demo.local/demo-project/busybox]
5b8c72934dfc: Pushed
latest: digest: sha256:dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b size: 527
Signing and pushing trust metadata
Enter passphrase for root key with ID e8a7dfc:
Enter passphrase for new repository key with ID 77b3350:
Repeat passphrase for new repository key with ID 77b3350:
Finished initializing "harbor.demo.local/demo-project/busybox"
Successfully signed harbor.demo.local/demo-project/busybox:latest

Notice the bold text above.

If you push the image for the first time, You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set. The root key is generated at: /root/.docker/trust/private/*.key.
You should back up the root key somewhere safe.

13. Also, lets validate the Harbor UI

Now, your image is signed.

Few more good things to learn

1 . Inspect the trusted image and see the output. You can see the keys.

$ docker trust inspect --pretty harbor.demo.local/demo-project/busybox:latestSignatures for harbor.demo.local/demo-project/busybox:latestSIGNED TAG   DIGEST                                                             SIGNERS
latest       dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b   (Repo Admin)Administrative keys for harbor.demo.local/demo-project/busybox:latestRepository Key:       77b3350453bd9af27eff59fa0c8aee728b220a4221d526a05c03c05493a763ea
  Root Key:     ab7860bccc08c74218dfdfcb323ab993135e5b898f1d0cf49fa598fb6149c455

2. You can also revoke the sign.

$ docker trust revoke  harbor.demo.local/demo-project/busybox:latest
Enter passphrase for repository key with ID 77b3350:
Successfully deleted signature for harbor.demo.local/demo-project/busybox:latest

You can validate in Harbor UI.