Virtual Elephant

TKG Learning Series

Harbor Repository for Tanzu BYOH

Creating a Harbor Repository for Internet-Restricted Tanzu BYOH Environments

VMware provides documentation for preparing a Harbor repository that can be leveraged to install both Tanzu Kubernetes Grid management and workload clusters. The official documentation is available here.

In my efforts to leverage the Tanzu BYOH bits within an internet-restricted environment, I found several caveats to the above documentation. These steps should be followed if you are building clusters within similar conditions.

As of October 2022, the TKG v1.6 documentation has an issue with several of the packages downloaded by the script that the official documentation has you run in Step 3. During Step 2, you generate a list of all of the upstream packages that need to be downloaded and placed in your local Harbor repository. Two packages have the wrong syntax and need to be modified in the images-copy-list file you created. The following commands update each occurrence where the capabilities and tkg-storageclass packages are referenced in the file, changing copy -i to copy -b.


bootstrap$ sed -i 's/copy -i\/tkg\/packages\/capabilities:v0.25.0-23-g6288c751_vmware.1/copy -b\/tkg\/packages\/capabilities:v0.25.0-23-g6288c751_vmware.1/g' images-copy-list
bootstrap$ sed -i 's/copy -i\/tkg\/packages\/tkg-storageclass:v0.25.0-23-g6288c751_vmware.1/copy -b\/tkg\/packages\/tkg-storageclass:v0.25.0-23-g6288c751_vmware.1/g' images-copy-list
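
The two sed commands above match one exact version string. As an added example (not from the original post or VMware's documentation), this script makes the same -i to -b change for any tag and then counts the entries for those packages that still use -i. The entry format, registry.example and capabilities-extra are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed entry format:
#   imgpkg copy -i <registry>/tkg/packages/<name>:<tag> ...

# fix_bundle_flags FILE PKG...: change "copy -i" to "copy -b" for the named
# packages, whatever their tag. The generated list is kept as FILE.bak.
fix_bundle_flags() {
  fbf_file=$1; shift
  cp "$fbf_file" "$fbf_file.bak"
  for fbf_pkg in "$@"; do
    fbf_tmp=$(mktemp)
    # Anchor on "/<name>:" so "capabilities" cannot match a longer name.
    sed "s#copy -i\([[:space:]]*[^[:space:]]*/tkg/packages/${fbf_pkg}:\)#copy -b\1#g" \
      "$fbf_file" > "$fbf_tmp"
    cat "$fbf_tmp" > "$fbf_file"
    rm -f "$fbf_tmp"
  done
}

# remaining_image_refs FILE PKG...: print how many entries for the named
# packages still use -i (0 means none were missed).
remaining_image_refs() {
  rir_file=$1; shift
  rir_total=0
  for rir_pkg in "$@"; do
    rir_n=$(grep -c "copy -i[[:space:]]*[^[:space:]]*/tkg/packages/${rir_pkg}:" \
      "$rir_file" || true)
    rir_total=$((rir_total + rir_n))
  done
  echo "$rir_total"
}

# write_sample_list FILE: constructed sample entries (registry.example and
# capabilities-extra are made up; the tag is the one quoted in the post).
write_sample_list() {
  cat > "$1" <<'EOF'
imgpkg copy -i registry.example/tkg/packages/capabilities:v0.25.0-23-g6288c751_vmware.1 --to-tar capabilities.tar
imgpkg copy -i registry.example/tkg/packages/tkg-storageclass:v0.25.0-23-g6288c751_vmware.1 --to-tar tkg-storageclass.tar
imgpkg copy -i registry.example/tkg/packages/capabilities-extra:v1.0.0 --to-tar capabilities-extra.tar
EOF
}

demo_list=$(mktemp)
write_sample_list "$demo_list"
fix_bundle_flags "$demo_list" capabilities tkg-storageclass
echo "entries still using -i: $(remaining_image_refs "$demo_list" capabilities tkg-storageclass)"
diff "$demo_list.bak" "$demo_list" || true   # review exactly what changed
rm -f "$demo_list" "$demo_list.bak"
```

Diffing the list against its .bak copy before running the download step shows exactly which entries were rewritten.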

Additional Packages Required for Kubernetes

In addition to the packages the official documentation has you download and copy into the local Harbor repository, the following additional packages should be included as well.
  • kube-rbac-proxy
  • byoh-bundle-ubuntu_20.04.1_x86-64_k8s
  • cluster-api-byoh-controller
bootstrap$ imgpkg copy -i --to-repo --registry-ca-cert-path /usr/local/share/ca-certificates/
bootstrap$ imgpkg copy -i --to-repo --registry-ca-cert-path /usr/local/share/ca-certificates/
bootstrap$ imgpkg copy -i --to-repo --registry-ca-cert-path /usr/local/share/ca-certificates/
The Antrea CNI container image also needs to be uploaded to the Harbor repository. It first has to be pulled locally and retagged so that it can be pushed to the local Harbor repository.
bootstrap$ docker pull antrea/antrea-ubuntu:latest
bootstrap$ docker tag antrea/antrea-ubuntu:latest
bootstrap$ docker push -a