You can store, secure, and distribute your container images in Google Distributed Cloud air-gapped appliance by organizing them into Harbor projects inside the preconfigured tear-harbor instance. In Harbor, a project serves as a logical unit to group related artifacts, manage your images, and apply specific policies, access controls, and replication rules.
Because this single system registry is already deployed and managed for you in the tear project, you don't install, upgrade, or maintain your own registry infrastructure. This pre-managed registry eliminates cluster-level deployment tasks so that you can focus directly on managing application namespaces, defining access controls, and scanning your workloads for vulnerabilities.
Before you begin
Before you begin, make sure you meet the following requirements:
- Recommended knowledge: Make sure you are familiar with the concepts and architecture covered in Managed Harbor Service overview. Understanding that Harbor is a shared resource hosted in the tear project is essential, as all project management tasks must target this specific system project.
- Initialize your Harbor identity: You must sign in to the Harbor UI at least once before you attempt to create projects in the console. The initial login initializes your identity with the Harbor registry. For more information, see Get the Harbor instance URL and Initialize your Harbor identity.
Required IAM role
To create Harbor projects and manage image namespaces on the Google Distributed Cloud (GDC) air-gapped appliance, you must have the correct permissions within the tear project to access the tear-harbor instance:
- Harbor Project Creator (harbor-project-creator): Create, get, and watch permissions for the Harbor project custom resource within the tear-harbor instance. This role lets you define new image namespaces and establish security boundaries for your containerized applications.
To request access, contact your Project IAM Admin.
Get the Harbor instance URL
To sign in to the Harbor UI or use the CLI to manage images, you need the external endpoint (URL) of the registry instance:
Using the gdcloud CLI, get the Harbor instance URL:
gdcloud harbor instances describe tear-harbor --project tear
Use the Harbor instance URL both to access the Harbor UI through your browser and to establish client trust authentication. The following is an example output, which typically contains the externalEndpoint field:
externalEndpoint: https://harbor.tear.example.com
If you don't have CLI access, contact your Infrastructure Operator for support.
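Because the same URL is used for browser sign-in and for client trust, it is worth checking the value before handing it to any client. The following is an added example, not part of the product documentation: it reads the describe output, extracts externalEndpoint, and accepts only an https:// URL with a plain host. The function names and the sample output are constructed, and the sketch assumes the field appears as a single `externalEndpoint:` line as in the example output above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample is constructed.

# Read `gdcloud harbor instances describe` output on stdin and print the
# externalEndpoint value. Fails if the field is missing, empty, or repeated.
harbor_endpoint() {
    awk '
        /^[ \t]*externalEndpoint:/ {
            sub(/^[ \t]*externalEndpoint:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            gsub(/"/, "")
            value = $0
            count++
        }
        END {
            if (count != 1 || value == "") exit 1
            print value
        }
    '
}

# Print the registry host[:port] for an endpoint. Rejects plain HTTP,
# embedded userinfo (user@host), and hosts with unexpected characters.
harbor_registry_host() {
    case $1 in
        https://*) rest=${1#https://} ;;
        *) echo "refusing non-HTTPS endpoint: $1" >&2; return 1 ;;
    esac
    host=${rest%%/*}
    case $host in
        ''|*@*|*[!A-Za-z0-9.:-]*)
            echo "unexpected host in endpoint: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Constructed sample output; only externalEndpoint comes from this page,
# the other field is made up for illustration.
SAMPLE_DESCRIBE='name: tear-harbor
externalEndpoint: https://harbor.tear.example.com'

# Against the real CLI, replace the printf with the command from this page:
#   gdcloud harbor instances describe tear-harbor --project tear
endpoint=$(printf '%s\n' "$SAMPLE_DESCRIBE" | harbor_endpoint) &&
    harbor_registry_host "$endpoint"
```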
Initialize your Harbor identity
Sign in to the Harbor UI at least once to synchronize your identity. This initial login registers your user profile in the Harbor database so the system recognizes your permissions:
- In a browser, navigate to the registry URL.
- Sign in using your GDC credentials.
Create a Harbor project
Create a Harbor project using the GDC console or the gdcloud CLI.
Console
In the GDC console, follow these steps:
- Click the Harbor Container Registry link in the CI/CD section in the navigation menu.
- Click Create a Harbor project.
- Enter the name of the project.
- Optional: Vulnerability scanning is enabled by default. To disable automatic vulnerability scanning for Harbor projects, click the Enable vulnerability scanning for the project toggle. For more information, see Scan for vulnerabilities.
- Click Create.
- A confirmation message appears stating your project is created successfully.
- After your Harbor project is created, sign in to the Harbor UI to confirm that you can view the Harbor project.
CLI
Create the Harbor project:
gdcloud harbor harbor-projects create HARBOR_PROJECT \
--project=PROJECT \
--instance=tear-harbor
Replace the following:
- HARBOR_PROJECT: the name of the Harbor project to create.
- PROJECT: the name of the GDC project.