Harbor instances use Transport Layer Security (TLS) certificates issued by your organization's trusted root Certificate Authority (CA). This encrypts the connection between your Docker client and Harbor registry to secure images from unauthorized access.
Before you begin
You must perform these steps before managing your container images:
- Install Docker if it is not already installed by following the instructions at https://docs.docker.com/engine/install/ubuntu/. Docker is included in Cloud Shell.
- Docker requires privileged access to interact with registries. On Linux or Windows, add the user that you use to run Docker commands to the Docker security group. This step is not required on macOS since Docker Desktop runs on a virtual machine as the root user.
  - For Linux, add the user:
      sudo usermod -a -G docker USER
  - For Windows:
      net localgroup docker-users DOMAIN\USER /add
  Replace USER with the username you want to add.
 
Configure Docker to trust Harbor Root CA
You must configure your local Docker client to trust your organization's root CA when using the Docker client to communicate with the Harbor instance.
To configure the Docker client to trust the root CA, request the .crt file of
the root CA from your organization administrator, and copy the organization root
CA to:
/etc/docker/certs.d/HARBOR_INSTANCE_URL/ca.crt
Replace HARBOR_INSTANCE_URL with the URL of your Harbor instance. For
example, harbor-1.org-1.zone1.google.gdc.test.
This step allows your Docker client to establish an HTTPS connection with the Harbor instance.
Alternatively, use the gdcloud CLI to sign in to the organization, generate and use the kubeconfig file for the management API server, and copy the trust bundle in the cluster. For more information, see Fetch GDC trust bundles.
  export REGISTRY=HARBOR_INSTANCE_URL
  mkdir -p "/etc/docker/certs.d/${REGISTRY}" && \
    echo "$(kubectl get secret trust-store-global-root-ext -n platform -o jsonpath='{.data.ca\.crt}')" | \
    openssl base64 -A -d > "/etc/docker/certs.d/${REGISTRY}/ca.crt"
Replace HARBOR_INSTANCE_URL with the URL of your Harbor instance. For
example, harbor-1.org-1.zone1.google.gdc.test.
If the configuration is unsuccessful, you see the following error message:
Error response from daemon: Get "https://<HARBOR_INSTANCE_URL>": x509: certificate signed by unknown authority
Repeat the steps to solve this issue, and escalate to GDC engineering if necessary.
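When this x509 error appears, it helps to check the installed CA file before repeating the steps. The following is an added example, not part of the original documentation: `check_harbor_ca` and `verify_harbor_tls` are hypothetical helper names, and port 443 for the registry is an assumption.

```shell
# Added example (not from the original documentation).
# check_harbor_ca and verify_harbor_tls are hypothetical helper names.

# Offline check of the file Docker reads, for example:
#   check_harbor_ca /etc/docker/certs.d/HARBOR_INSTANCE_URL/ca.crt
check_harbor_ca() {
  ca_file=$1

  # The shell redirect in the kubectl pipeline creates ca.crt even when the
  # secret lookup fails, so an empty file is the first thing to rule out.
  if [ ! -s "$ca_file" ]; then
    echo "FAIL: $ca_file is missing or empty" >&2
    return 1
  fi

  # Docker treats only *.crt files in certs.d as CA certificates.
  case "$ca_file" in
    *.crt) ;;
    *) echo "FAIL: $ca_file does not end in .crt" >&2; return 2 ;;
  esac

  # Must parse as a PEM X.509 certificate; this catches data that is still
  # base64-encoded or was truncated on the way.
  if ! openssl x509 -in "$ca_file" -noout >/dev/null 2>&1; then
    echo "FAIL: $ca_file is not a PEM certificate" >&2
    return 3
  fi

  # An expired root cannot validate the Harbor certificate either.
  if ! openssl x509 -in "$ca_file" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate in $ca_file has expired" >&2
    return 4
  fi

  # Subject and SHA-256 fingerprint, to compare with the value your
  # organization administrator has for the root CA.
  openssl x509 -in "$ca_file" -noout -subject -enddate -fingerprint -sha256
}

# Live check (needs network access to Harbor): verify the registry's chain
# using only this CA file. Port 443 is an assumption.
#   verify_harbor_tls HARBOR_INSTANCE_URL /etc/docker/certs.d/HARBOR_INSTANCE_URL/ca.crt
verify_harbor_tls() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}
```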