Configure Docker to trust Harbor root CA

Harbor instances use Transport Layer Security (TLS) certificates issued by your organization's trusted root Certificate Authority (CA). This encrypts the connection between your Docker client and Harbor registry to secure images from unauthorized access. For more information, see Bootstrap web certificates for organizations.

Before you begin

You must perform these steps before managing your container images:

  1. Install Docker if it is not already installed by following the instructions at https://docs.docker.com/engine/install/ubuntu/. Docker is included in Cloud Shell.
  2. Docker requires privileged access to interact with registries. On Linux or Windows, add the user that you use to run Docker commands to the Docker security group. This step is not required on macOS since Docker Desktop runs on a virtual machine as the root user.

    1. For Linux, add the user:

        sudo usermod -a -G docker USER
      
    2. For Windows:

        net localgroup docker-users DOMAIN\USER /add
      

      Replace USER with the username you want to add, and on Windows replace DOMAIN with that user's domain.

Configure Docker to trust Harbor Root CA

You must configure your local Docker client to trust your organization's root CA when using the Docker client to communicate with the Harbor instance.

To configure the Docker client to trust the root CA, request the .crt file of the root CA from your organization administrator, and copy the organization root CA to:

/etc/docker/certs.d/HARBOR_INSTANCE_URL/ca.crt

Replace HARBOR_INSTANCE_URL with the URL of your Harbor instance. For example, harbor-1.org-1.zone1.google.gdc.test.

Placing the root CA at this path allows your Docker client to establish an HTTPS connection with the Harbor instance.

Alternatively, use the gdcloud CLI to sign in to any user cluster in the organization, and copy the web CA stored in the org-web-ca secret of the istio-system namespace:

  export REGISTRY=HARBOR_INSTANCE_URL
  mkdir -p /etc/docker/certs.d/${REGISTRY} && \
    kubectl get secret org-web-ca -n istio-system -o jsonpath='{.data.ca\.crt}' \
    | openssl base64 -A -d > /etc/docker/certs.d/${REGISTRY}/ca.crt

Replace HARBOR_INSTANCE_URL with the URL of your Harbor instance. For example, harbor-1.org-1.zone1.google.gdc.test.

If the configuration is unsuccessful, Docker commands against the registry fail with the following error message:

Error response from daemon: Get "https://<HARBOR_INSTANCE_URL>": x509: certificate signed by unknown authority

Repeat the steps to solve this issue, and escalate to GDC engineering if necessary.
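The following POSIX shell functions are an added example and are not part of this page or of the GDC tooling. They carry out the copy step from the two procedures above in a checked form: the CA file is refused unless it is a PEM-encoded certificate marked CA:TRUE (a DER file, a private key, or the server's leaf certificate all produce the x509 "unknown authority" error above without any obvious clue), the registry name is checked to be a host name rather than a URL, because Docker resolves the certs.d directory by the host it dials, and a separate openssl check tells you whether the installed file validates the registry's chain at all. Function names, the CERTS_D_ROOT override, and the registry names in the usage comment are assumptions of the example; the real directory /etc/docker/certs.d is root-owned, so the functions must run as root to write there.

```shell
#!/bin/sh
# Added example, not from the GDC documentation: install an organization root CA
# into Docker's per-registry trust directory and sanity-check it.
# Assumes: openssl on PATH. CERTS_D_ROOT may be overridden for a dry run; the
# default is the real /etc/docker/certs.d, which requires root to write.

CERTS_D_ROOT="${CERTS_D_ROOT:-/etc/docker/certs.d}"

# check_ca_pem FILE
# Returns 0 only if FILE is a PEM-encoded X.509 certificate marked as a CA.
# Rejects DER files (Docker cannot load those from ca.crt), private keys, CSRs
# and the registry's own leaf certificate, all of which look like "a cert file".
check_ca_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 1
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_summary FILE: subject, issuer and expiry, to confirm with the administrator
# that this is the organization root and not some other CA.
ca_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate 2>/dev/null
}

# install_registry_ca REGISTRY CA_FILE
# Copies CA_FILE to $CERTS_D_ROOT/REGISTRY/ca.crt. REGISTRY must be the host
# name Docker connects to (with :PORT appended when the registry does not
# listen on 443); a URL with a scheme or path creates a directory Docker never reads.
install_registry_ca() {
  registry="$1"; ca_file="$2"
  case "$registry" in
    *://*|*/*) echo "registry must be host[:port], not a URL: $registry" >&2; return 1 ;;
  esac
  check_ca_pem "$ca_file" || { echo "$ca_file is not a PEM CA certificate" >&2; return 1; }
  dir="$CERTS_D_ROOT/$registry"
  mkdir -p "$dir" && cp "$ca_file" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt" || return 1
  printf '%s\n' "$dir/ca.crt"
}

# install_registry_ca_b64 REGISTRY B64
# Same, but from a single-line base64 string such as the .data.ca\.crt field of
# a Kubernetes secret as printed by `kubectl -o jsonpath`.
install_registry_ca_b64() {
  registry="$1"; b64="$2"
  tmp="$(mktemp)" || return 1
  printf '%s' "$b64" | openssl base64 -A -d > "$tmp" 2>/dev/null
  if install_registry_ca "$registry" "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# verify_registry_tls REGISTRY [PORT]
# Validates the registry's TLS chain against the installed ca.crt with openssl
# alone, so a Docker "certificate signed by unknown authority" can be attributed
# either to the CA file (this check fails too) or to Docker's directory lookup
# (this check passes). Needs network access to the registry.
verify_registry_tls() {
  registry="$1"; port="${2:-443}"
  openssl s_client -connect "$registry:$port" -servername "$registry" \
    -CAfile "$CERTS_D_ROOT/$registry/ca.crt" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage, as root, with a root CA file received from the organization administrator
# (registry name taken from the example on this page):
#   ca_summary /path/to/org-root-ca.crt
#   install_registry_ca harbor-1.org-1.zone1.google.gdc.test /path/to/org-root-ca.crt
#   verify_registry_tls harbor-1.org-1.zone1.google.gdc.test
```

If `verify_registry_tls` fails while `check_ca_pem` passes, the file is a genuine CA but not the one that issued the registry's certificate; if it passes while Docker still reports the x509 error, compare the directory name under certs.d with the host name in Docker's error message, including any port suffix.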