Get admin password of the Embedded Harbor Registry on the Supervisor Cluster

Harbor UI Admin
This post was published 3 years 4 months 2 days ago, so the post may be outdated.

After enabling Workload Management in vCenter as part of vSphere with Tanzu, you can easily enable the Embedded Harbor Registry on the Supervisor Cluster.

Bear in mind that this however requires NSX-T in your environment, as the Harbor pods are running directly on your ESXi hosts which act as your Kubernetes workers. There the pods run via vSphere Pods, using CRX runtime which has the NSX-T dependency.

The Embedded Harbor Registry is automated and you can use your normal SSO credentials to access the WebUI with restricted feature-set due to permissions. So usually you don’t require to login as admin and adjust settings there.

If you, for whatever reasons, want to use admin credentials to login into the Harbor instance as an full admin, this might be helpful for you. Also noteworthy that the password is automatically rotated and will change after certain amount of time.

Disclaimer: Notice, that this is most likely not supported and you could make things worse when manually applying changes in the Harbor registry. You continue on your own risk.

Get Harbor admin credentials

Getting those credentials is essentially really easy and only requires a few steps.

1. Access Supervisor Cluster

Follow the steps:

  1. Connect to your vCenter via SSH
  2. Run /usr/lib/vmware-wcp/decryptK8Pwd.py to get IP and credentials to access the Supervisor Cluster. (The IP shown is the virtual, shared IP of the Kubernetes cluster)
  3. SSH to the Kubernetes cluster with the details shown in previous step. You can simply use vCenter as your jumphost: ssh root@SVC_IP and then enter the password as shown.

2. Get credentials

When logged into the Supervisor Cluster, where the Management Kubernetes cluster runs in, you can proceed.

Let’s get the specific harbor ID, which might be different in each setup. For the lazy people under us, here’s a quick one-liner:

HARBOR_ID=$(kubectl get ns | grep -oE "vmware-system-registry-([0-9]*)" | awk -F'-' '{ print $4 }')

To get the username: (shown for completeness, it’s admin by default)

kubectl get secret -n vmware-system-registry-${HARBOR_ID} harbor-${HARBOR_ID}-controller-registry -o jsonpath='{.data.harborAdminUsername}' | base64 -d | base64 -d && echo
admin

To get the password:

kubectl get secret -n vmware-system-registry-${HARBOR_ID} harbor-${HARBOR_ID}-controller-registry -o jsonpath='{.data.harborAdminPassword}' | base64 -d | base64 -d && echo
h*5mvmC@pA5oL^CJ

Then you can use these credentials to login in the Harbor UI as admin.

Patrik Kernstock

May I introduce my self? I am Patrik Kernstock, 25 years old, perfectionist, born in Austria and living in Ireland, Cork. Me explained in short: Tech- and security enthusiast, series & movies junky. Interesting in Linux, Container-stuff and many software solutions by Microsoft, Veeam and VMware.

5 1 vote
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
newest
oldest most voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x