Harbor Image Replication with AWS ECR using Vault-injected Kubernetes Secrets #21064

Open
rmrj opened this issue Oct 18, 2024 · 1 comment

rmrj commented Oct 18, 2024

Hi,

I'm setting up image replication between AWS ECR and a Harbor registry (v2.9.1-5cbb1b01) deployed via Helm charts.

Instead of using the Harbor UI for proxy caching, I want to leverage Vault for secure management and injection of ECR credentials through Kubernetes secrets.

Here's the plan:

  1. Store ECR credentials securely in Vault.
  2. Dynamically fetch these credentials from Vault at runtime.
  3. Make the fetched credentials available as Kubernetes secrets.
  4. Configure Harbor to use these secrets for image replication with AWS ECR.

My question:

How can I configure Harbor to work with this setup?

I've reviewed the Harbor Helm chart code (https://github.com/kubeshop/helm-charts) but haven't found a way to define AWS ECR registry details.

Guidance Needed:

- Can Harbor be configured to consume credentials from Kubernetes secrets for image replication?
- Are there any alternative approaches to achieve this scenario using Helm charts?

Thanks,
Rama

@ianseyer

I would set up your external registry and replication jobs via Terraform: https://registry.terraform.io/providers/goharbor/harbor/latest/docs/resources/registry
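An added example, not code from either participant or from the Harbor project: a sketch of steps 3 and 4 of the plan, reading ECR credentials from a mounted Kubernetes Secret and preparing the call to Harbor's `POST /api/v2.0/registries` endpoint for an `aws-ecr` registry. The file names `access_key` and `secret_key`, the mount directory, the ECR URL and the Harbor host are assumptions chosen for illustration.

```python
import base64
import json
import urllib.request
from pathlib import Path

REQUIRED_KEYS = ("access_key", "secret_key")  # assumed key names in the mounted Secret


def load_mounted_secret(mount_dir):
    """Read one value per file, the layout a Kubernetes Secret volume produces."""
    values = {}
    for key in REQUIRED_KEYS:
        path = Path(mount_dir) / key
        if not path.is_file():
            raise FileNotFoundError(f"missing secret key file: {key}")
        value = path.read_text().strip()  # rendered files often end with a newline
        if not value:
            raise ValueError(f"secret key file is empty: {key}")
        values[key] = value
    return values


def build_registry_payload(name, ecr_url, creds):
    """Body for Harbor's POST /api/v2.0/registries with registry type aws-ecr."""
    return {
        "name": name,
        "type": "aws-ecr",
        "url": ecr_url,
        "insecure": False,  # keep TLS certificate verification on
        "credential": {
            "type": "basic",
            "access_key": creds["access_key"],
            "access_secret": creds["secret_key"],
        },
    }


def build_request(harbor_url, harbor_user, harbor_password, payload):
    """Prepare, but do not send, the authenticated request to Harbor."""
    token = base64.b64encode(f"{harbor_user}:{harbor_password}".encode()).decode()
    return urllib.request.Request(
        f"{harbor_url.rstrip('/')}/api/v2.0/registries",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST",
    )
```

Passing the prepared request to `urllib.request.urlopen` from a Job or init container that mounts the Secret would register the endpoint; the payload contains the secret key, so it should not be logged.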
