VMware Harbor Registry
Overview
This post will briefly go through how to deploy (using Helm), configure and use VMware Harbor registry in Kubernetes.
Quick introduction to Harbor
Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.
I use Harbor myself in many of my own projects, including the images I make for my Hugo blog site (this one).
Deploy Harbor with Helm
Add helm chart:
helm repo add harbor https://helm.goharbor.io
helm fetch harbor/harbor --untar
Before you perform the default helm install of Harbor you want to grab the helm values for the Harbor charts so you can edit some settings to match your environment:
helm show values harbor/harbor > harbor.values.yaml
The default values you get from the above command include all available parameters, which can be a bit daunting to go through. In the values file I use, I have only picked the parameters I needed to set:
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: "harbor-tls-prod" # certificates you have created with Cert-Manager
      notarySecretName: "notary-tls-prod" # certificates you have created with Cert-Manager
  ingress:
    hosts:
      core: registry.example.com
      notary: notary.example.com
    annotations:
      kubernetes.io/ingress.class: "avi-lb"
      ako.vmware.com/enable-tls: "true"
externalURL: https://registry.example.com
# Placeholder: set a strong value and keep this file out of version control
harborAdminPassword: "PASSWORD"
persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # (this does not apply for PVCs that are created for internal database
  # and redis components, i.e. they are never deleted automatically)
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used (the default).
      # Set it to "-" to disable dynamic provisioning
      storageClass: "nfs-client"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi
      annotations: {}
    database:
      existingClaim: ""
      storageClass: "nfs-client"
      subPath: "postgres-storage"
      accessMode: ReadWriteOnce
      size: 1Gi
      annotations: {}

portal:
  tls:
    existingSecret: harbor-tls-prod
When you have edited the values file it's time to install:
helm install -f harbor.values.yaml harbor-deployment harbor/harbor -n harbor
Explanation: "-f" tells helm to read the values from the file that follows, then comes the name of your helm installation (here harbor-deployment), then the helm repo and chart, and finally the namespace you want it deployed in. A couple of seconds later you should be able to log in to the Harbor GUI through your web browser, provided everything has been set up right: Ingress, PVCs, secrets.
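A pre-install check for the values file above, as an added example (not part of the original post or of the Harbor chart). The function names flatten_yaml, yaml_get and check_harbor_values are hypothetical, the sample file is constructed, and Harbor12345 is assumed to be the chart's default admin password.

```shell
# Flatten simple block-style YAML mappings into dotted "a.b.c=value" lines.
# Sketch only: no lists, anchors or multi-line strings; a " #" inside a value is cut.
flatten_yaml() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comment and blank lines
    {
      indent = 0; while (substr($0, indent + 1, 1) == " ") indent++
      line = substr($0, indent + 1); sub(/[ \t]+#.*$/, "", line)
      pos = index(line, ":"); if (pos == 0) next
      key = substr(line, 1, pos - 1); val = substr(line, pos + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/^"|"$/, "", val)
      while (depth > 0 && ind[depth] >= indent) depth--   # pop back to the parent
      depth++; ind[depth] = indent; name[depth] = key
      path = name[1]; for (i = 2; i <= depth; i++) path = path "." name[i]
      print path "=" val
    }' "$1"
}
# Print the value of a dotted key from flattened output (empty if absent).
yaml_get() {
  printf '%s\n' "$1" | awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Report risky settings; exit status is the number of findings (0 = pass).
check_harbor_values() {
  flat=$(flatten_yaml "$1") || return 99
  n=0
  fail() { echo "FAIL: $1"; n=$((n + 1)); }
  case "$(yaml_get "$flat" harborAdminPassword)" in
    ""|PASSWORD|Harbor12345) fail "harborAdminPassword is unset, a placeholder or the chart default" ;;
  esac
  case "$(yaml_get "$flat" externalURL)" in
    https://*) ;;
    *) fail "externalURL does not start with https://" ;;
  esac
  [ "$(yaml_get "$flat" expose.tls.enabled)" = "true" ] || fail "expose.tls.enabled is not true"
  if [ "$(yaml_get "$flat" expose.tls.certSource)" = "secret" ] &&
     [ -z "$(yaml_get "$flat" expose.tls.secret.secretName)" ]; then
    fail "certSource is secret but expose.tls.secret.secretName is empty"
  fi
  return "$n"
}

# Constructed sample: an excerpt of the values above, placeholder password left in.
sample=$(mktemp)
printf '%s\n' 'expose:' '  tls:' '    enabled: true' '    certSource: secret' \
  '    secret:' '      secretName: "harbor-tls-prod"' \
  'externalURL: https://registry.example.com' 'harborAdminPassword: "PASSWORD"' > "$sample"
check_harbor_values "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as check_harbor_values harbor.values.yaml before helm install and stop on a non-zero exit status.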
Certificate
You can either use Cert-manager as explained here or bring your own CA-signed certificates.
Harbor GUI
To log in to the GUI for the first time, open your browser, point it to the externalURL you set in your values file, and log in with the harborAdminPassword you defined. From there on you create users and projects and start exploring Harbor.
Docker images
To push your images to Harbor execute the following commands:
docker login registry.example.com # log in with the user/password you have created in the GUI
docker tag image-name:tag registry.example.com/project/image-name:tag
docker push registry.example.com/project/image-name:tag