# Installing Secure Harbor Registry

1. You have an EKS cluster available.
2. You've installed the prerequisite CLIs (see [README](./README.md)).
3. Download and install the following Tanzu software from [TanzuNet](https://network.pivotal.io):
    - Cluster Essentials for VMware Tanzu
    - VMware Tanzu Application Platform

#### Download Tanzu software

```bash
pivnet login --api-token=$API_TOKEN
export PRODUCT_DOWNLOAD_DIR=$HOME/Downloads/tanzu-products
# -p: do not fail if the directory already exists
mkdir -p $PRODUCT_DOWNLOAD_DIR
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.0.0' --product-file-id=1105820 --download-dir=$PRODUCT_DOWNLOAD_DIR --accept-eula
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.0.1-build.6' --product-file-id=1114446 --download-dir=$PRODUCT_DOWNLOAD_DIR --accept-eula
```

#### Install Tanzu CLIs and Plugins

```bash
# -p: do not fail if the directory already exists
mkdir -p $HOME/tanzu
tar -xvf $PRODUCT_DOWNLOAD_DIR/tanzu-framework-darwin-amd64.tar -C $HOME/tanzu
export TANZU_CLI_NO_INIT=true
cd $HOME/tanzu
install cli/core/v0.10.0/tanzu-core-darwin_amd64 /usr/local/bin/tanzu
tanzu version
```

```bash
tanzu plugin install --local cli all
tanzu plugin list
```

#### Install Cluster Essentials
- This will install Carvel Tooling (Kapp and SecretGen Controller) on the EKS Cluster. Note: make sure to configure your system environment with `export TANZU_NET_USER=YourTanzuNetID && export TANZU_NET_PASSWORD=YourTanzuNetPassword`

```bash
# -p: do not fail if the directory already exists
mkdir -p $HOME/tanzu-cluster-essentials
tar -xvf $PRODUCT_DOWNLOAD_DIR/tanzu-cluster-essentials-darwin-amd64-1.0.0.tgz -C $HOME/tanzu-cluster-essentials
export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle@sha256:82dfaf70656b54dcba0d4def85ccae1578ff27054e7533d08320244af7fb0343
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=$TANZU_NET_USER
export INSTALL_REGISTRY_PASSWORD=$TANZU_NET_PASSWORD
cd $HOME/tanzu-cluster-essentials
./install.sh
kapp ls -A
```

#### Install TAP Package Repository
- This will install TAP Package Repository, which we will use to install CertManager & Contour Packages

```bash
kubectl create ns tap-install
tanzu secret registry add tap-registry \
  --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \
  --server ${INSTALL_REGISTRY_HOSTNAME} \
  --export-to-all-namespaces --yes --namespace tap-install
tanzu package repository add tanzu-tap-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.0.0 \
  --namespace tap-install
```

- Wait for TAP Package Repository to Reconcile successfully

```bash
tanzu package repository list --namespace tap-install
```

#### Install Certmanager Package

```bash
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-tap-install-cluster-admin-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-tap-install-cluster-admin-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-tap-install-cluster-admin-role
subjects:
- kind: ServiceAccount
  name: cert-manager-tap-install-sa
  namespace: tap-install
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-tap-install-sa
  namespace: tap-install
EOF

cat <<EOF | kubectl apply -f -
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: cert-manager
  namespace: tap-install
spec:
  serviceAccountName: cert-manager-tap-install-sa
  packageRef:
    refName: cert-manager.tanzu.vmware.com
    versionSelection:
      constraints: "1.5.3+tap.1"
      prereleases: {}
EOF
```

- Validate that the cert-manager package installed successfully.

```bash
kapp inspect -a cert-manager-ctrl -n tap-install
```

#### Install Contour Package

```bash
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: contour-tap-install-cluster-admin-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contour-tap-install-cluster-admin-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour-tap-install-cluster-admin-role
subjects:
- kind: ServiceAccount
  name: contour-tap-install-sa
  namespace: tap-install
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contour-tap-install-sa
  namespace: tap-install
EOF

cat <<EOF | kubectl apply -f -
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: contour
  namespace: tap-install
spec:
  serviceAccountName: contour-tap-install-sa
  packageRef:
    refName: contour.tanzu.vmware.com
    versionSelection:
      constraints: "1.18.2+tap.1"
      prereleases: {}
  values:
  - secretRef:
      name: contour-values
---
apiVersion: v1
kind: Secret
metadata:
  name: contour-values
  namespace: tap-install
stringData:
  values.yaml: |
    envoy:
      service:
        type: LoadBalancer
    infrastructure_provider: aws
EOF
```

- Validate that the Contour package installed successfully.

```bash
kapp inspect -a contour-ctrl -n tap-install
```
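
The cert-manager and Contour steps above each bind their install ServiceAccount to a ClusterRole whose single rule is `*` for API groups, resources and verbs, which is equivalent to cluster-admin. The following added example (not part of the original notebook) audits `kubectl get clusterroles,clusterrolebindings -o json` output for such bindings; the sample data is constructed, and the `configmap-reader` role, `reader-sa` account and function names are hypothetical.

```python
import json
import sys

def role(name, rules):
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}

def binding(name, role_name, sa):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": "tap-install"}]}

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
# The first two roles/bindings use the names from this page; configmap-reader is hypothetical.
ANY = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
SAMPLE = {"kind": "List", "items": [
    role("cert-manager-tap-install-cluster-admin-role", ANY),
    role("contour-tap-install-cluster-admin-role", ANY),
    role("configmap-reader", [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]),
    binding("cert-manager-tap-install-cluster-admin-role-binding",
            "cert-manager-tap-install-cluster-admin-role", "cert-manager-tap-install-sa"),
    binding("contour-tap-install-cluster-admin-role-binding",
            "contour-tap-install-cluster-admin-role", "contour-tap-install-sa"),
    binding("configmap-reader-binding", "configmap-reader", "reader-sa"),
]}

def is_wildcard_rule(rule):
    """True when one rule allows every verb on every resource in every API group."""
    return all("*" in (rule.get(key) or []) for key in ("apiGroups", "resources", "verbs"))

def find_admin_equivalent_subjects(doc):
    """Return sorted (binding, subject kind, namespace, subject name) tuples for
    every subject bound to a ClusterRole that contains an all-wildcard rule."""
    items = doc.get("items", [])
    wide = {o["metadata"]["name"] for o in items
            if o.get("kind") == "ClusterRole"
            and any(is_wildcard_rule(r) for r in o.get("rules") or [])}
    findings = []
    for o in items:
        ref = o.get("roleRef", {})
        if o.get("kind") != "ClusterRoleBinding" or ref.get("kind") != "ClusterRole":
            continue
        if ref.get("name") in wide:
            for s in o.get("subjects") or []:
                findings.append((o["metadata"]["name"], s["kind"], s.get("namespace", ""), s["name"]))
    return sorted(findings)

if __name__ == "__main__":
    # Pass a saved kubectl JSON file as the first argument, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, kind, ns, subject in find_admin_equivalent_subjects(data):
        print(f"{kind} {ns}/{subject} is cluster-admin equivalent via {name}")
```

On a real cluster the built-in `cluster-admin` bindings are reported as well, so review the output against the accounts you expect to hold that level of access.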

#### Install Harbor using Bitnami repo
- Note: Replace the following values below with your own accessible domain.
    - externalURL: https://harbor.aws.tanzuapps.org
    - core: harbor.aws.tanzuapps.org
    - notary: notary.harbor.aws.tanzuapps.org

```bash
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01-issuer
spec:
  acme:
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: contour
EOF

helm repo add bitnami https://charts.bitnami.com/bitnami
cat <<EOF >harbor-values.yml
# Configuration file of Harbor

# Uncomment external_url if you want to enable external proxy
# When it is enabled, the hostname is no longer used
externalURL: https://harbor.aws.tanzuapps.org

# Helm values files need nested keys; a literal "service.type" key is ignored by the chart
service:
  type: Ingress

ingress:
  enabled: true
  hosts:
    core: harbor.aws.tanzuapps.org
    notary: notary.harbor.aws.tanzuapps.org
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-http01-issuer"
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "contour"

persistence:
  persistentVolumeClaim:
    registry:
      size: 50Gi
EOF

kubectl create ns harbor
helm install harbor bitnami/harbor --version 11.2.2 --namespace harbor -f harbor-values.yml
```

- Register your domain with Route53 (or another DNS provider) based on the record shown below.

```bash
kubectl get ing -n harbor
```