This repository has been archived by the owner on Jan 14, 2020. It is now read-only.

Using Harbor with Kubernetes

shoenisch edited this page Apr 18, 2017 · 4 revisions

Here's how to set up VMware Harbor to work with a Kubernetes cluster running on Photon Platform. Harbor is a local registry that stores, protects, and distributes Docker images.

Harbor includes such enterprise features as a web administrative interface, role-based access control, image replication, and Lightwave authentication.

On Photon Platform, Harbor can be deployed on Kubernetes. First, deploy a Harbor cluster. The admin password must contain at least an uppercase letter, a lowercase letter, and a digit.

photon service create --type HARBOR \
       --master-ip <HARBOR-STATIC-IP> \
       --dns <DNS-IP> --gateway <GATEWAY-IP> --netmask <NETMASK> \
       --ssh-key ~/.ssh/id_rsa.pub --admin-password password

Here's an example:

photon service create --type HARBOR \
     --master-ip 198.51.100.22 \
     --dns 192.0.2.1 --gateway 192.0.2.77 --netmask 255.255.0.0 \
     --ssh-key ~/.ssh/id_rsa.pub --admin-password Secret1!

Second, find the self-signed CA certificate used by Harbor. The photon service cert-to-file command can locate the self-signed CA certificate and save it to a file. Here's the output of the command's help:

photon service cert-to-file --help
NAME:
photon service cert-to-file - Save the CA Certificate to a file 
with the specified path if the certificate exists
USAGE:
photon service cert-to-file cluster-id file_path
DESCRIPTION:
If a cluster has a CA certificate, this extracts it and saves
it to a file. If the specified file path doesn't exist, it will create
a new file with the specified pathThis is useful when using using Harbor,
which uses a self-signed CA certificate. You can extract the CA certificate
with this command, and use it as input when creating a Kubernetes cluster.

And here's an example:

photon service cert-to-file 9c246b84-8362-37e4-af58-35da7332e926 /home/photon/harbor.cert

Third, create a Kubernetes cluster that refers to the Harbor certificate with the registry-ca-cert option:

photon service create --name my-cluster --type KUBERNETES \
       --master-ip <HARBOR-STATIC-IP> \
       --etcd1 <ETCD-STATIC-IP> \
       --worker_count 5 \
       --vm_flavor cluster-master-vm \
       --dns <DNS-IP> --gateway <GATEWAY-IP> --netmask <NETMASK> \
       --container-network 10.2.0.0/16 \
       --ssh-key ~/.ssh/id_rsa.pub \
       --registry-ca-cert /home/photon/harbor.cert

Here's an example:

photon service create --name kube-cluster1 --type KUBERNETES \
     --master-ip 198.51.100.22 \
     --etcd1 198.51.100.75 \
     --worker_count 5 \
     --vm_flavor cluster-master-vm \
     --dns 192.0.2.1 --gateway 192.0.2.77 --netmask 255.255.0.0 \
     --container-network 10.2.0.0/16 \
     --ssh-key ~/.ssh/id_rsa.pub \
     --registry-ca-cert /home/photon/harbor.cert

Finally, you should set up Docker to use the Harbor registry securely. To pull and push images from your workstation or virtual machine, you must first configure Docker. Here's an example of how to do so on a Linux VM running the Docker daemon:

  • Make sure the option "--insecure-registry" is not present in the Docker daemon's configuration.
  • Copy the ca.crt file from Harbor (see above) to /etc/docker/certs.d/, where is the IP address of your Harbor registry.
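
The two Docker-side steps in the list above, as an added shell example that is not part of the original wiki page or the Photon Platform tooling. It relies on Docker's convention of reading a registry's CA from a directory named after the registry host; the function names and the files scanned are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before `docker login` against Harbor.
# Function names and the files scanned are assumptions, not Photon tooling.

# Succeeds only if REGISTRY is not marked insecure in any of the given files.
# Covers daemon.json ("insecure-registries": [...]) and option strings such as
# DOCKER_OPTS (--insecure-registry HOST or --insecure-registry=HOST).
registry_not_insecure() {
    registry=$1; shift
    esc=$(printf '%s' "$registry" | sed 's/\./\\./g')   # dots literal in the ERE
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Flatten the JSON, isolate the array, look for the host (with or without port).
        if tr -d ' \t\n' < "$f" |
            sed -n 's/.*"insecure-registries":\[\([^]]*\)\].*/\1/p' |
            grep -F -q -e "\"$registry\"" -e "\"$registry:"; then
            echo "insecure-registries lists $registry in $f" >&2
            return 1
        fi
        if grep -E -q -e "--insecure-registry[= ]+[\"']?$esc([:\"' ]|\$)" "$f"; then
            echo "--insecure-registry $registry found in $f" >&2
            return 1
        fi
    done
    return 0
}

# Install CA_FILE as ca.crt for REGISTRY under CERTS_ROOT. Docker looks for
# <certs root>/<registry host>/ca.crt; the default root is /etc/docker/certs.d.
install_registry_ca() {
    ca_file=$1; registry=$2; certs_root=${3:-/etc/docker/certs.d}
    # Refuse anything that is not a PEM certificate (e.g. an HTML error page).
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "$ca_file is not a PEM certificate" >&2
        return 1
    }
    mkdir -p "$certs_root/$registry" &&
        cp "$ca_file" "$certs_root/$registry/ca.crt" &&
        chmod 644 "$certs_root/$registry/ca.crt"
}

# Usage with the values from this page (run as root):
#   registry_not_insecure 203.0.113.56 /etc/docker/daemon.json /etc/default/docker &&
#   install_registry_ca /home/photon/harbor.cert 203.0.113.56
```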

Then log into Docker:

docker login -u admin -p <admin_password> http://203.0.113.20

Tag and push your images:

docker tag frontend 203.0.113.56/library/frontend
docker push 203.0.113.56/library/frontend

For instructions on how to set up Docker on a Mac, see the Docker documentation.
