Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management.
This Harbor Package integrates open source Harbor 2.2.2. See docs for Harbor 2.2.2.
The following configuration values can be set to customize the Harbor installation.

Value | Required/Optional | Default | Description |
---|---|---|---|
namespace | Optional | harbor | The namespace in which to deploy Harbor. |
Run the following command and check all configuration values for the Harbor Package in `harbor.tce.vmware.com-values.yaml`:

```sh
tanzu package configure harbor.tce.vmware.com
```
The Harbor package requires use of Contour for ingress and cert-manager for certificate generation.

- Install the cert-manager Package:

  ```sh
  tanzu package install cert-manager.tce.vmware.com
  ```

- Install the Contour Package.

  If your workload cluster supports Service type `LoadBalancer`, simply execute this command:

  ```sh
  tanzu package install contour.tce.vmware.com
  ```

  If your workload cluster doesn't support Service type `LoadBalancer`, use `NodePort` with `hostPorts` enabled instead by following these steps:

  - Run `tanzu package configure contour.tce.vmware.com` to get the configuration values YAML `contour.tce.vmware.com-values.yaml` for the Contour Package.
  - Set `envoy.service.type: NodePort` and `envoy.hostPorts.enable: true` in `contour.tce.vmware.com-values.yaml`.
  - Run `tanzu package install contour.tce.vmware.com --config contour.tce.vmware.com-values.yaml`.

- Configure the Harbor Package.

  Run `tanzu package configure harbor.tce.vmware.com` to get the configuration values YAML `harbor.tce.vmware.com-values.yaml` for the Harbor Package. Optionally get the helper script for configuring Harbor:

  ```sh
  image_url=$(kubectl get package harbor.tce.vmware.com.2.2.2-vmware.1 -o jsonpath='{.spec.template.spec.fetch[0].imgpkgBundle.image}')
  imgpkg pull -b "$image_url" -o /tmp/harbor-package
  cp /tmp/harbor-package/config/scripts/generate-passwords.sh .
  ```

  Specify the mandatory passwords and secrets in `harbor.tce.vmware.com-values.yaml`, or run `bash generate-passwords.sh harbor.tce.vmware.com-values.yaml` to generate them automatically. This step is needed only once.

  Specify other Harbor configuration (e.g. admin password, hostname, persistence settings) in `harbor.tce.vmware.com-values.yaml`.

  NOTE: If the default storageClass in the workload cluster, or the storageClass specified in `harbor.tce.vmware.com-values.yaml`, supports the accessMode `ReadWriteMany`, make sure to update the accessMode from `ReadWriteOnce` to `ReadWriteMany` in `harbor.tce.vmware.com-values.yaml`. VMware vSphere 7 with vSAN 7 File Service enabled supports accessMode `ReadWriteMany` but vSphere 6.7u3 does not. If you are using vSphere 7 without vSAN File Service enabled, or you are using vSphere 6.7u3, use the default accessMode `ReadWriteOnce`.

- Install the Harbor Package:

  ```sh
  tanzu package install harbor.tce.vmware.com --config harbor.tce.vmware.com-values.yaml
  ```
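Before running the install, it is worth checking that the values file actually carries the secrets the steps above ask for and a valid accessMode. The script below is an added example and is not part of the Harbor package or of `generate-passwords.sh`. `harborAdminPassword` and the `ReadWriteOnce`/`ReadWriteMany` accessMode values come from this page; the `hostname` key, the other secret key names, and the nesting of `accessMode` under `persistence` are assumptions about the file layout, and the two sample values files are constructed for the demo run.

```sh
#!/bin/sh
# Added example, not part of the Harbor package: check a Harbor values file
# before running tanzu package install. harborAdminPassword and the
# ReadWriteOnce/ReadWriteMany accessMode are named on this page; the hostname
# key, the other secret key names and the nesting under persistence are
# assumptions about the file layout, and the two sample files are constructed.

# Value of the first "key: value" line for a key at any indentation, with
# surrounding quotes stripped. Deliberately simple: it ignores YAML anchors,
# block scalars and lists, which the checked keys do not use.
yaml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 \
    | sed 's/^["'"'"']//; s/["'"'"']$//'
}

# Lines whose key looks like a password or secret and whose value is still
# empty, i.e. something generate-passwords.sh (or the operator) has not filled in.
empty_secrets() {
  grep -nE '^[[:space:]]*[A-Za-z]*([Pp]assword|[Ss]ecret)[A-Za-z]*:[[:space:]]*(""|'"''"')?[[:space:]]*$' "$1"
}

# Report every problem found (one per line) and return 1 if there was any.
check_values() {
  file="$1"
  rc=0
  if empty_secrets "$file" >/dev/null; then
    empty_secrets "$file" | sed 's/^/empty secret at line /'
    rc=1
  fi
  if [ -z "$(yaml_value hostname "$file")" ]; then
    echo "hostname is not set; the DNS mapping and docker login steps need it"
    rc=1
  fi
  mode=$(yaml_value accessMode "$file")
  case "$mode" in
    ReadWriteOnce|ReadWriteMany) ;;
    "") echo "accessMode is not set"; rc=1 ;;
    *)  echo "accessMode '$mode' is neither ReadWriteOnce nor ReadWriteMany"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample files so the script can be run without a cluster.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.yaml" <<'EOF'
namespace: harbor
hostname: ""
harborAdminPassword: ""
secretKey: ''
persistence:
  persistentVolumeClaim:
    registry:
      accessMode: ReadWriteOnly
EOF
cat > "$demo_dir/good.yaml" <<'EOF'
namespace: harbor
hostname: harbor.yourdomain.com
harborAdminPassword: "constructed-admin-password"
secretKey: "constructed-secret-key"
persistence:
  persistentVolumeClaim:
    registry:
      accessMode: ReadWriteMany
EOF

for f in good bad; do
  if check_values "$demo_dir/$f.yaml"; then
    echo "$f.yaml: ok"
  else
    echo "$f.yaml: fix the problems above before tanzu package install"
  fi
done
```

To use it against a real file, call `check_values harbor.tce.vmware.com-values.yaml` and gate the install on its exit status; the sample run prints four problems for `bad.yaml` and `ok` for `good.yaml`.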
The Harbor UI is exposed via the Envoy service load balancer that is running in the Contour Package. To allow users to connect to the Harbor UI, you must map the address of the Envoy service load balancer to the hostname of the Harbor service, for example `harbor.yourdomain.com`.

- Obtain the address of the Envoy service load balancer.

  ```sh
  kubectl get svc envoy -n tanzu-system-ingress -o jsonpath='{.status.loadBalancer.ingress[0]}'
  ```

  On vSphere without NSX Advanced Load Balancer (ALB), the Envoy service is exposed via NodePort instead of LoadBalancer, so the above output will be empty, and you can use the IP address of any worker node in the workload cluster instead. On Amazon EC2, it has a FQDN similar to `a82ebae93a6fe42cd66d9e145e4fb292-1299077984.us-west-2.elb.amazonaws.com`. On vSphere with NSX ALB and Azure, the Envoy service has a Load Balancer IP address similar to `20.54.226.44`.
- Map the address of the Envoy service load balancer to the hostname of the Harbor service.

  - vSphere: If you deployed Harbor on a workload cluster that is running on vSphere, you must add an IP to hostname mapping in `/etc/hosts` or add corresponding `A` records in your DNS server. For example, if the IP address is `10.93.9.100`, add the following to `/etc/hosts`:

    ```
    10.93.9.100 harbor.yourdomain.com notary.harbor.yourdomain.com
    ```

    On Windows machines, the equivalent to `/etc/hosts` is `C:\Windows\System32\Drivers\etc\hosts`.

  - Amazon EC2 or Azure: If you deployed Harbor on a workload cluster that is running on Amazon EC2 or Azure, you must create two DNS `CNAME` records (on Amazon EC2) or two DNS `A` records (on Azure) for the Harbor hostnames on a DNS server on the Internet.
    - One record for the Harbor hostname, for example `harbor.yourdomain.com`, that you configured in `harbor.tce.vmware.com-values.yaml`, that points to the FQDN or IP of the Envoy service load balancer.
    - Another record for the Notary service that is running in Harbor, for example `notary.harbor.yourdomain.com`, that points to the FQDN or IP of the Envoy service load balancer.
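The three cases above (load balancer FQDN on Amazon EC2, load balancer IP on Azure or vSphere with NSX ALB, worker-node IP on vSphere without NSX ALB) can be handled by one helper. The script below is an added example, not part of the Harbor or Contour packages. It assumes `kubectl` is pointed at the workload cluster, uses the `envoy` service in `tanzu-system-ingress` from this page, and assumes the usual `node-role.kubernetes.io/control-plane` or `node-role.kubernetes.io/master` labels to skip control-plane nodes when falling back to a worker-node IP; `HARBOR_HOSTNAME` is an assumed environment variable for the script only.

```sh
#!/bin/sh
# Added example, not part of the Harbor package: find the address Envoy is
# reachable on and produce the hosts/DNS entry for it. Assumes kubectl points at
# the workload cluster and the envoy service sits in tanzu-system-ingress (as on
# this page); the node-role label selector is an assumption about the cluster.

# Return the first non-empty candidate, or fail if all are empty.
pick_address() {
  for c in "$@"; do
    if [ -n "$c" ]; then
      echo "$c"
      return 0
    fi
  done
  return 1
}

# True for an IPv4 literal (map it with A records or /etc/hosts); anything else
# is treated as an FQDN that needs a CNAME record, as on Amazon EC2.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

record_type() {
  if is_ipv4 "$1"; then echo A; else echo CNAME; fi
}

# The /etc/hosts line for an address; the Notary hostname is derived from the
# Harbor hostname the way this page does.
hosts_line() {
  echo "$1 $2 notary.$2"
}

# Ask the cluster for the candidates in order of preference: load balancer
# hostname (EC2), load balancer IP (Azure, vSphere with NSX ALB), and finally
# the InternalIP of the first non-control-plane node for the NodePort case.
envoy_address() {
  ns="${1:-tanzu-system-ingress}"
  lb_host=$(kubectl get svc envoy -n "$ns" \
    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null)
  lb_ip=$(kubectl get svc envoy -n "$ns" \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null)
  node_ip=$(kubectl get nodes \
    -l '!node-role.kubernetes.io/control-plane,!node-role.kubernetes.io/master' \
    -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}' 2>/dev/null)
  pick_address "$lb_host" "$lb_ip" "$node_ip"
}

# True when the hostname already resolves (via /etc/hosts or DNS) to the same
# IP as the expected address, so nothing needs to be added.
mapping_ok() {
  want=$(getent hosts "$2" | awk '{print $1; exit}')
  have=$(getent hosts "$1" | awk '{print $1; exit}')
  [ -n "$want" ] && [ "$have" = "$want" ]
}

harbor_host="${HARBOR_HOSTNAME:-harbor.yourdomain.com}"
if command -v kubectl >/dev/null 2>&1 && addr=$(envoy_address); then
  echo "Envoy is reachable at $addr; map these names to it with $(record_type "$addr") records (or /etc/hosts for an IP):"
  hosts_line "$addr" "$harbor_host"
  if mapping_ok "$harbor_host" "$addr"; then
    echo "$harbor_host already resolves to $addr"
  fi
else
  # No cluster at hand: show the entry for the sample IP used on this page.
  echo "kubectl or Envoy address unavailable; sample /etc/hosts line:"
  hosts_line 10.93.9.100 "$harbor_host"
fi
```

`mapping_ok` uses `getent`, so it sees both `/etc/hosts` entries and DNS records and can be rerun after the record is added to confirm the mapping took effect.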
- Users can now connect to the Harbor UI by navigating to `https://harbor.yourdomain.com` in a Web browser and logging in as user `admin` with the `harborAdminPassword` that you configured in `harbor.tce.vmware.com-values.yaml`.
- If Harbor uses a self-signed certificate, download the Harbor CA certificate from `https://harbor.yourdomain.com/api/v2.0/systeminfo/getcert`, and install it on your local machine, so Docker can trust this CA certificate.
  - On Linux, save the certificate as `/etc/docker/certs.d/harbor.yourdomain.com/ca.crt`.
  - On macOS, follow this procedure.
  - On Windows, right-click the certificate file and select Install Certificate.
- Log in to the Harbor registry with the user `admin`. When prompted, enter the `harborAdminPassword` that you set when you deployed the Harbor Extension on the workload cluster.

  ```sh
  docker login harbor.yourdomain.com -u admin
  ```

- Tag an existing image that you have already pulled locally, for example `nginx:1.7.9`.

  ```sh
  docker tag nginx:1.7.9 harbor.yourdomain.com/library/nginx:1.7.9
  ```

- Push the image to the Harbor registry.

  ```sh
  docker push harbor.yourdomain.com/library/nginx:1.7.9
  ```

- Now you can pull the image from the Harbor registry on any machine where the Harbor CA certificate is installed.

  ```sh
  docker pull harbor.yourdomain.com/library/nginx:1.7.9
  ```
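The CA-trust step and the login/tag/push/pull steps above fit together as one Linux-side script. The one below is an added example and is not part of the Harbor package or of the Docker project; it uses the `getcert` endpoint, the `/etc/docker/certs.d/<host>/ca.crt` location and the `library/nginx:1.7.9` reference from this page, assumes `curl`, `openssl` and `docker` are installed, and treats `HARBOR_HOSTNAME` and `HARBOR_ADMIN_PASSWORD` as environment variables of the script (not package settings). The first download of a self-signed CA cannot itself be certificate-checked, so the script prints the CA's SHA-256 fingerprint for comparison with the copy the cluster administrator holds before the certificate is installed, and then verifies that the TLS chain Harbor presents validates against it.

```sh
#!/bin/sh
# Added example, not part of the Harbor package: take the CA certificate from
# the getcert endpoint named on this page, show what is about to be trusted,
# install it where Docker looks for it on Linux, verify the TLS chain against
# it, and run the login/tag/push/pull round trip. Assumes curl, openssl and
# docker; HARBOR_HOSTNAME and HARBOR_ADMIN_PASSWORD are assumed environment
# variables for this script, not package settings.

harbor_host="${HARBOR_HOSTNAME:-harbor.yourdomain.com}"

# Per-registry CA location Docker uses on Linux (from this page).
docker_ca_path() {
  echo "/etc/docker/certs.d/$1/ca.crt"
}

# Full image reference for tag/push/pull: registry host, project, image:tag.
image_ref() {
  echo "$1/$2/$3"
}

# First contact with a self-signed CA cannot be certificate-checked (-k); that
# is why the fingerprint is printed right after, to be compared with the one the
# cluster administrator reads off the CA on the cluster side before trusting it.
fetch_ca() {
  curl -fsSk "https://$1/api/v2.0/systeminfo/getcert" -o "$2"
}

# Subject, expiry and SHA-256 fingerprint of a PEM certificate.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

install_ca() {
  dest=$(docker_ca_path "$1")
  sudo mkdir -p "$(dirname "$dest")" && sudo cp "$2" "$dest"
}

# Succeeds only if the chain Harbor presents validates against the saved CA.
verify_tls() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Login reads the password from stdin rather than argv (argv shows up in ps for
# every local user), then tags, pushes, re-pulls and compares image IDs.
registry_round_trip() {
  host="$1"; src="$2"
  ref=$(image_ref "$host" library "$src")
  printf '%s' "$HARBOR_ADMIN_PASSWORD" | docker login "$host" -u admin --password-stdin || return 1
  docker tag "$src" "$ref" && docker push "$ref" || return 1
  pushed=$(docker inspect --format '{{.Id}}' "$ref")
  docker rmi "$ref" >/dev/null && docker pull "$ref" >/dev/null || return 1
  pulled=$(docker inspect --format '{{.Id}}' "$ref")
  [ -n "$pushed" ] && [ "$pushed" = "$pulled" ]
}

if [ -n "$HARBOR_ADMIN_PASSWORD" ] && command -v docker >/dev/null 2>&1; then
  ca=$(mktemp)
  fetch_ca "$harbor_host" "$ca" && cert_summary "$ca" || exit 1
  install_ca "$harbor_host" "$ca"
  verify_tls "$harbor_host" "$(docker_ca_path "$harbor_host")" || { echo "chain does not validate against the downloaded CA"; exit 1; }
  registry_round_trip "$harbor_host" nginx:1.7.9 && echo "push/pull round trip ok"
else
  echo "set HARBOR_ADMIN_PASSWORD (and HARBOR_HOSTNAME) and install docker to run this against a registry"
fi
```

Run it as `HARBOR_HOSTNAME=harbor.yourdomain.com HARBOR_ADMIN_PASSWORD=... sh harbor-trust.sh`; if `verify_tls` fails after the CA is installed, the certificate served on port 443 was not issued by the CA that `getcert` returned, which is worth investigating before any `docker login`.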