Install the Harbor Registry

Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.

Prerequisite

Before deploying Harbor on the workload cluster, some prerequisites have to be installed, either on the admin workstation or in the target workload cluster.

On the admin station

Install the Tanzu package tools, as described on this page.

On the cluster

  1. Deploy an ingress controller like Contour; the practical sheet below can be used:
  2. Create a StorageClass for the persistent volumes that will store the data.

Installation

Retrieve the version to install.

Use the VERSION column to choose the version to install, and note the version chosen because it will be required in the next step.

Generate the config file

Before doing the installation, a configuration file has to be filled in; the options in the config file can differ slightly between versions.

To generate the config file for the version you selected, use the command shown, replacing PACKAGE-VERSION with the selected version.

Example :

Harbor uses different passwords for its database, component communication and so on. The passwords can be set manually in the configuration file, or a script can generate random passwords directly in the configuration file.

If you want to use the script, use the command shown; if you want to set the passwords manually in the file, go directly to the next step.

Replace PACKAGE-VERSION with your version (same path as the previous step).

Example :

Fill the harbor-data-values

The table below explains the most important options to fill in the file.

Parameter: hostname
Description: Full DNS name of the service. It is the name used to access the registry and must resolve through DNS on the clusters. For testing purposes you can use nip.io names to simplify the tests.
Example: harbor.100.10000.10.4.nip.io or registry.mydomain.com

Parameter: tlsCertificate.tls.crt, tlsCertificate.tls.key, tlsCertificate.ca.crt
Description: These three parameters provide the certificates for the service. If nothing is provided, a certificate is generated automatically. The default certificate is not trusted by any authority, so it has to be declared on every workload cluster that wants to use this registry (see the Annex below).

Parameter: enableContourHttpProxy
Description: If Contour is used as the ingress controller, set this parameter to true to use the Contour HTTPProxy object instead of Ingress. If another ingress controller is used, set this parameter to false.
Example: true or false

Parameter: harborAdminPassword
Description: The password of the default admin user, used to connect to the Harbor UI.

Parameter: persistence.persistentVolumeClaim.registry.storageClass
Description: Name of the storage class used to store the registry files persistently. This StorageClass must exist before the Harbor installation (see the Prerequisite section). If the parameter is left empty, the default StorageClass is used.
Example: silver

Parameter: persistence.persistentVolumeClaim.registry.size
Description: Size of the persistent volume.
Example: 10Gi

Parameter: persistence.persistentVolumeClaim.database.storageClass
Description: Name of the storage class used to store the database files persistently. This StorageClass must exist before the Harbor installation (see the Prerequisite section). If the parameter is left empty, the default StorageClass is used.

Parameter: persistence.persistentVolumeClaim.database.size
Description: Size of the persistent volume.

Parameter: persistence.persistentVolumeClaim.redis.storageClass
Description: Name of the storage class used to store the Redis files persistently. This StorageClass must exist before the Harbor installation (see the Prerequisite section). If the parameter is left empty, the default StorageClass is used.

Parameter: persistence.persistentVolumeClaim.redis.size
Description: Size of the persistent volume.

Parameter: persistence.persistentVolumeClaim.trivy.storageClass
Description: Name of the storage class used to store the Trivy files persistently. This StorageClass must exist before the Harbor installation (see the Prerequisite section). If the parameter is left empty, the default StorageClass is used.

Parameter: persistence.persistentVolumeClaim.trivy.size
Description: Size of the persistent volume.

Parameter: secretKey, database.password, core.secret, core.xsrfKey, jobservice.secret, registry.secret
Description: Secrets to set manually or with the script (see the sections above).
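An added example, not the page's own file, of a harbor-data-values file filled with the parameters from the table above: the hostname, storage class names and volume sizes are assumed values, and the certificate and secret fields are placeholders to replace (the comments note the weak form each setting replaces).

```yaml
# harbor-data-values.yaml (added example; values are constructed, not from the page)
hostname: harbor.registry.example.com     # assumed DNS name; must resolve from every cluster
tlsCertificate:
  # Weak form: leave all three empty and Harbor self-signs a certificate that no
  # node trusts. Preferred: a server certificate issued by a CA you control.
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-SERVER-CERTIFICATE-PEM
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER-PRIVATE-KEY-PEM
    -----END PRIVATE KEY-----
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-ISSUING-CA-PEM
    -----END CERTIFICATE-----
enableContourHttpProxy: true              # Contour was deployed in the prerequisites; false for another controller
# Weak form: Harbor's well-known default admin password (Harbor12345) or a blank
# value. Use a long random value; it grants full control of every project.
harborAdminPassword: "PLACEHOLDER-LONG-RANDOM-ADMIN-PASSWORD"
# Either leave these empty and run the password-generation script from the previous
# step, or fill each one with a distinct long random value. Never share one value.
secretKey: ""
database:
  password: ""
core:
  secret: ""
  xsrfKey: ""
jobservice:
  secret: ""
registry:
  secret: ""
persistence:
  persistentVolumeClaim:
    registry:
      storageClass: silver                # assumed; must exist before install
      size: 10Gi
    database:
      storageClass: silver
      size: 10Gi
    redis:
      storageClass: silver
      size: 1Gi
    trivy:
      storageClass: silver
      size: 5Gi
```

Keep this file out of version control, or commit it only with the secret fields stripped: it contains the registry's private key and every component password in clear text.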

Install Harbor

Use the following command, replacing VERSION and NAMESPACE.

Example :

Annex : Add Custom Certificate to Workload Cluster

To use a registry from a Kubernetes cluster, the registry needs to be served over HTTPS, and its certificate has to be validated by an authority the nodes trust.

If the installed registry instance uses a custom CA that the nodes do not trust, the certificate of the custom authority, or the registry certificate itself, has to be added to the workload clusters.

For all future clusters deployed

When using ytt templates provided in KaaS Standard – Deploy workload cluster

If you use the provided template, you just have to create a file named tkg-custom-ca.pem in the template folder and then use the template as described in the KaaS Standard – Deploy workload cluster page.

When using custom yaml definitions for your Cluster API objects

  • Add the certificate and the preKubeadmCommands to the KubeadmControlPlane object in your custom yaml definition. This adds the certificate to every control plane node that will be deployed.
  • Add the certificate and the preKubeadmCommands to the KubeadmConfigTemplate object in your custom yaml definition. This adds the certificate to every worker node that will be deployed.

For existing clusters

  • Edit the Cluster API object of type KubeadmConfigTemplate corresponding to the cluster to modify.
  • Change the spec.template.spec.files section of the object to include the CA certificate, as shown here:
  • At the bottom of the file (at the same indentation as files), add a preKubeadmCommands block as shown here:
  • Save the KubeadmConfigTemplate file with your changes.
  • Patch the management cluster with the below command. It will force a rolling update of your nodes.
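An added example, not from the page, of a KubeadmConfigTemplate carrying the files entry and the preKubeadmCommands block the steps above describe; the object name, the CA path under /etc/ssl/certs and the distribution-specific trust-store commands are assumptions. The same two blocks go under spec.kubeadmConfigSpec in a KubeadmControlPlane object to cover the control plane nodes.

```yaml
# Added example (constructed); only the kind and field names come from Cluster API.
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1   # use the API version your management cluster serves
kind: KubeadmConfigTemplate
metadata:
  name: my-cluster-md-0        # constructed name; use the template of the cluster to modify
  namespace: default
spec:
  template:
    spec:
      files:
      # The CA is written to disk before kubeadm runs, so containerd trusts the
      # registry from the first image pull. Paste only the CA, never the server key.
      - path: /etc/ssl/certs/tkg-custom-ca.pem     # assumed location
        owner: root:root
        permissions: "0644"
        content: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER-CUSTOM-CA-PEM
          -----END CERTIFICATE-----
      preKubeadmCommands:
      # Photon OS images ship rehash_ca_certificates.sh; Ubuntu images use
      # update-ca-certificates, which only reads /usr/local/share/ca-certificates.
      # Each line is a no-op on the distribution that lacks the tool.
      - '! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh'
      - '! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/tkg-custom-ca.pem /usr/local/share/ca-certificates/tkg-custom-ca.crt && update-ca-certificates)'
```

Editing the template does not touch running nodes; the rolling update triggered by the patch in the last step is what replaces them with nodes that carry the CA, so verify trust afterwards by pulling an image from the registry on a fresh node.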