Tanzu Community Edition

Documentation

Harbor

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management.

Supported Providers

The following table shows the providers this package can work with.

AWS | Azure | vSphere | Docker

Components

This Harbor Package integrates open source Harbor 2.3.3. See docs for Harbor 2.3.3.

Installation

The Harbor package requires use of Contour for ingress and cert-manager for certificate generation.

  1. Install cert-manager Package

    tanzu package install cert-manager \
       --package-name cert-manager.community.tanzu.vmware.com \
       --version ${CERT_MANAGER_PACKAGE_VERSION}
    

    You can get the ${CERT_MANAGER_PACKAGE_VERSION} from running tanzu package available list cert-manager.community.tanzu.vmware.com. Specifying a namespace may be required depending on where your package repository was installed.

  2. Install Contour Package

    If your workload cluster supports Service type LoadBalancer, simply execute this command:

    tanzu package install contour \
       --package-name contour.community.tanzu.vmware.com \
       --version ${CONTOUR_PACKAGE_VERSION}
    

    You can get the ${CONTOUR_PACKAGE_VERSION} from running tanzu package available list contour.community.tanzu.vmware.com. Specifying a namespace may be required depending on where your package repository was installed.

    If your workload cluster doesn’t support Service type LoadBalancer, use NodePort with hostPorts enabled instead by following these steps:

    • Get the configuration for this package, by heading to TCE GitHub repository. Select the package/version and navigate into the bundle/config directory. Download or copy/paste the values.yaml file. Rename it contour-values.yaml.
    • Set envoy.service.type: NodePort and envoy.hostPorts.enable: true in contour-values.yaml
    • Run tanzu package install contour --package-name contour.community.tanzu.vmware.com --version ${CONTOUR_PACKAGE_VERSION} --values-file contour-values.yaml
  3. Configure Harbor Package

    Optionally get the harbor-values.yaml file to configure harbor. Download the values.yaml file from addons/packages/harbor/2.3.3/bundle/config/values.yaml to check all configuration values for Harbor Package and rename it to harbor-values.yaml.

    Or get the template configuration file by using script below:

    image_url=$(kubectl get packages harbor.community.tanzu.vmware.com.2.3.3 -o jsonpath='{.spec.template.spec.fetch[0].imgpkgBundle.image}')
    imgpkg pull -b $image_url -o /tmp/harbor-package-PACKAGE-VERSION
    cp /tmp/harbor-package-PACKAGE-VERSION/config/values.yaml harbor-values.yaml
    

    When you are using imgpkg to get the configuration file, specifying a namespace may be required depending on where your package repository was installed.

    Optionally get the helper script for configuring Harbor:

    image_url=$(kubectl get package harbor.community.tanzu.vmware.com.2.3.3 -o jsonpath='{.spec.template.spec.fetch[0].imgpkgBundle.image}')
    imgpkg pull -b $image_url -o /tmp/harbor-package
    cp /tmp/harbor-package/config/scripts/generate-passwords.sh .
    

    Specify the mandatory passwords and secrets in harbor-values.yaml, or generate them automatically by running:

    bash generate-passwords.sh harbor-values.yaml

    This step is needed only once.

    Specify other Harbor configuration (e.g. admin password, hostname, persistence setting, etc.) in harbor-values.yaml.

    NOTE: If the default storageClass in the Workload Cluster, or the specified storageClass in harbor-values.yaml supports the accessMode ReadWriteMany, make sure to update the accessMode from ReadWriteOnce to ReadWriteMany in harbor-values.yaml. VMware vSphere 7 with vSAN 7 File Service enabled supports accessMode ReadWriteMany but vSphere 6.7u3 does not. If you are using vSphere 7 without vSAN File Service enabled, or you are using vSphere 6.7u3, use the default accessMode ReadWriteOnce.

  4. Remove all the comments in the harbor-values.yaml file with the yq tool before installation by running:

    yq -i eval '... comments=""' harbor-values.yaml
    
  5. Install Harbor Package

    tanzu package install harbor \
       --package-name harbor.community.tanzu.vmware.com \
       --version 2.3.3 \
       --values-file harbor-values.yaml
    

    Specifying a namespace may be required depending on where your package repository was installed.
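As an added example (not the package's own generate-passwords.sh), the following POSIX shell script generates the mandatory passwords and secrets from step 3, writes them into a harbor-values.yaml fragment, and checks the length constraints listed under Configuration (secretKey 16 chars, core.xsrfKey 32 chars) before the file goes to tanzu package install. The nested YAML layout is an assumption derived from the dotted value names (core.xsrfKey becomes core: then xsrfKey:).

```shell
#!/bin/sh
# Added example: generate and validate the mandatory Harbor secrets for
# harbor-values.yaml. Not part of the TCE Harbor package; the nested YAML
# layout below is assumed from the dotted value names in the docs.

# Random alphanumeric string of the requested length, read from /dev/urandom.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# First "key: value" line for the given key, at any indentation.
# Keys are unique in the fragment written here except "secret" (per section).
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Write a harbor-values.yaml fragment with freshly generated secrets.
write_harbor_secrets() {
  out="$1"
  cat >"$out" <<EOF
harborAdminPassword: $(gen_secret 20)
secretKey: $(gen_secret 16)
core:
  secret: $(gen_secret 16)
  xsrfKey: $(gen_secret 32)
jobservice:
  secret: $(gen_secret 16)
registry:
  secret: $(gen_secret 16)
database:
  password: $(gen_secret 20)
EOF
}

# Validate the documented length constraints and that passwords are set.
# Returns 1 and names the failing key on stderr otherwise.
check_harbor_secrets() {
  f="$1"; rc=0
  for spec in secretKey:16 xsrfKey:32; do
    key=${spec%:*}; want=${spec#*:}
    val=$(yaml_value "$f" "$key")
    if [ ${#val} -ne "$want" ]; then
      echo "$key must be $want chars, got ${#val}" >&2
      rc=1
    fi
  done
  for key in harborAdminPassword password; do
    val=$(yaml_value "$f" "$key")
    [ -n "$val" ] || { echo "$key is empty" >&2; rc=1; }
  done
  return $rc
}
```

Run write_harbor_secrets harbor-values.yaml once, then check_harbor_secrets harbor-values.yaml; a hand-edited file that shortens secretKey or xsrfKey fails the check.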

Usage

Connect to Harbor User Interface

The Harbor UI is exposed via the Envoy service load balancer that is running in the Contour Package. To allow users to connect to the Harbor UI, you must map the address of the Envoy service load balancer to the hostname of the Harbor service, for example harbor.yourdomain.com.

  1. Obtain the address of the Envoy service load balancer.

    kubectl get svc envoy -n tanzu-system-ingress -o jsonpath='{.status.loadBalancer.ingress[0]}'
    

    On vSphere without NSX Advanced Load Balancer (ALB), the Envoy service is exposed via NodePort instead of LoadBalancer, so the above output will be empty, and you can use the IP address of any worker node in the workload cluster instead. On Amazon EC2, it has a FQDN similar to a82ebae93a6fe42cd66d9e145e4fb292-1299077984.us-west-2.elb.amazonaws.com. On vSphere with NSX ALB and Azure, the Envoy service has a Load Balancer IP address similar to 20.54.226.44.

  2. Map the address of the Envoy service load balancer to the hostname of the Harbor service.

    • vSphere: If you deployed Harbor on a workload cluster that is running on vSphere, you must add an IP to hostname mapping in /etc/hosts or add corresponding A records in your DNS server. For example, if the IP address is 10.93.9.100, add the following to /etc/hosts:

      10.93.9.100 harbor.yourdomain.com notary.harbor.yourdomain.com
      

      On Windows machines, the equivalent of /etc/hosts is C:\Windows\System32\Drivers\etc\hosts.

    • Amazon EC2 or Azure: If you deployed Harbor on a workload cluster that is running on Amazon EC2 or Azure, you must create two DNS CNAME records (on Amazon EC2) or two DNS A records (on Azure) for the Harbor hostnames on a DNS server on the Internet.

      • One record for the Harbor hostname, for example, harbor.yourdomain.com, that you configured in harbor-values.yaml, that points to the FQDN or IP of the Envoy service load balancer.
      • Another record for the Notary service that is running in Harbor, for example, notary.harbor.yourdomain.com, that points to the FQDN or IP of the Envoy service load balancer.

Users can now connect to the Harbor UI by navigating to https://harbor.yourdomain.com in a web browser and logging in as user admin with the harborAdminPassword that you configured in harbor-values.yaml.

Push and Pull Images to and from Harbor

  1. If Harbor uses a self-signed certificate, download the Harbor CA certificate from https://harbor.yourdomain.com/api/v2.0/systeminfo/getcert, and install it on your local machine, so Docker can trust this CA certificate.

    • On Linux, save the certificate as /etc/docker/certs.d/harbor.yourdomain.com/ca.crt.
    • On macOS, follow this procedure.
    • On Windows, right-click the certificate file and select Install Certificate.
  2. Log in to the Harbor registry with the user admin. When prompted, enter the harborAdminPassword that you set when you deployed the Harbor Extension on the workload cluster.

    docker login harbor.yourdomain.com -u admin
    
  3. Tag an existing image that you have already pulled locally, for example nginx:1.7.9.

    docker tag nginx:1.7.9 harbor.yourdomain.com/library/nginx:1.7.9
    
  4. Push the image to the Harbor registry.

    docker push harbor.yourdomain.com/library/nginx:1.7.9
    
  5. Now you can pull the image from the Harbor registry on any machine where the Harbor CA certificate is installed.

    docker pull harbor.yourdomain.com/library/nginx:1.7.9
    

Configuration

The following lightweight pass-through values can be set to customize the Harbor installation.

Global

Value | Required/Optional | Default | Description
namespace | Optional | harbor | The namespace in which to deploy Harbor.

General Settings

Value | Description | Default | Type
harborAdminPassword | The initial password of Harbor admin. | | string
secretKey | The secret key used for encryption. Must be a string of 16 chars. | | string
hostname | The FQDN for accessing Harbor admin UI and Registry service. | harbor.yourdomain.com | string
logLevel | The log level of core, exporter, jobservice, registry. | info | string
port.https | The network port of the Envoy service in Contour or other Ingress Controller. | 443 | integer
pspNames | The PSP names used by Harbor pods. The names are separated by ','. 'null' means all PSPs can be used. | null | string
enableContourHttpProxy | Use Contour HTTPProxy instead of the Ingress when it's true. | true | boolean
network.ipFamilies | The array of network ipFamilies. | [IPv4 IPv6] | array

Proxy Settings

Value | Description | Default | Type
proxy.noProxy | Ignore proxy for the domains. | 127.0.0.1,localhost,.local,.internal | string
proxy.httpProxy | HTTP proxy URL. | | string
proxy.httpsProxy | HTTPS proxy URL. | | string

Registry Settings

Value | Description | Default | Type
registry.replicas | The replicas for the registry component. | 1 | integer
registry.secret | Secret used to secure the upload state between client and registry storage backend. | | string

Core Settings

Value | Description | Default | Type
core.replicas | The replicas for the core component. | 1 | integer
core.secret | Secret used when the core server communicates with other components. | | string
core.xsrfKey | The XSRF key. Must be a string of 32 chars. | | string

Metrics Settings

Value | Description | Default | Type
metrics.enabled | Enable the metrics when it's true. | false | boolean
metrics.core.path | The path of the metrics. | /metrics | string
metrics.core.port | The port of the metrics. | 8001 | integer
metrics.jobservice.path | The path of the metrics. | /metrics | string
metrics.jobservice.port | The port of the metrics. | 8001 | integer
metrics.registry.path | The path of the metrics. | /metrics | string
metrics.registry.port | The port of the metrics. | 8001 | integer
metrics.exporter.path | The path of the metrics. | /metrics | string
metrics.exporter.port | The port of the metrics. | 8001 | integer

Database Settings

Value | Description | Default | Type
database.password | The initial password of the postgres database. | | string
database.shmSizeLimit | The initial value of shmSizeLimit. | | integer
database.maxIdleConns | The initial value of maxIdleConns. | | integer
database.maxOpenConns | The initial value of maxOpenConns. | | integer

JobService Settings

Value | Description | Default | Type
jobservice.replicas | The replicas for the jobservice component. | 1 | integer
jobservice.secret | Secret used when the job service communicates with other components. | | string

Notary Settings

Value | Description | Default | Type
notary.enabled | Whether to install Notary. | true | boolean

Exporter Settings

Value | Description | Default | Type
exporter.cacheDuration | The initial value of cacheDuration. | | integer

tlsCertificate Settings

Value | Description | Default | Type
tlsCertificate.ca.crt | The CA certificate; setting it enables the download link on the portal for the CA certificate. Note that ca.crt is a single key and not nested. | | string
tlsCertificate.tls.crt | The server certificate. Note that tls.crt is a single key and not nested. | | string
tlsCertificate.tls.key | The private key. Note that tls.key is a single key and not nested. | | string

Trivy Settings

Value | Description | Default | Type
trivy.enabled | Whether to install the Trivy scanner. | true | boolean
trivy.gitHubToken | The GitHub access token used to download the Trivy DB. | | string
trivy.replicas | The replicas for the trivy component. | 1 | integer
trivy.skipUpdate | The flag to disable Trivy DB downloads from GitHub. | false | boolean

Storage Settings

General

Value | Description | Default | Type
persistence.imageChartStorage.type | Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift" or "oss", and fill in the information needed in the corresponding section. The type must be "filesystem" if you want to use persistent volumes for registry and chartmuseum. | filesystem | string
persistence.imageChartStorage.disableredirect | Specify whether to disable redirects for image and chart storage. For backends that do not support redirects (such as using MinIO for the s3 storage type), set disableredirect to true. Refer to https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect for the details. | false | boolean
persistence.imageChartStorage.caBundleSecretName | Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. The secret must contain a key named "ca.crt", which will be injected into the trust store of the registry's and chartmuseum's containers. | | string

FileSystem

Value | Description | Default | Type
persistence.imageChartStorage.filesystem.rootdirectory | The root directory in the filesystem. | /storage | string
persistence.imageChartStorage.filesystem.maxthreads | Max threads for the filesystem. | 100 | integer

Azure

Value | Description | Default | Type
persistence.imageChartStorage.azure.accountkey | Account key of Azure storage. | base64encodedaccountkey | string
persistence.imageChartStorage.azure.accountname | Account name of Azure storage. | accountname | string
persistence.imageChartStorage.azure.container | Container name of Azure storage. | containername | string
persistence.imageChartStorage.azure.realm | Realm for Azure storage. | core.windows.net | string

OSS

Value | Description | Default | Type
persistence.imageChartStorage.oss.chunksize | Chunk size for OSS, e.g. 10M. | | string
persistence.imageChartStorage.oss.endpoint | Endpoint of OSS. | | string
persistence.imageChartStorage.oss.internal | Use the internal endpoint when it's true. | | boolean
persistence.imageChartStorage.oss.rootdirectory | The root directory in OSS. | | string
persistence.imageChartStorage.oss.bucket | Bucket name of OSS. | bucketname | string
persistence.imageChartStorage.oss.accesskeyid | Access key id of OSS. | accesskeyid | string
persistence.imageChartStorage.oss.accesskeysecret | Access key secret of OSS. | accesskeysecret | string
persistence.imageChartStorage.oss.encrypt | Encrypt for OSS. | | boolean
persistence.imageChartStorage.oss.region | Region of OSS. | regionname | string
persistence.imageChartStorage.oss.secure | Secure (TLS) for OSS. | | boolean

S3

Value | Description | Default | Type
persistence.imageChartStorage.s3.region | Region of S3. | us-west-1 | string
persistence.imageChartStorage.s3.regionendpoint | Region endpoint of S3, e.g. http://myobjects.local | | string
persistence.imageChartStorage.s3.bucket | Bucket name of S3. | bucketname | string
persistence.imageChartStorage.s3.accesskey | Access key of S3. | | string
persistence.imageChartStorage.s3.secretkey | Secret key of S3. | | string
persistence.imageChartStorage.s3.keyid | Key id of S3. | | string
persistence.imageChartStorage.s3.encrypt | Encrypt for S3. | false | boolean
persistence.imageChartStorage.s3.secure | Secure (TLS) for S3. | true | boolean
persistence.imageChartStorage.s3.skipverify | Skip certificate verification for S3. | false | boolean
persistence.imageChartStorage.s3.v4auth | Use v4auth for S3 when it's true. | true | boolean
persistence.imageChartStorage.s3.chunksize | Chunk size for S3. | | integer
persistence.imageChartStorage.s3.multipartcopychunksize | Multipart copy chunk size for S3. | | integer
persistence.imageChartStorage.s3.multipartcopythresholdsize | Multipart copy threshold size for S3. | | integer
persistence.imageChartStorage.s3.multipartcopymaxconcurrency | Multipart copy max concurrency for S3. | | integer
persistence.imageChartStorage.s3.rootdirectory | The root directory in S3. | | string
persistence.imageChartStorage.s3.storageclass | Storage class of S3. | STANDARD | string

Swift

Value | Description | Default | Type
persistence.imageChartStorage.swift.authurl | Auth URL of Swift. | https://storage.myprovider.com/v3/auth | string
persistence.imageChartStorage.swift.authversion | Auth version of Swift. | | string
persistence.imageChartStorage.swift.username | Username of Swift. | username | string
persistence.imageChartStorage.swift.password | Password of Swift. | password | string
persistence.imageChartStorage.swift.container | Container of Swift. | containername | string
persistence.imageChartStorage.swift.region | Region of Swift. | | string
persistence.imageChartStorage.swift.endpointtype | Endpoint type of Swift, e.g. public. | | string
persistence.imageChartStorage.swift.insecureskipverify | Ignore certificate verification when it's true. | | boolean
persistence.imageChartStorage.swift.tenant | Tenant of Swift. | | string
persistence.imageChartStorage.swift.tenantid | Tenant id of Swift. | | string
persistence.imageChartStorage.swift.domain | Domain of Swift. | | string
persistence.imageChartStorage.swift.domainid | Domain id of Swift. | | string
persistence.imageChartStorage.swift.trustid | Trust id of Swift. | | string
persistence.imageChartStorage.swift.accesskey | Access key of Swift. | | string
persistence.imageChartStorage.swift.secretkey | Secret key of Swift. | | string
persistence.imageChartStorage.swift.chunksize | Chunk size of Swift, e.g. 5M. | | string
persistence.imageChartStorage.swift.prefix | Prefix path of Swift. | | string
persistence.imageChartStorage.swift.tempurlcontainerkey | Use the temp URL container key of Swift when it's true. | | boolean
persistence.imageChartStorage.swift.tempurlmethods | Temp URL methods of Swift. | | string

GCS

Value | Description | Default | Type
persistence.imageChartStorage.gcs.bucket | Bucket name of GCS. | bucketname | string
persistence.imageChartStorage.gcs.chunksize | Chunk size for GCS. | 5.24288e+06 | integer
persistence.imageChartStorage.gcs.encodedkey | The base64-encoded JSON file which contains the key. | base64-encoded-json-key-file | string
persistence.imageChartStorage.gcs.rootdirectory | The root directory in GCS. | | string

Persistent Volume Claim Settings

Database

Value | Description | Default | Type
persistence.persistentVolumeClaim.database.storageClass | Specify the "storageClass" used to provision the volume; otherwise the default StorageClass is used (the default). Set it to "-" to disable dynamic provisioning. | | string
persistence.persistentVolumeClaim.database.existingClaim | Use an existing PVC, which must be created manually before binding, and specify the "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.database.subPath | The "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.database.accessMode | Access mode of the PVC. | ReadWriteOnce | string
persistence.persistentVolumeClaim.database.size | Size of the PVC. | 1Gi | string

JobService

Value | Description | Default | Type
persistence.persistentVolumeClaim.jobservice.storageClass | Specify the "storageClass" used to provision the volume; otherwise the default StorageClass is used (the default). Set it to "-" to disable dynamic provisioning. | | string
persistence.persistentVolumeClaim.jobservice.existingClaim | Use an existing PVC, which must be created manually before binding, and specify the "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.jobservice.subPath | The "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.jobservice.accessMode | Access mode of the PVC. | ReadWriteOnce | string
persistence.persistentVolumeClaim.jobservice.size | Size of the PVC. | 1Gi | string

Redis

Value | Description | Default | Type
persistence.persistentVolumeClaim.redis.storageClass | Specify the "storageClass" used to provision the volume; otherwise the default StorageClass is used (the default). Set it to "-" to disable dynamic provisioning. | | string
persistence.persistentVolumeClaim.redis.existingClaim | Use an existing PVC, which must be created manually before binding, and specify the "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.redis.subPath | The "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.redis.accessMode | Access mode of the PVC. | ReadWriteOnce | string
persistence.persistentVolumeClaim.redis.size | Size of the PVC. | 1Gi | string

Registry

Value | Description | Default | Type
persistence.persistentVolumeClaim.registry.storageClass | Specify the "storageClass" used to provision the volume; otherwise the default StorageClass is used (the default). Set it to "-" to disable dynamic provisioning. | | string
persistence.persistentVolumeClaim.registry.existingClaim | Use an existing PVC, which must be created manually before binding, and specify the "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.registry.subPath | The "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.registry.accessMode | Access mode of the PVC. | ReadWriteOnce | string
persistence.persistentVolumeClaim.registry.size | Size of the PVC. | 10Gi | string

Trivy

Value | Description | Default | Type
persistence.persistentVolumeClaim.trivy.storageClass | Specify the "storageClass" used to provision the volume; otherwise the default StorageClass is used (the default). Set it to "-" to disable dynamic provisioning. | | string
persistence.persistentVolumeClaim.trivy.existingClaim | Use an existing PVC, which must be created manually before binding, and specify the "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.trivy.subPath | The "subPath" if the PVC is shared with other components. | | string
persistence.persistentVolumeClaim.trivy.accessMode | Access mode of the PVC. | ReadWriteOnce | string
persistence.persistentVolumeClaim.trivy.size | Size of the PVC. | 5Gi | string
