Deploying Harbor Registry for Tanzu Kubernetes Grid

Introduction

Harbor is an open-source registry that is used to store the containerized images that will be consumed by the Docker/Kubernetes platform. The images stored in the Harbor registry are secured using policies and role-based access control. Harbor, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud-native compute platforms like Kubernetes and Docker.

Why harbor

Harbor not only provides a container registry but also can do vulnerability scanning and trust signing of your docker images. It also has a really smooth web interface that allows you to do things like RBAC, project creation, user management, and more.

Harbor supports the replication of images between registries and also offers advanced security features such as user management, access control, and activity auditing. 

Harbor Deployment Model

Harbor can be deployed both as a regular workload or as a K8 instance. Deploying as a K8 instance is very handy if you already have a Kubernetes management cluster. TKG supports both types of deployment, but there is a certain overhead that you should keep in mind when deploying it as a K8 instance.  

In this blog, I’m going to walk through the process to deploy a standalone Harbor instance as a regular workload on top of CentOS 7. Let’s get started.

System Requirements

Hardware Requirements

The following table lists the minimum and recommended hardware configurations for deploying Harbor.

Resource Minimum Recommended
CPU 2 CPU  4 CPU
Mem 4 GB 8 GB
Disk 40 GB 160 GB

Note: For testing in Lab/POC environments, you can go for 1 vCPU and 4 GB RAM. 

Software Requirements

Install the following software on the machine where you are intending to deploy Harbor. 

  • Docker Engine: Version 17.06.0-ce+ or higher.
  • Docker Compose: Version 1.18.0 or higher.
  • Openssl: Latest and greatest version available.
Firewall Requirements

Harbor requires that the following ports be open on the target host.

Port Protocol Description
443 HTTPS Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file.
80 HTTP Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file.

Installation Steps 

Step 1: Install Docker, Docker Engine & Docker Compose

Step 2: Download and Extract Harbor installation binary

Step 3: Configure HTTPS Access to Harbor

Harbor can be deployed with and without security. The latter is used in a test/dev air-gapped environment so that connections can be made over http. In a production environment, you should configure Harbor to be accessed securely over HTTPS, disabling HTTP access completely. 

By default, Harbor does not ship with certificates, so to configure HTTPS access, you should have an SSL certificate. You can either use third-party CA-signed certificates or create and use a self-signed certificate.

In my lab, I am using openssl to create the self-signed SSL cert. I have made my harbor node act as a CA to sign the node certificate. The procedure is shown below:

Note: All references to harbor.tanzu.lab refers to the fqdn of harbor node in my environment. Please change this value to reflect yours.

3.1: Generate a CA certificate and certificate key.

3.2: Generate a Server Certificate

The server certificate usually comprises a .crt and a .key file. First you generate a Certificate Signing Request (csr) file and then convert it to a .crt file following the x509 standard.

3.3: Generate an x509 v3 extension file

An x509 certificate should contain all the SAN’s related to your harbor node to comply with the x509 v3 extension requirements. Create a new file (v3.ext) with the below contents

Use the v3.ext file to generate a certificate for your Harbor host

Convert .crt to .cert, for use by Docker

3.4: Copy the server certificate, key, and CA files into the Docker certificates folder on the Harbor host and restart the Docker service.

Step 4: Configure the Harbor YML File

You set system-level parameters for Harbor in the harbor.yml file that is contained in the installer package. These parameters take effect when you run the install.sh script to install or reconfigure Harbor.

Edit following values as per your environment.

For a complete list of required parameters, please see Harbor official documentation

Step 5: Install Harbor

Once you have prepared your harbor.yml file, you install and start Harbor by using the install.sh script.

# ./install.sh

Harbor installation roughly takes 5-6 minutes to complete and once it is completed, you can access the harbor instance by typing https://<harbor-fqdn>/ and login using the credentials that you have configured in the harbor.yml file.

You can upload the artifacts in the default project (library) that gets shipped with Harbor, or can create your own projects. 

And that concludes this post. In the next post, I will demonstrate how you can upload images in Harbor and then integrate harbor with Tanzu Kubernetes Grid to deploy K8 workloads.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.

Leave a Reply