Install Harbor
Harbor is one of the storage options for application images in KubeRocketCI. It is used during the application build process.
Review the prerequisites and the main steps for enabling Harbor on the platform.
Prerequisites
- kubectl version 1.29.0+ is installed. Please refer to the Kubernetes official website for details.
- Helm version 3.14.0+ is installed. Please refer to the Helm page on GitHub for details.
Installation
To install Harbor with Helm, follow the steps below:
- Create a namespace for Harbor:

      kubectl create namespace harbor

- Create a secret for the administrator user and the registry:

  - Manually:

        kubectl create secret generic harbor \
          --from-literal=HARBOR_ADMIN_PASSWORD=<secret> \
          --from-literal=REGISTRY_HTPASSWD=<secret> \
          --from-literal=REGISTRY_PASSWD=<secret> \
          --from-literal=secretKey=<secret> \
          --namespace harbor

  - Using External Secrets Operator (ESO):

    Create Secret data with ESO

        apiVersion: external-secrets.io/v1beta1
        kind: ExternalSecret
        metadata:
          name: harbor
          namespace: harbor
        spec:
          refreshInterval: 1h
          secretStoreRef:
            kind: SecretStore
            name: aws-parameterstore
          data:
          - secretKey: HARBOR_ADMIN_PASSWORD
            remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: /control-plane/deploy-secrets
              property: harbor.HARBOR_ADMIN_PASSWORD
          - secretKey: secretKey
            remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: /control-plane/deploy-secrets
              property: harbor.secretKey
          - secretKey: REGISTRY_HTPASSWD
            remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: /control-plane/deploy-secrets
              property: harbor.REGISTRY_HTPASSWD
          - secretKey: REGISTRY_PASSWD
            remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: /control-plane/deploy-secrets
              property: harbor.REGISTRY_PASSWD

  Note:

  The HARBOR_ADMIN_PASSWORD is the initial password of the Harbor admin.

  The secretKey is the secret key that is used for encryption. It must be 16 characters long.

  The REGISTRY_PASSWD is the Harbor registry password.

  The REGISTRY_HTPASSWD is the login and password in htpasswd string format. This value is the string in the password file generated by the htpasswd command, where the username is harbor_registry_user and the encryption type is bcrypt. See the example below:

      htpasswd -bBc passwordfile harbor_registry_user harbor_registry_password

  The username must be harbor_registry_user. The password must be the value from REGISTRY_PASSWD.

- Add the Harbor Helm chart repository for the local client:

      helm repo add harbor https://helm.goharbor.io

- Check the parameters in the Harbor installation chart. For details, please refer to the values.yaml file.

- Install Harbor in the harbor namespace with the Helm tool:

      helm install harbor harbor/harbor \
        --version 1.12.2 \
        --namespace harbor \
        --values values.yaml

  See the details on the parameters below:

  Example values.yaml

      # we use Harbor secret to consolidate all the Harbor secrets
      existingSecretAdminPassword: harbor
      existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
      existingSecretSecretKey: harbor

      core:
        # The XSRF key. Will be generated automatically if it isn't specified
        xsrfKey: ""
      jobservice:
        # Secret is used when job service communicates with other components.
        # If a secret key is not specified, Helm will generate one.
        # Must be a string of 16 chars.
        secret: ""
      registry:
        # Secret is used to secure the upload state from client
        # and registry storage backend.
        # If a secret key is not specified, Helm will generate one.
        # Must be a string of 16 chars.
        secret: ""
        credentials:
          username: harbor_registry_user
          existingSecret: harbor

      fullnameOverride: harbor
      # If Harbor is deployed behind the proxy, set it as the URL of proxy
      externalURL: https://core.harbor.domain
      ipFamily:
        ipv6:
          enabled: false
      expose:
        tls:
          enabled: false
        ingress:
          hosts:
            core: core.harbor.domain
            notary: notary.harbor.domain
      updateStrategy:
        type: Recreate
      persistence:
        persistentVolumeClaim:
          registry:
            size: 30Gi
          jobservice:
            jobLog:
              size: 1Gi
          database:
            size: 2Gi
          redis:
            size: 1Gi
          trivy:
            size: 5Gi
      database:
        internal:
          # The initial superuser password for internal database
          # (example value; set your own before installing)
          password: "changeit"

- To check if the installation is successful, run the command below:

      helm status <harbor-release> -n harbor

  You can also check the ingress endpoints to get the Harbor endpoint and enter the Harbor UI:

      kubectl describe ingress <harbor_ingress> -n harbor
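
For the manual variant of the secret-creation step, the script below generates the four values, checks them against the constraints from the note (a 16-character secretKey and a bcrypt htpasswd entry for harbor_registry_user built from REGISTRY_PASSWD), and creates the secret from files so that no value appears on a command line. It is an added example, not part of the KubeRocketCI documentation; the function names, the 24-character password length and the `--create` switch are assumptions.

```shell
# Added example: build the "harbor" secret from generated values.
# Function names, password length and the --create switch are assumptions.
set -eu

# Print N random alphanumeric characters read from /dev/urandom.
gen_alnum() {
  n="$1"; out=""
  while [ "${#out}" -lt "$n" ]; do
    out="${out}$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$out" | cut -c1-"$n"
}

# Return 0 if the values meet the constraints from the note, else print the
# first problem to stderr and return 1.
# Args: HARBOR_ADMIN_PASSWORD secretKey REGISTRY_PASSWD REGISTRY_HTPASSWD
validate_harbor_secret() {
  if [ -z "$1" ] || [ -z "$3" ]; then
    echo "passwords must not be empty" >&2; return 1
  fi
  if [ "${#2}" -ne 16 ]; then
    echo "secretKey must be exactly 16 characters" >&2; return 1
  fi
  case "$4" in
    'harbor_registry_user:$2'[aby]'$'*) return 0 ;;
  esac
  echo "REGISTRY_HTPASSWD must be a bcrypt entry for harbor_registry_user" >&2
  return 1
}

# Generate, validate and create the secret. Requires htpasswd and kubectl.
create_harbor_secret() {
  dir="$(mktemp -d)"; trap 'rm -rf "$dir"' EXIT   # private dir, removed on exit
  admin_pw="$(gen_alnum 24)"; reg_pw="$(gen_alnum 24)"; secret_key="$(gen_alnum 16)"
  # -n: print to stdout, -i: read the password from stdin, -B: bcrypt
  reg_htpasswd="$(printf '%s\n' "$reg_pw" | htpasswd -niB harbor_registry_user)"
  validate_harbor_secret "$admin_pw" "$secret_key" "$reg_pw" "$reg_htpasswd"
  printf '%s' "$admin_pw"     > "$dir/HARBOR_ADMIN_PASSWORD"
  printf '%s' "$secret_key"   > "$dir/secretKey"
  printf '%s' "$reg_pw"       > "$dir/REGISTRY_PASSWD"
  printf '%s' "$reg_htpasswd" > "$dir/REGISTRY_HTPASSWD"
  # --from-file uses each file name as the key, keeping values out of argv.
  kubectl create secret generic harbor --namespace harbor \
    --from-file="$dir/HARBOR_ADMIN_PASSWORD" --from-file="$dir/secretKey" \
    --from-file="$dir/REGISTRY_PASSWD" --from-file="$dir/REGISTRY_HTPASSWD"
}

# Run only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--create" ]; then create_harbor_secret; fi
```

The validation function can also be run on values prepared by hand before they are passed to `kubectl create secret` or stored for ESO.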