Version: 3.9

Integrate Harbor With Tekton Pipelines

Harbor is an advanced, open-source cloud-native registry that securely manages container images and Helm charts and supports a wide range of OCI artifacts. It enforces policies and role-based access control and ensures that all managed content, including container images and other artifacts, is scanned and certified free from vulnerabilities. For those looking to integrate Harbor into their workflow, the documentation provides comprehensive steps for creating projects and establishing robot accounts. These accounts enable automated and secure interactions with the registry, which is crucial for CI pipelines and improves the overall security and efficiency of artifact management.

Overview

Harbor integration with Tekton enables the centralized storage of container images within the cluster, eliminating the need for external services. By leveraging Harbor as the container registry, users can manage and store their automation results and reports in one place.

Integration Procedure

The integration process involves two steps:

  1. Creating a project to store application images.

  2. Creating two service accounts (robot accounts) with different permissions: one to push (read/write) and one to pull (read-only) project images.

Create New Project

To create a new project, follow the steps below:

  1. Log in to the Harbor console using your credentials.

  2. Navigate to the Projects menu and click the New Project button:

    Harbor Console

  3. On the New Project menu, enter a project name that matches your platform namespace in the Project Name field. Keep other fields as default and click OK to continue:

    New Project

Set Up Robot Account

To facilitate seamless interaction between KubeRocketCI and a Harbor project, it is crucial to establish a robot account. Follow the steps below:

  1. Navigate to your newly created project, select the Robot Accounts menu and choose New Robot Account:

    New Project

  2. In the pop-up window, fill in the fields as follows:

    • Name - edp-push;
    • Expiration time - set a value that is aligned with your organization's policy;
    • Description - read/write permissions;
    • Permissions - Pull Repository and Push Repository.

    To proceed, click the ADD button:

    New Project

  3. In the window that appears, copy the robot account credentials or click the Export to file button to save the secret and account name locally:

    New Project

  4. Provision the kaniko-docker-config secret using kubectl, UI Portal or the externalSecrets operator:

    The auth string for the edp-push robot account can be generated with this command (here edp-project is the Harbor project name and secret is the robot account secret):

    echo -n "robot\$edp-project+edp-push:secret" | base64

    Navigate to Portal -> Configuration -> ARTIFACTS STORAGE -> Registry. Update the existing integration or click + ADD INTEGRATION, fill in the required fields and click Save.

    Registry update manual secret

  5. Repeat steps 2-3 with the values below:

    • Name - edp-pull;
    • Expiration time - set a value that is aligned with your organization's policy;
    • Description - read-only permissions;
    • Permissions - Pull Repository.

  6. Provision the regcred secret using kubectl, EDP Portal or the externalSecrets operator:

    The auth string for the read-only edp-pull robot account can be generated with this command:

    echo -n "robot\$edp-project+edp-pull:secret" | base64

    Navigate to Portal -> Configuration -> ARTIFACTS STORAGE -> Registry. Update the existing integration or click + ADD INTEGRATION, fill in the required fields and click Save.

    Registry update manual secret

  7. In the values.yaml file for the edp-install Helm chart, set the following values for the specified fields:

    If the kaniko-docker-config secret has been created manually:

    values.yaml

    ...
    kaniko:
      existingDockerConfig: "kaniko-docker-config"
    global:
      dockerRegistry:
        url: harbor-registry.com
        type: "harbor"
    ...

  8. (Optional) If you've already deployed the edp-install Helm chart, you can update it using the following command:

    helm upgrade --install edp epamedp/edp-install \
      --values values.yaml \
      --namespace edp

As a result, application images built in UI Portal will be stored in the Harbor project and deployed from the Harbor registry.

Harbor projects can be added and retained with a retention policy generated through the script in edp-cluster-add-ons.
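
For steps 4 and 6 above, the following shell functions build the docker config for each robot account and create the two secrets with kubectl. This is an added example, not part of the KubeRocketCI documentation; the project name edp-project, the namespace edp, the files holding only the robot secret, and the secret type are assumptions.

```shell
#!/bin/sh
# Added example. Every value here is a constructed placeholder.
REGISTRY="harbor-registry.com"   # registry host from values.yaml above
PROJECT="edp-project"            # sample Harbor project name
NAMESPACE="edp"                  # namespace used in the helm command above

# Robot logins look like robot$<project>+<name>. Single quotes stop the shell
# from expanding "$edp..." as an empty variable, which silently corrupts the login.
robot_user() {
  printf 'robot$%s+%s' "$PROJECT" "$1"
}

# base64("user:secret") on one line. printf adds no trailing newline, and tr
# strips the line wrapping GNU base64 inserts after 76 characters.
auth_string() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Minimal docker config document; only base64 text is interpolated into the JSON.
docker_config() {
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' \
    "$REGISTRY" "$(auth_string "$(robot_user "$1")" "$2")"
}

# Usage: apply_secret <secret-name> <robot-name> <file-with-robot-secret>
# Reading the secret from a file keeps it out of shell history.
# Assumption: the secret type is kubernetes.io/dockerconfigjson; labels the
# platform may require are not shown on the page and are not set here.
apply_secret() {
  docker_config "$2" "$(cat "$3")" |
    kubectl create secret generic "$1" --namespace "$NAMESPACE" \
      --type=kubernetes.io/dockerconfigjson \
      --from-file=.dockerconfigjson=/dev/stdin \
      --dry-run=client -o yaml |
    kubectl apply -f -
}

# Push credentials go only to the build secret; deployments get the read-only account:
#   apply_secret kaniko-docker-config edp-push ./edp-push.secret
#   apply_secret regcred              edp-pull ./edp-pull.secret
```

Decoding the auth value with `base64 -d` before applying the secret is a quick way to confirm that the `$` in the robot login survived quoting.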