Skip to main content
Version: 3.10

Install Harbor

One of the storage options for application images within KubeRocketCI is Harbor, utilized during the application build process.

Inspect the prerequisites and the main steps to perform for enabling Harbor on the platform.

Prerequisites​

Installation​

To install Harbor with Helm, follow the steps below:

  1. Create a namespace for Harbor:

    kubectl create namespace harbor
  2. Create a secret for administrator user and registry:

    1. Manually

      kubectl create secret generic harbor \
      --from-literal=HARBOR_ADMIN_PASSWORD=<secret> \
      --from-literal=REGISTRY_HTPASSWD=<secret> \
      --from-literal=REGISTRY_PASSWD=<secret> \
      --from-literal=secretKey=<secret> \
      --namespace harbor
    2. Using External Secret Operator (ESO)

    Create Secret data with ESO
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
    name: harbor
    namespace: harbor
    spec:
    refreshInterval: 1h
    secretStoreRef:
    kind: SecretStore
    name: aws-parameterstore
    data:
    - secretKey: HARBOR_ADMIN_PASSWORD
    remoteRef:
    conversionStrategy: Default
    decodingStrategy: None
    key: /control-plane/deploy-secrets
    property: harbor.HARBOR_ADMIN_PASSWORD
    - secretKey: secretKey
    remoteRef:
    conversionStrategy: Default
    decodingStrategy: None
    key: /control-plane/deploy-secrets
    property: harbor.secretKey
    - secretKey: REGISTRY_HTPASSWD
    remoteRef:
    conversionStrategy: Default
    decodingStrategy: None
    key: /control-plane/deploy-secrets
    property: harbor.REGISTRY_HTPASSWD
    - secretKey: REGISTRY_PASSWD
    remoteRef:
    conversionStrategy: Default
    decodingStrategy: None
    key: /control-plane/deploy-secrets
    property: harbor.REGISTRY_PASSWD
    note

    The HARBOR_ADMIN_PASSWORD is the initial password of Harbor admin.
    The secretKey is the secret key that is used for encryption. Must be 16 characters long.
    The REGISTRY_PASSWD is Harbor registry password.
    The REGISTRY_HTPASSWD is login and password in htpasswd string format. This value is the string in the password file generated by the htpasswd command where the username is harbor_registry_user and the encryption type is bcrypt.
    See the example below:

    htpasswd -bBc passwordfile harbor_registry_user harbor_registry_password

    The username must be harbor_registry_user. The password must be the value from REGISTRY_PASSWD.

  3. Add the Helm Harbor Charts for the local client.

    helm repo add harbor https://helm.goharbor.io
  4. Check the parameters in the Harbor installation chart. For details, please refer to the values.yaml file.

  5. Install Harbor in the harbor namespace with the Helm tool.

    helm install harbor harbor/harbor
    --version 1.12.2 \
    --namespace harbor \
    --values values.yaml

    See the details on the parameters below:

    Example values.yaml
    # we use Harbor secret to consolidate all the Harbor secrets
    existingSecretAdminPassword: harbor
    existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
    existingSecretSecretKey: harbor

    core:
    # The XSRF key. Will be generated automatically if it isn't specified
    xsrfKey: ""
    jobservice:
    # Secret is used when job service communicates with other components.
    # If a secret key is not specified, Helm will generate one.
    # Must be a string of 16 chars.
    secret: ""
    registry:
    # Secret is used to secure the upload state from client
    # and registry storage backend.
    # If a secret key is not specified, Helm will generate one.
    # Must be a string of 16 chars.
    secret: ""
    credentials:
    username: harbor_registry_user
    existingSecret: harbor
    fullnameOverride: harbor
    # If Harbor is deployed behind the proxy, set it as the URL of proxy
    externalURL: https://core.harbor.domain
    ipFamily:
    ipv6:
    enabled: false
    expose:
    tls:
    enabled: false
    ingress:
    hosts:
    core: core.harbor.domain
    notary: notary.harbor.domain
    updateStrategy:
    type: Recreate
    persistence:
    persistentVolumeClaim:
    registry:
    size: 30Gi
    jobservice:
    jobLog:
    size: 1Gi
    database:
    size: 2Gi
    redis:
    size: 1Gi
    trivy:
    size: 5Gi
    database:
    internal:
    # The initial superuser password for internal database
    password: "changeit"
  6. To check if the installation is successful, run the command below:

    helm status <harbor-release> -n harbor

    You can also check ingress endpoints to get Harbor endpoint to enter Harbor UI:

    kubectl describe ingress <harbor_ingress> -n harbor