This is the Experimental version (Latest). It is under active development and may change.
Harbor Installation
Harbor is an open-source trusted cloud-native registry that stores, signs, and scans content. In Opstella, Harbor is used as the central artifact registry.
Installation
The following steps describe how to install Harbor on the 🟢 Management cluster, utilizing PostgreSQL (via CloudnativePG) for metadata and SeaweedFS HA for artifact storage.
Prepare Shell Variables
Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.
Connect to 🟢 Management Kubernetes Cluster
i.e. with a Kubeconfig file.

```bash
source $BASE_WORKING_DIR/shell-values/kubernetes/management_cluster.vars.sh
```
Create Namespace for Harbor
```bash
kubectl create namespace registry-system
```
Install PostgreSQL Backend (CloudnativePG)
Apply the PostgreSQL cluster manifest. This instance will store Harbor’s registry and core metadata.
```bash
cat <<EOF > $BASE_WORKING_DIR/kubernetes-manifests/harbor-postgres.yaml
---
# Postgres Superuser (root) Credentials
apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
  name: harbor-postgres-superuser
  namespace: registry-system
stringData:
  username: postgres
  password: "${HARBOR_POSTGRES_SUPERUSER_PASSWORD}"
---
# Harbor Application User Credentials
apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
  name: harbor-postgres-user
  namespace: registry-system
stringData:
  username: harbor
  password: "${HARBOR_POSTGRES_USER_PASSWORD}"
---
# S3 Credentials for Postgres Backups (to SeaweedFS HA)
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: harbor-postgres-s3-secret
  namespace: registry-system
stringData:
  S3_ACCESS_KEY: postgres-backup
  S3_SECRET_KEY: "${SEAWEEDFS_HA_S3_POSTGRES_BACKUP_PASSWORD}"
---
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
  name: harbor-postgres-backup
  namespace: registry-system
spec:
  # This resource defines the backup destination for the Barman Cloud Plugin
  configuration:
    destinationPath: s3://postgres-backups/
    endpointURL: "http://${SEAWEEDFS_HA_API_INTERNAL_DOMAIN}"
    s3Credentials:
      accessKeyId:
        name: harbor-postgres-s3-secret
        key: S3_ACCESS_KEY
      secretAccessKey:
        name: harbor-postgres-s3-secret
        key: S3_SECRET_KEY
    wal:
      compression: gzip
    data:
      compression: gzip
  # Retention policy for backups and WALs handled by the plugin
  retentionPolicy: "30d"
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: harbor-postgres
  namespace: registry-system
  labels:
    app.kubernetes.io/name: harbor-postgres
    app.kubernetes.io/part-of: harbor
spec:
  instances: 1
  # Image configuration (Postgres 15)
  imageName: ghcr.io/cloudnative-pg/postgresql:15
  # Enable the Barman Cloud Plugin for backups
  plugins:
    - name: barman-cloud.cloudnative-pg.io
      isWALArchiver: true
      parameters:
        serverName: "harbor-postgres"
        barmanObjectName: "harbor-postgres-backup"
  # Postgres Configuration
  postgresql:
    parameters:
      max_wal_size: "3GB"
      min_wal_size: "1GB"
  # Storage Configuration
  storage:
    size: 5Gi
    storageClass: "${K8S_STORAGECLASS_NAME}"
  walStorage:
    size: 5Gi
    storageClass: "${K8S_STORAGECLASS_NAME}"
  # Bootstrap Configuration
  bootstrap:
    initdb:
      database: harbor
      owner: harbor
      # Secret containing password for the Harbor application user
      secret:
        name: harbor-postgres-user
      # Harbor specific schema initializations could go here if needed
      # postInitApplicationSQL: []
  # Superuser credentials (root/postgres)
  superuserSecret:
    name: harbor-postgres-superuser
  # Backup Configuration (Barman Cloud Plugin will automatically detect matching ObjectStore)
  backup: {}
  # Monitoring (disabled for now)
  monitoring:
    enablePodMonitor: false
  # Resources
  resources:
    requests:
      memory: "256Mi"
      cpu: "200m"
    limits:
      memory: "1Gi"
      cpu: "1000m"
EOF
```

```bash
kubectl apply -f $BASE_WORKING_DIR/kubernetes-manifests/harbor-postgres.yaml
```
Create Harbor Application Credentials
Apply the secret containing the Harbor admin password and PostgreSQL connection credentials.
```bash
cat <<EOF > $BASE_WORKING_DIR/kubernetes-manifests/harbor.yaml
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: harbor-credentials
  namespace: registry-system
stringData:
  HARBOR_ADMIN_PASSWORD: "${HARBOR_ADMIN_PASSWORD}"
  REGISTRY_PASSWD: "${REGISTRY_PASSWD}"
  REGISTRY_HTPASSWD: "${REGISTRY_HTPASSWD}"
EOF
```

```bash
kubectl apply -f $BASE_WORKING_DIR/kubernetes-manifests/harbor.yaml
```
Add Harbor Helm Repository
```bash
helm repo add harbor https://helm.goharbor.io
helm repo update
```
Create Harbor Helm Values
```bash
cat <<EOF > $BASE_WORKING_DIR/helm-values/harbor-values.yaml
---
# Application: Harbor Configuration
externalURL: "https://${HARBOR_DOMAIN}"
# Kubernetes/Application: Harbor Authentication
existingSecretAdminPassword: harbor-credentials
# Kubernetes: Expose through Ingress
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: "${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}"
  ingress:
    hosts:
      core: "${HARBOR_DOMAIN}"
    className: ${K8S_INGRESSCLASS_NAME}
# Kubernetes/Application: Enable Persistence
persistence:
  enabled: true
  persistentVolumeClaim:
    registry:
      storageClass: "${K8S_STORAGECLASS_NAME}"
    jobservice:
      jobLog:
        storageClass: "${K8S_STORAGECLASS_NAME}"
    redis:
      storageClass: "${K8S_STORAGECLASS_NAME}"
    trivy:
      storageClass: "${K8S_STORAGECLASS_NAME}"
  # Kubernetes/Application: Persistence S3 Storage
  imageChartStorage:
    type: s3
    s3:
      regionendpoint: "${SEAWEEDFS_HA_API_INTERNAL_DOMAIN}"
      bucket: harbor
      region: us-east-1
      accesskey: harbor
      secretkey: "${SEAWEEDFS_HA_S3_HARBOR_PASSWORD}"
      v4auth: true
# For RWO volume might need to use Recreate instead of RollingUpdate
# updateStrategy:
#   type: Recreate
# Application: Database Configuration
database:
  type: external
  external:
    host: harbor-postgres-rw.registry-system.svc
    port: 5432
    coreDatabase: harbor
    username: harbor
    existingSecret: harbor-postgres-user
# Application: Relative URLs
registry:
  relativeurls: true
  credentials:
    existingSecret: "harbor-credentials"
# Proxy settings when it runs behind a proxy
proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - trivy
EOF
```
Install Harbor Helm Release
```bash
helm upgrade --install harbor harbor/harbor \
  --namespace registry-system \
  --version 1.18.2 \
  -f $BASE_WORKING_DIR/helm-values/harbor-values.yaml
```
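The heredocs in the steps above are unquoted (cat <<EOF), so the shell substitutes every ${...} while the file is written, and an unset variable silently renders as an empty value such as password: "". The following preflight is an added example, not part of the Opstella documentation: the function names are hypothetical, and the variable list is taken from the heredocs on this page.

```sh
# Added example (not from the Opstella docs). POSIX sh: source this file,
# then call the functions from the same shell session.

# Every variable that the heredocs on this page expand.
HARBOR_REQUIRED_VARS="BASE_WORKING_DIR HARBOR_DOMAIN HARBOR_ADMIN_PASSWORD
REGISTRY_PASSWD REGISTRY_HTPASSWD HARBOR_POSTGRES_SUPERUSER_PASSWORD
HARBOR_POSTGRES_USER_PASSWORD SEAWEEDFS_HA_API_INTERNAL_DOMAIN
SEAWEEDFS_HA_S3_POSTGRES_BACKUP_PASSWORD SEAWEEDFS_HA_S3_HARBOR_PASSWORD
K8S_STORAGECLASS_NAME K8S_INGRESSCLASS_NAME
K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME"

# Print the name of each required variable that is unset or empty.
harbor_missing_vars() {
  for _name in $HARBOR_REQUIRED_VARS; do
    # eval is safe here: names come only from the fixed list above.
    eval "_val=\${$_name:-}"
    [ -n "$_val" ] || printf '%s\n' "$_name"
  done
}

# Refuse to continue with missing variables; otherwise make files created
# from now on owner-only, since the rendered YAML holds plaintext passwords.
harbor_preflight() {
  _missing=$(harbor_missing_vars)
  if [ -n "$_missing" ]; then
    printf 'unset or empty: %s\n' $_missing >&2
    return 1
  fi
  umask 077
}

# After rendering: print file:line for credential keys whose value is empty.
harbor_empty_secrets() {
  awk '
    /^[ \t]*[A-Za-z0-9_]*(password|PASSWORD|PASSWD|secretkey|SECRET_KEY)[A-Za-z0-9_]*:[ \t]*("")?[ \t]*$/ {
      sub(/^[ \t]+/, "")
      print FILENAME ":" FNR ": " $0
    }' "$@"
}
```

Run harbor_preflight after loading the shell variables and before the first cat <<EOF step. Run harbor_empty_secrets on the rendered files before kubectl apply and helm upgrade; any output means a credential was rendered empty.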
Post-Installation
Verify Pod Status
```bash
kubectl get pods -n registry-system
```

💡 All Harbor components and the PostgreSQL cluster should be Running:

```
NAME                                  READY   STATUS    RESTARTS   AGE
harbor-core-XXXXXXXXXX-YYYYY          1/1     Running   0          ...
harbor-jobservice-XXXXXXXXXX-YYYYY    1/1     Running   0          ...
harbor-portal-XXXXXXXXXX-YYYYY        1/1     Running   0          ...
harbor-registry-XXXXXXXXXX-YYYYY      2/2     Running   0          ...
harbor-trivy-0                        1/1     Running   0          ...
harbor-postgres-1                     1/1     Running   0          ...
```
Verify Harbor UI Access
- Access the Harbor UI at https://${HARBOR_DOMAIN}.
- Login with the admin account and the password defined in ${HARBOR_ADMIN_PASSWORD}.
- Confirm that the system is healthy and responsive.