Harbor Configurations

You will store Container Images for Opstella here.

  1. Go to ${HARBOR_DOMAIN} and log in with the Initial Admin Account.

  2. Go to Projects menu > + New Project

  3. Create opstella-platform Project

Create Harbor Projects for CI/CD Pipelines Container Image Mirrored/Proxy Caches Repository

These projects ease the load of the CI/CD Pipelines runtime, which is container-based (GitLab Runner with Kubernetes Executor + Opstella Standard GitLab CI Pipelines).

Pulling directly from the source registries may exhaust your network bandwidth and affect your ability to reach the registry.

Mirrored/Proxy Caches on Harbor Projects act as local storage for container images that are frequently used by CI/CD Pipelines, so the pipelines do not need to access the source registry extensively.

  1. Go to Administration menu > Registries

  2. Click + New Endpoint and populate this information.

    • Registry: Docker Hub
      • Provider: Docker Hub
      • Name: docker.io

    • Registry: gcr.io
      • Provider: Docker Registry
      • Name: gcr.io
      • Endpoint URL: https://gcr.io

    • Registry: quay.io
      • Provider: Docker Registry
      • Name: quay.io
      • Endpoint URL: https://quay.io

    • Registry: ghcr.io
      • Provider: Docker Registry
      • Name: ghcr.io
      • Endpoint URL: https://ghcr.io

  3. You should have registries recorded like this.

  4. Go to Projects menu > + New Project

  5. Create Proxy Cache Projects

    Create one project for each of the registries that you created previously.

    • Registry: Docker Hub

      • Project Name: mirror-docker.io
      • Tick Proxy Cache, choose docker.io-https://hub.docker.com
    • Registry: gcr.io

      • Project Name: mirror-gcr.io
      • Tick Proxy Cache, choose gcr.io-https://gcr.io
    • Registry: quay.io

      • Project Name: mirror-quay.io
      • Tick Proxy Cache, choose quay.io-https://quay.io
    • Registry: ghcr.io

      • Project Name: mirror-ghcr.io
      • Tick Proxy Cache, choose ghcr.io-https://ghcr.io
  6. Proxy Cache Projects should look like this.
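
As an added example (not part of the Opstella documentation), the POSIX shell helper below maps an upstream image reference onto the proxy cache projects created above and rejects registries that have no proxy cache project, so a pipeline cannot silently bypass the mirror. The function names are hypothetical; HARBOR_DOMAIN and the mirror-<registry> project names follow this page, and the library/ prefix is what Harbor expects for Docker Hub official images pulled through a proxy cache.

```shell
#!/bin/sh
# Added example: to_mirror_ref and rewrite_all are hypothetical helper names.
# HARBOR_DOMAIN and the mirror-<registry> projects are the ones from this page.
HARBOR_DOMAIN="${HARBOR_DOMAIN:-harbor.your-domain.com}"

# Print the Harbor proxy-cache path for one upstream image reference.
to_mirror_ref() {
  ref=$1
  first=${ref%%/*}
  # Default: an implicit Docker Hub reference such as "alpine:3.19".
  registry=docker.io
  path=$ref
  # The first path component is a registry host only if it contains "." or ":"
  # or is "localhost"; otherwise it is a Docker Hub namespace.
  if [ "$first" != "$ref" ]; then
    case "$first" in
      *.*|*:*|localhost) registry=$first; path=${ref#*/} ;;
    esac
  fi
  # Docker Hub official images live under the implicit "library/" namespace.
  if [ "$registry" = docker.io ]; then
    case "$path" in
      */*) ;;
      *) path="library/$path" ;;
    esac
  fi
  # Only registries that have a proxy cache project are let through.
  case "$registry" in
    docker.io|gcr.io|quay.io|ghcr.io) ;;
    *) echo "no proxy cache project for registry: $registry" >&2; return 1 ;;
  esac
  printf '%s/mirror-%s/%s\n' "$HARBOR_DOMAIN" "$registry" "$path"
}

# Rewrite every reference read from stdin (one per line).
# Returns non-zero if any reference points at an unmirrored registry.
rewrite_all() {
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    to_mirror_ref "$line" || rc=1
  done
  return "$rc"
}
```

Feeding a pipeline's image list through rewrite_all gives both the rewritten references and a failing exit status for any image that would still be pulled directly from an upstream registry.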

Create Robot Account for Opstella Deployment

These credentials are used to push/pull Opstella Container Images during installation.

  1. Go to Administration menu > Robot Accounts

  2. Create a new Robot Account: click + New Robot Account

    Basic Information

    • Name: opstella-deploy
    • Description: Deploy Credentials for Opstella
    • Expiration time: Never

  3. Click Next to skip Assigning System Permissions

  4. Assign opstella-platform Project Permissions

    • Tick on opstella-platform Project

    • Assign Pull, Push Repository Permissions

  5. Keep the token SAFE, as you will use it when installing Opstella in a later step.

Create Robot Account for Opstella-managed GitLab Runner Access

These credentials are used to pull Artifacts for Opstella-managed GitLab Runners.

  1. Go to Administration menu > Robot Accounts

  2. Create a new Robot Account: click + New Robot Account

    Basic Information

    • Name: opstella-gitlab-runners
    • Description: Access for Opstella-managed GitLab Runners
    • Expiration time: Never

  3. Click Next to skip Assigning System Permissions

  4. Assign Projects Permissions

    • Tick on Projects
      • library
      • mirror-docker.io
      • mirror-gcr.io
      • mirror-quay.io
      • mirror-ghcr.io

    • Assign Pull Repository Permission with Reset All Project Permissions and Click Finish

  5. Keep the token SAFE, as you will use it when setting up the Opstella-managed GitLab Runners Deployment Template in a later step.

Push Opstella Container Images to Private Registry (Air-gapped Installation)

Before proceeding, ensure you have your Google Service Account Key (JSON) on the Bastion Host.

Define the required environment variables:

# 1. Source Registry (Google Artifact Registry)
export SOURCE_REGISTRY="asia-southeast1-docker.pkg.dev/opstella/platform"
# 2. Destination Registry (Your Local Harbor)
export HARBOR_DOMAIN="harbor.your-domain.com" # Replace with your actual domain
export DEST_REGISTRY="${HARBOR_DOMAIN}/opstella-platform"
# 3. Opstella Version to Install
export VERSION="v1.0.0" # Replace with the specific version tag

  1. Login to Registries

    1.1 Login to Google Artifact Registry (Source)

    Use the JSON key file you downloaded earlier.

    # Replace path/to/key.json with your actual file path
    cat path/to/key.json | docker login -u _json_key --password-stdin https://asia-southeast1-docker.pkg.dev

    1.2 Login to Local Harbor Registry (Destination)

    Use your previously created Robot Account.

    ## For security reasons turn off bash history momentarily
    set +o history
    export REGISTRY_USERNAME='robot$opstella-deploy'
    export REGISTRY_PASSWORD="CHANGEME"
    # Feed the token on stdin; --password would expose it in the process list
    printf '%s' "$REGISTRY_PASSWORD" | docker login "$HARBOR_DOMAIN" \
      --username "$REGISTRY_USERNAME" \
      --password-stdin
    set -o history

  2. Pull, Tag, and Push Images

    We will pull images from the Google Cloud source, re-tag them for your local Harbor, and push them.

    2.1 Core Services (UI, Backend, Utilities)

    # List of core services
    CORE_SERVICES=("ui" "core" "clear-session")
    for SERVICE in "${CORE_SERVICES[@]}"; do
      echo "Processing ${SERVICE}..."
      # Pull
      docker pull "${SOURCE_REGISTRY}/${SERVICE}:${VERSION}"
      # Tag
      docker tag "${SOURCE_REGISTRY}/${SERVICE}:${VERSION}" "${DEST_REGISTRY}/${SERVICE}:${VERSION}"
      # Push
      docker push "${DEST_REGISTRY}/${SERVICE}:${VERSION}"
    done

    2.2 Opstella Workers

    Push the specific worker images required for your installation.

    #!/bin/bash
    # Define enabled instruments
    export OPSTELLA_ENABLED_INSTRUMENTS=(keycloak kubernetes argocd-nonprod argocd-prod defectdojo gitlab headlamp-nonprod headlamp-prod harbor sonarqube vault grafana loki tempo)
    for KEY in "${OPSTELLA_ENABLED_INSTRUMENTS[@]}"
    do
      # Normalize image names (remove suffixes like -prod/-nonprod)
      if echo "$KEY" | grep -q "^argocd"; then
        export IMAGE_NAME="argocd"
      elif echo "$KEY" | grep -q "^headlamp"; then
        export IMAGE_NAME="headlamp"
      elif echo "$KEY" | grep -q "^kubernetes"; then
        export IMAGE_NAME="kubernetes"
      else
        export IMAGE_NAME="$KEY"
      fi
      SOURCE_IMAGE="${SOURCE_REGISTRY}/worker-${IMAGE_NAME}:${VERSION}"
      DEST_IMAGE="${DEST_REGISTRY}/worker-${IMAGE_NAME}:${VERSION}"
      echo "Processing Worker: ${IMAGE_NAME}..."
      # Pull
      docker pull "$SOURCE_IMAGE"
      # Tag
      docker tag "$SOURCE_IMAGE" "$DEST_IMAGE"
      # Push
      docker push "$DEST_IMAGE"
    done
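
For the Harbor login in step 1.2, the robot token can also be read from a file rather than an exported variable. The helper below is an added example, not part of the Opstella documentation: it refuses a token file that group or other users can read and hands the token to docker login on stdin. The name harbor_login and the token file location are assumptions; the robot account name and HARBOR_DOMAIN are the ones used on this page.

```shell
#!/bin/sh
# Added example: harbor_login is a hypothetical helper name.
DEFAULT_ROBOT='robot$opstella-deploy'   # robot account created earlier on this page

# Usage: harbor_login <token-file> [username]
harbor_login() {
  token_file=$1
  user=${2:-$DEFAULT_ROBOT}
  if [ ! -f "$token_file" ]; then
    echo "token file not found: $token_file" >&2
    return 1
  fi
  # Characters 5-10 of the ls mode string are the group and other permission
  # bits; all six must be "-" (for example mode 600 or 400).
  perms=$(ls -ld -- "$token_file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "refusing $token_file: accessible by group/other, run chmod 600" >&2
    return 1
  fi
  # The token travels on stdin, so it is never part of a command line
  # and never stored in a shell variable or in shell history.
  docker login "$HARBOR_DOMAIN" --username "$user" --password-stdin < "$token_file"
}
```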
