With Harbor, you can manage your container registry needs in a standalone management cluster, providing a centralized and streamlined approach to container management. Plus, with the ability to deploy Harbor as a shared service, you can make it available to all of your workload clusters managed by the same standalone management cluster.
Deploy Harbor into a Cluster
Follow this procedure to deploy Harbor into a workload or shared services cluster:
1. Confirm that the Harbor package is available in the cluster:
tanzu package available list -A
2. Retrieve the version of the available package:
tanzu package available list harbor.tanzu.vmware.com -A
3. Download the Harbor package from the standard package repository:
imgpkg pull -b projects.registry.vmware.com/tkg/packages/standard/harbor:v2.7.1_vmware.1-tkg.1 -o /tmp/harbor-package-v2.7.1_vmware.1-tkg.1
4. Set the mandatory passwords and secrets in the harbor-data-values.yaml file by doing one of the following:
cp /tmp/harbor-package-v2.7.1_vmware.1-tkg.1/config/values.yaml harbor-data-values.yaml
bash /tmp/harbor-package-v2.7.1_vmware.1-tkg.1/config/scripts/generate-passwords.sh harbor-data-values.yaml
5. Specify other settings in the harbor-data-values.yaml file.
- Set the hostname setting to the hostname you want to use to access Harbor. For example, harbor.yourdomain.com.
- To use your own certificates, update the tls.crt, tls.key, and ca.crt settings with the contents of your certificate, key, and CA certificate.
- If you used the generate-passwords.sh script, optionally update the harborAdminPassword with something that is easier to remember.
- Non-empty values are required for the following:
- storageClass: Under persistence.persistentVolumeClaim, for registry, jobservice, database, redis, and trivy, set storageClass to a storage profile returned by kubectl get sc.
- Optionally, update other persistence settings to specify how Harbor stores data.
6. Remove all comments in the harbor-data-values.yaml file:
yq -i eval '... comments=""' harbor-data-values.yaml
7. Install the package:
tanzu package install harbor --package harbor.tanzu.vmware.com --version 2.7.1+vmware.1-tkg.1 --values-file harbor-data-values.yaml --namespace my-packages
8. Confirm that the harbor package has been installed:
tanzu package installed list -A
To see more details about the package, you can also run:
tanzu package installed get harbor --namespace my-packages
Confirm that the harbor app has been successfully reconciled:
kubectl get apps -A
If the status is not Reconcile Succeeded, view the full status details of the harbor app. Viewing the full status can help you troubleshoot the problem.
kubectl get app harbor --namespace my-packages -o yaml
If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:
tanzu package installed delete harbor --namespace my-packages
Confirm that the Harbor services are running by listing all of the pods in the cluster:
kubectl get pods -n tanzu-system-registry
9. Obtain the Harbor CA certificate from the harbor-tls secret in the tanzu-system-registry namespace:
kubectl -n tanzu-system-registry get secret harbor-tls -o=jsonpath="{.data.ca\.crt}" | base64 -d
Record the output for the following step.
If the Harbor registry uses a self-signed CA, add it to workload clusters using the applicable procedure based on how the cluster was deployed:
- Supervisor-deployed:
- vSphere 8: See Integrate a TKG 2 Cluster with a Private Container Registry
- vSphere 7: See Use an External Container Registry with Tanzu Kubernetes Clusters
- Standalone management cluster-deployed:
- New clusters: See Configure Clusters with Multiple Trusted Registries
- Existing clusters: See Add Custom CA Certificate Trust to Existing Clusters
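The script below is an added example, not part of the VMware procedure or the Harbor package: a lint for harbor-data-values.yaml to run before the install in step 7, after the file has been edited and its comments removed (steps 5 and 6). It assumes 2-space YAML indentation; the function names and the owner-only file mode check (the file holds the admin password and generated secrets) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-install lint for harbor-data-values.yaml.
# Assumes 2-space indentation. Function names here are hypothetical.

yaml_get() {  # yaml_get FILE dotted.path -> prints the raw scalar at that path
  awk -v want="$2" '
    { ind = $0; sub(/[^ ].*$/, "", ind); depth = length(ind) / 2
      line = substr($0, length(ind) + 1)
      if (line !~ /^[A-Za-z0-9_-]+:/) next      # skip blanks, list items, PEM bodies
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]+: */, "", val)
      path[depth] = key; full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      if (full == want) { print val; exit } }' "$1"
}

is_empty() { case "$1" in ''|'""'|"''") return 0 ;; *) return 1 ;; esac; }

lint_harbor_values() {  # returns the number of findings (0 = ready to install)
  local f=$1 findings=0 mode key c
  fail() { echo "FAIL: $*" >&2; findings=$((findings + 1)); }
  # The file holds the admin password and generated secrets: owner-only access.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in *00) ;; *) fail "mode $mode on $f, expected 600" ;; esac
  if grep -q '^[[:space:]]*#' "$f"; then fail "comments still present"; fi
  for key in hostname harborAdminPassword; do
    if is_empty "$(yaml_get "$f" "$key")"; then fail "$key is empty"; fi
  done
  for c in registry jobservice database redis trivy; do
    if is_empty "$(yaml_get "$f" "persistence.persistentVolumeClaim.$c.storageClass")"
    then fail "storageClass for $c is empty"; fi
  done
  return "$findings"
}

write_sample() {  # write_sample FILE STORAGECLASS: constructed sample, not a real values file
  ( umask 077
    { printf 'hostname: harbor.yourdomain.com\nharborAdminPassword: "constructed-pw"\n'
      printf 'persistence:\n  persistentVolumeClaim:\n'
      for c in registry jobservice database redis trivy; do
        printf '    %s:\n      storageClass: "%s"\n' "$c" "$2"
      done; } > "$1" )
}
```

Source the script and call `lint_harbor_values harbor-data-values.yaml`; a non-zero return is the number of findings, each printed to stderr.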
Reference: Install Harbor for Service Registry