Installing Harbor
This section explains the steps to install Harbor, a secure container registry, on a Kubernetes cluster using Helm. It includes setting up TLS for security, persistent storage, S3-compatible storage and custom pod placement with tolerations and affinities.
To install Harbor, follow these steps:
- Add the Harbor Helm repository using the following command.

      helm repo add harbor https://helm.goharbor.io

- Fetch the Harbor Helm chart.

      helm fetch harbor/harbor --version 1.12.2

  Info: This downloads a specific version of the Harbor package, ensuring compatibility with your deployment environment.
- Update the following configurations in the values.yaml file. Only the keys to change are shown, at their position in the chart's values.yaml.

      # Ingress TLS: use the certificate from an existing Secret
      expose:
        tls:
          certSource: "secret"
          secret:
            secretName: "sc-harbor-com-ssl"
            notarySecretName: "sc-harbor-com-ssl"
        ingress:
          hosts:
            core: harbor.pvt-rancher1.cn1-int.domain-in.cn
            notary: notary.pvt-rancher1.cn1-int.domain-in.cn
          annotations:
            nginx.ingress.kubernetes.io/proxy-request-buffering: "off"

      externalURL: https://harbor.pvt-rancher1.cn1-int.domain-in.cn

      # TLS between Harbor components
      internalTLS:
        enabled: true

      persistence:
        persistentVolumeClaim:
          registry:
            storageClass: "longhorn-ssd"
            accessMode: ReadWriteMany
            size: 100Gi
          jobservice:
            jobLog:
              storageClass: "longhorn-ssd"
              accessMode: ReadWriteMany
              size: 20Gi
          database:
            storageClass: "longhorn-ssd"
            size: 30Gi
          redis:
            storageClass: "longhorn-ssd"
            size: 30Gi
          trivy:
            storageClass: "longhorn-ssd"
            size: 20Gi
        # Image and chart storage in the S3-compatible Ceph bucket
        imageChartStorage:
          type: s3
          s3:
            region: us-east-1
            bucket: "yourbucketforharborimage"
            accesskey: "your accesskey of the bucket ceph"
            secretkey: "your secretkey of the bucket ceph"
            regionendpoint: https://ceph.pvt-rancher1.cn1-int.domain-in.cn
            multipartcopychunksize: "33554432"
            multipartcopymaxconcurrency: 100
            multipartcopythresholdsize: "33554432"

      # Pod placement: every component tolerates the domain=iaas:NoSchedule
      # taint and is pinned to nodes labelled iaas=true
      nginx:
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      portal:
        replicas: 2
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      core:
        replicas: 2
        resources:
          requests:
            cpu: 2
            memory: 4Gi
          limits:
            cpu: 4
            memory: 8Gi
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      jobservice:
        replicas: 2
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      registry:
        replicas: 2
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      trivy:
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      notary:
        server:
          replicas: 2
          tolerations:
            - effect: "NoSchedule"
              key: "domain"
              operator: "Equal"
              value: "iaas"
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: "iaas"
                        operator: "In"
                        values:
                          - "true"
        signer:
          replicas: 2
          tolerations:
            - effect: "NoSchedule"
              key: "domain"
              operator: "Equal"
              value: "iaas"
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: "iaas"
                        operator: "In"
                        values:
                          - "true"

      database:
        internal:
          tolerations:
            - effect: "NoSchedule"
              key: "domain"
              operator: "Equal"
              value: "iaas"
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: "iaas"
                        operator: "In"
                        values:
                          - "true"
        external:
          host: ""
          port: ""
          username: ""
          password: ""
          coreDatabase: ""
          notaryServerDatabase: ""
          notarySignerDatabase: ""

      redis:
        # The chart reads placement settings for the bundled Redis from redis.internal
        internal:
          tolerations:
            - effect: "NoSchedule"
              key: "domain"
              operator: "Equal"
              value: "iaas"
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: "iaas"
                        operator: "In"
                        values:
                          - "true"
        external:
          addr: ""

      exporter:
        tolerations:
          - effect: "NoSchedule"
            key: "domain"
            operator: "Equal"
            value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: "iaas"
                      operator: "In"
                      values:
                        - "true"

      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
- Update the Ingress configuration in the templates/ingress/secret.yaml file by adding the certificates for your Harbor URL domain.

      apiVersion: v1
      kind: Secret
      metadata:
        name: sc-harbor-com-ssl
        namespace: mdsp-bk-harbor
      data:
        <add key data>
      type: kubernetes.io/tls
- Create a bucket in Ceph for the storage system.
- Install Harbor using Helm with the specified mdsp-bk-harbor namespace by running the following command. The trailing "." is the chart path, that is, the current directory.

      helm -n mdsp-bk-harbor install harbor .
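
The Secret in the templates/ingress/secret.yaml step leaves its data as a placeholder; a kubernetes.io/tls Secret carries the base64-encoded PEM certificate and private key under the keys tls.crt and tls.key. The script below is an added example (not part of the original procedure or the Harbor chart) that checks the pair and prints that manifest; the function names and file arguments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the Harbor chart. Secret name and namespace are the
# ones used on this page; function names and file arguments are hypothetical.

# Succeeds only if the certificate's public key is the public half of the
# private key. Needs openssl on PATH; any parse failure counts as a mismatch.
tls_pair_matches() {
  local crt="$1" key="$2" from_crt from_key
  from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# Prints a kubernetes.io/tls Secret manifest for the given PEM files.
# Returns 1 and prints nothing to stdout if the files are swapped, not PEM,
# or the key is passphrase-protected (ENCRYPTED PRIVATE KEY).
render_tls_secret() {
  local crt="$1" key="$2" name="${3:-sc-harbor-com-ssl}" ns="${4:-mdsp-bk-harbor}"
  grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
    { echo "not a PEM certificate: $crt" >&2; return 1; }
  grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key" ||
    { echo "not an unencrypted PEM private key: $key" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$crt" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# Called with two file arguments: verify the pair, then print the manifest.
if [ "$#" -eq 2 ]; then
  tls_pair_matches "$1" "$2" ||
    { echo "certificate and key do not match" >&2; exit 1; }
  render_tls_secret "$1" "$2"
fi
```

The output is the content for templates/ingress/secret.yaml; it contains the private key, so treat that file as a secret and keep it out of version control.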