
Installing Harbor

This section explains the steps to install Harbor, a secure container registry, on a Kubernetes cluster using Helm. It includes setting up TLS for security, persistent storage, S3-compatible storage and custom pod placement with tolerations and affinities.

To install Harbor, follow these steps:

  1. Add the Harbor Helm repository using the following command.

    # Register the Harbor chart repository under the local alias "harbor".
    # The repository is addressed over HTTPS.
    helm repo add harbor https://helm.goharbor.io
    
  2. Fetch the Harbor Helm chart.

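    # --untar unpacks the chart into ./harbor so that values.yaml and the
    # templates/ directory edited in the following steps exist on disk
    # (without it only a .tgz archive is downloaded).
    # The chart version is pinned; before installing, check the Harbor
    # release notes and security advisories for a newer patched release.
    helm fetch harbor/harbor --version 1.12.2 --untar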
    

    Info: This downloads one specific, pinned version of the Harbor Helm chart, which keeps the installation reproducible and ensures compatibility with your deployment environment.

  3. Update the following configurations in the values.yaml file.

    # Fragment of the chart's values.yaml: only the keys to change are listed,
    # and some are written as abbreviated paths (for example hosts.core).
    # NOTE(review): find each key under its parent section in the chart's own
    # values.yaml instead of pasting this block as-is — confirm the nesting.

    # TLS certificate is read from an existing Kubernetes Secret. The name must
    # match the Secret created in templates/ingress/secret.yaml.
    certSource: "secret"
    secretName: "sc-harbor-com-ssl"
    # The same Secret is used for the Notary host, so its certificate has to
    # cover both host names below.
    notarySecretName: "sc-harbor-com-ssl"
    hosts.core: harbor.pvt-rancher1.cn1-int.domain-in.cn
    hosts.notary: notary.pvt-rancher1.cn1-int.domain-in.cn
    annotations:
        # Quoted so the value stays the string "off" rather than a boolean.
        nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
    # Public URL is HTTPS and uses the same host as hosts.core.
    externalURL: https://harbor.pvt-rancher1.cn1-int.domain-in.cn
    # TLS between Harbor's own components, in addition to TLS at the ingress.
    internalTLS:
      enabled: true
    # NOTE(review): the next three keys have no visible parent and repeat the
    # registry volume settings further down — confirm where they belong.
    storageClass: "longhorn-ssd"
    # ReadWriteMany requires a storage class that supports shared access.
    accessMode: ReadWriteMany
    size: 100Gi
      # NOTE(review): indentation does not line up with the keys above; this
      # reads as a child of a parent key that is not shown — confirm.
      persistentVolumeClaim:
        registry:
          storageClass: "longhorn-ssd"
          accessMode: ReadWriteMany
          size: 100Gi
        jobservice:
          jobLog:
            storageClass: "longhorn-ssd"
            accessMode: ReadWriteMany
            size: 20Gi
        database:
          storageClass: "longhorn-ssd"
          size: 30Gi
        redis:
          storageClass: "longhorn-ssd"
          size: 30Gi
        trivy:
          storageClass: "longhorn-ssd"
          size: 20Gi
    
      # Image and chart blobs are stored in an S3-compatible bucket (Ceph).
      imageChartStorage:
        type: s3
    
        s3:
          region: us-east-1
          bucket: "yourbucketforharborimage"
          # Credentials are written here in plain text: keep this values.yaml
          # out of version control and restrict who can read it. Use an access
          # key limited to this one bucket.
          # NOTE(review): the chart may offer an existingSecret option under s3
          # so the keys need not appear in this file — confirm for this version.
          accesskey: "your accesskey of the bucket ceph"
          secretkey: "your secretkey of the bucket ceph"
          # HTTPS endpoint: registry traffic to Ceph is sent over TLS.
          regionendpoint: https://ceph.pvt-rancher1.cn1-int.domain-in.cn
          # 33554432 bytes = 32 MiB.
          multipartcopychunksize: "33554432"
          multipartcopymaxconcurrency: 100
          multipartcopythresholdsize: "33554432"
    
    # nginx pods: the required node affinity restricts scheduling to nodes
    # labelled iaas=true; the toleration allows them onto nodes tainted
    # domain=iaas:NoSchedule. The toleration alone would not pin the pods.
    nginx:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    
    # Portal pods: two replicas, scheduled only on nodes labelled iaas=true
    # and allowed onto nodes tainted domain=iaas:NoSchedule.
    portal:
      replicas: 2
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    
    
    # Core pods: two replicas with explicit CPU/memory requests and limits, so
    # one pod cannot exhaust the node. Scheduled only on nodes labelled
    # iaas=true and allowed onto nodes tainted domain=iaas:NoSchedule.
    core:
      replicas: 2
      resources:
        limits:
          cpu: 4
          memory: 8Gi
        requests:
          cpu: 2
          memory: 4Gi
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    
    # Jobservice pods: two replicas, scheduled only on nodes labelled
    # iaas=true and allowed onto nodes tainted domain=iaas:NoSchedule.
    jobservice:
      replicas: 2
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    # Registry pods: two replicas, scheduled only on nodes labelled iaas=true
    # and allowed onto nodes tainted domain=iaas:NoSchedule.
    registry:
      replicas: 2
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    
    # Trivy (image vulnerability scanner) pods: scheduled only on nodes
    # labelled iaas=true and allowed onto nodes tainted domain=iaas:NoSchedule.
    trivy:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    
    # Notary server and signer: two replicas each, with the same placement
    # rules — only nodes labelled iaas=true, and the domain=iaas:NoSchedule
    # taint is tolerated.
    notary:
      server:
        replicas: 2
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: iaas
                      operator: In
                      values:
                        # Quoted: label values are strings, not booleans.
                        - 'true'
        tolerations:
          - key: domain
            operator: Equal
            value: iaas
            effect: NoSchedule
      signer:
        replicas: 2
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: iaas
                      operator: In
                      values:
                        - 'true'
        tolerations:
          - key: domain
            operator: Equal
            value: iaas
            effect: NoSchedule
    database:
      # Internal database pods: scheduled only on nodes labelled iaas=true and
      # allowed onto nodes tainted domain=iaas:NoSchedule.
      internal:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: iaas
                      operator: In
                      values:
                        # Quoted: label values are strings, not booleans.
                        - 'true'
        tolerations:
          - key: domain
            operator: Equal
            value: iaas
            effect: NoSchedule
      # External database settings are all left empty here.
      # NOTE(review): presumably unused while the internal database is active
      # — confirm. If filled in, the password would sit in plain text in this
      # file, so treat values.yaml as a secret in that case.
      external:
        host: ''
        port: ''
        username: ''
        password: ''
        coreDatabase: ''
        notaryServerDatabase: ''
        notarySignerDatabase: ''
    
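    redis:
      # The placement rules are nested under "internal", mirroring the database
      # section. In the original listing this key was missing, which left
      # "external" at an indentation that does not parse.
      # Internal Redis pods: scheduled only on nodes labelled iaas=true and
      # allowed onto nodes tainted domain=iaas:NoSchedule.
      internal:
        tolerations:
        - effect: "NoSchedule"
          key: "domain"
          operator: "Equal"
          value: "iaas"
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: "iaas"
                  operator: "In"
                  values:
                  # Quoted: label values are strings, not booleans.
                  - "true"

      # External Redis address is left empty here.
      external:
        addr: ""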
    # Exporter pods: scheduled only on nodes labelled iaas=true and allowed
    # onto nodes tainted domain=iaas:NoSchedule.
    exporter:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: iaas
                    operator: In
                    values:
                      # Quoted: label values are strings, not booleans.
                      - 'true'
      tolerations:
        - key: domain
          operator: Equal
          value: iaas
          effect: NoSchedule
    
    # Turns on metrics and the accompanying ServiceMonitor.
    # NOTE(review): a ServiceMonitor presumably needs the Prometheus Operator
    # CRDs in the cluster, and the metrics endpoints should be reachable only
    # by the monitoring stack — confirm both.
    metrics:
      serviceMonitor:
        enabled: true
      enabled: true
    
  4. Update the Ingress configuration in the templates/ingress/secret.yaml file by adding the certificates for your Harbor URL domain.

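    # TLS Secret referenced by secretName / notarySecretName in values.yaml.
    # A kubernetes.io/tls Secret must carry both tls.crt and tls.key, each
    # base64-encoded. Keep the real private key out of version control; the
    # same Secret can instead be created out of band with
    # `kubectl create secret tls`, so the key never lives in the chart sources.
    apiVersion: v1
    kind: Secret
    metadata:
      name: sc-harbor-com-ssl
      namespace: mdsp-bk-harbor
    type: kubernetes.io/tls
    data:
      tls.crt: <base64-encoded PEM certificate covering the Harbor and Notary hosts>
      tls.key: <base64-encoded PEM private key>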
    
  5. Create a bucket in Ceph to serve as the storage system. Its name and access credentials must match the s3 settings entered in step 3.

  6. Install Harbor using Helm with the specified mdsp-bk-harbor namespace by running the following command.

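    # Run from inside the unpacked chart directory: "harbor" is the release
    # name and "." is the chart path (the local copy edited in the steps above).
    # The mdsp-bk-harbor namespace must already exist, or add --create-namespace.
    helm -n mdsp-bk-harbor install harbor .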
    

Last update: January 28, 2025