This topic describes how to install and configure VMware Harbor Registry using Pivotal Ops Manager for use with VMware Enterprise PKS and Pivotal Application Service (PAS).
For more information about Enterprise PKS, see the VMware Enterprise PKS documentation.
For more information about PAS, see PAS Concepts in the Pivotal documentation.
Note: This documentation supports the Harbor v1.8 release.
You must have installed Enterprise PKS. For more information, see Installing Enterprise PKS in the Enterprise PKS documentation.
Click the Harbor tile to begin the configuration process.
a.b.c.d/28, if you input only one pool, the smallest CIDR block is a.b.c.d/25. If you input two pools, the smallest CIDR block is
Note: There are 10 networks in the Harbor VM. Make sure there are enough subnetworks in the specified CIDR. If there are not enough subnets in the network, the Harbor server fails to start. For example, if you select this option, for the Address pool1 base you might enter 172.31.0.0/26, and for the Address pool1 size you might enter 28. Additional entry pairs are optional.
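The subnet check in the note above can be done before you save the pane. The following is an added example (not part of the Harbor tile or its docs) that counts how many subnets of the configured pool size fit in each address pool base, flags overlapping pools, and compares the total against the 10 networks the Harbor VM needs; the pool values in it are constructed.

```python
import ipaddress

# Number of Docker networks the Harbor VM creates (from the tile docs).
HARBOR_NETWORK_COUNT = 10


def subnets_available(pool_base: str, pool_size: int) -> int:
    """Return how many /<pool_size> subnets fit in the 'Address pool base' CIDR."""
    base = ipaddress.ip_network(pool_base, strict=True)  # rejects host bits set
    if pool_size < base.prefixlen or pool_size > base.max_prefixlen:
        raise ValueError(f"pool size /{pool_size} does not fit inside {base}")
    return 2 ** (pool_size - base.prefixlen)


def check_pools(pools, required: int = HARBOR_NETWORK_COUNT) -> dict:
    """Sum subnets over all (base, size) pairs and report whether Harbor can start.

    pools: list of (pool_base, pool_size) tuples, one per pool entry in the tile.
    """
    nets = [ipaddress.ip_network(base, strict=True) for base, _ in pools]
    overlaps = [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]
    total = sum(subnets_available(base, size) for base, size in pools)
    return {
        "subnets": total,
        "required": required,
        "overlaps": overlaps,
        "ok": total >= required and not overlaps,
    }


if __name__ == "__main__":
    # Constructed sample pools, not values from the docs.
    print(check_pools([("172.31.0.0/23", 28)]))   # 32 subnets -> ok
    print(check_pools([("10.200.0.0/27", 28)]))   # 2 subnets  -> Harbor would fail to start
    print(check_pools([("10.200.0.0/27", 28), ("10.201.0.0/25", 28)]))  # 2 + 8 = 10 -> ok
```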
On the Certificate pane, you configure the SSL certificate and private key for Harbor. You can generate the certificate and private key or provide a custom signed certificate and private key. Additionally, you must provide the Certificate Authority (CA) certificate that was used to sign the Harbor certificate. The domain name used to generate the RSA certificate in the Harbor tile can be different from the domain name used to generate the RSA certificate in the Enterprise PKS or PAS tile.
To use a certificate that Ops Manager generates automatically, follow the steps below.
Note: If you use a wildcard domain name, be sure to truncate it appropriately. For example, the error "SSL: certificate subject name (*.harbor.pks.corp.local) does not match target host name (harbor.pks.corp.local)" means the wildcard covers one label too many. In this case, the proper wildcard name for the cert is "*.pks.corp.local".
To use a custom signed certificate from a third-party CA, follow the steps below.
admin. Both the user name and password can be changed after installation using the Harbor web interface. See instructions below.
You cannot change the Harbor administrator password in Ops Manager after you set it during installation. You must use the Harbor interface to make subsequent changes to the password after deployment.
On the Authentication pane in Ops Manager you select an authentication mode. You use the Harbor web console to configure detailed settings for the selected authentication mode. For more information, see Managing authentication in the Harbor User Guide in GitHub.
On the Container Registry Storage pane you specify the type of file storage to use for storing container images.
Choose one of the following as your desired storage for container images.
See the sections below for configuration instructions.
If you choose Remote NFS Server, provide the NFS Server Address in the form nfs_server_ip:/path/to/export_directory. For example:
The owner of the export directory on the NFS server must have user and group IDs (UID:GID) of 10000:10000, where 10000 is the UID used by the Harbor Registry container.
Note: The Harbor Registry tile officially supports AWS S3 storage only. Other S3-compatible object stores, such as Amazon ECS and Minio, are not officially supported.
If you choose AWS S3, configure the following settings:
Secure Mode: Access to your S3 bucket is secure by default. Deselect this checkbox to disable secure mode.
Note: When using Harbor with an S3-compatible object store, the object store must be configured with a TLS cipher suite supported by the Docker client. If the S3 bucket is not configured with a compatible cipher suite, a docker push command to the Harbor Registry fails with "remote error: tls: handshake failure". This is because the Harbor Registry redirects the Docker client to the S3-compatible object store, so the TLS handshake takes place between the Docker client and the object store, not Harbor. To address this error, determine the cipher suites supported by the Docker client and by the S3-compatible object store, and ensure that there is at least one cipher suite common to both.
If you selected Google Cloud Storage, configure the following settings:
Key File: The service account key for your bucket.
Clair is an open-source project for the static analysis of vulnerabilities in Docker and appc containers. For more information about Clair, see the Clair repository in GitHub.
Harbor provides the ability to install and use Clair for vulnerability scanning of container images. Clair can be configured to update its Common Vulnerabilities and Exposures (CVE) databases from the Internet by setting the Updater Interval. In an intranet network environment, configure a proxy to access the Internet.
Note: You must change the default Updater interval (Hours) field to ensure that the Clair CVE databases are kept current. See instructions below.
(Optional) In the HTTP Proxy field, enter the URL to proxy HTTP traffic to the Clair service. For example:
(Optional) In the HTTPS Proxy field, enter the URL to proxy HTTPS traffic to the Clair service. For example:
Note: To use basic authentication with the HTTP/S proxy for Clair, include the user name and password in the proxy host URL, for example:
In the No Proxy field, specify the endpoints that will bypass the proxy host. This field is required if Clair is installed. The required values, 127.0.0.1,localhost,ui,registry, are populated by default.
In the Updater interval (Hours) field, specify when Clair will update its CVE databases for the registered sources. When the updater interval expires, Clair updates its CVE databases. The default updater interval is 0, which means Clair never updates its CVE databases. If you set the updater interval to 24, Clair updates its CVE databases every 24 hours.
For a list of the CVE databases that Clair uses, see Data Sources for the built-in drivers in the Clair documentation.
Harbor provides Docker Notary for container signing and trust. Notary is installed by default. For more information about Docker Notary, see Getting started with Docker Notary in the Docker documentation.
Wavefront is a high-performance streaming analytics platform that helps you monitor and optimize your environment. To use Wavefront monitoring with Harbor, you enable it in the Harbor tile and configure a few parameters.
Note: To monitor the Harbor VM with Wavefront, you will need to deploy the Wavefront dashboard. See Monitor Harbor with Wavefront for details.
Deployment errands are BOSH scripts that run at designated points during an installation using Ops Manager.
The Harbor VM runs as a single instance. On the Resource Config pane in Ops Manager you configure the resource settings for the Harbor VM, including disk size and type. If you are deploying Harbor on AWS or GCP, you can specify a load balancer that allows external access to the Harbor VM.
For standard Harbor Registry deployments, the default size and type for the Harbor VM are sufficient. The compute and storage capacity of the Harbor VM depends on the size of the images you are deploying to the Harbor registry. Some images are 30 MB, while others are 2 GB. In addition, storage requirements depend on how images are built and what base images are leveraged. In general, if your Harbor instance manages a large number of images, increase the storage size and select a VM type that has greater CPU capacity and more RAM. Using a smaller size VM than the default is not common.
If you are deploying Harbor using BOSH Director for AWS or GCP, and you are fronting the Harbor VM with a load balancer, provide its IP address in the resource settings. AWS and GCP load balancers can be internal or external. The load balancer type dictates whether you need to select or deselect the Internet Connected checkbox. The image below shows the load balancer "scheme" options for the AWS classic load balancer. For more information, see the following topics:
External versus internal load balancing in Overview of Load Balancing in the GCP documentation.
To configure the Harbor VM resources, follow the instructions below.
harbor-app VM, edit the following properties:
smoke-testing VM, specify the desired VM Type. This is an ephemeral VM deployed and used by BOSH to test the deployment of the Harbor VM. Typically, the default size is sufficient. However, if you change the size of the harbor-app VM from the default, you may need to adjust the size of the
If the version of the Harbor tile that you are installing requires a more recent stemcell version than is currently deployed in Ops Manager, the Harbor tile displays a "Missing stemcell" error message.
To update the stemcell, follow the steps below.
When the deployment finishes, verify the deployment by checking the Harbor instance information in the Harbor tile in Ops Manager.
Select the Logs tab to collect Harbor log files and generate and download the Harbor log bundle.
After you install and configure Harbor, you must update the DNS entry for Harbor and provide the Harbor CA certificate to Ops Manager. If you use Enterprise PKS with NSX-T, define a NAT rule to the Harbor IP address.