This topic describes how to install and configure VMware Harbor Registry using Ops Manager for use with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) and VMware Tanzu Application Service for VMs (TAS for VMs).
For more information about TKGI, see the VMware Tanzu Kubernetes Grid Integrated Edition documentation.
For more information about TAS for VMs, see TAS for VMs Concepts in the Pivotal documentation.
To install the Harbor Registry tile, you must have Ops Manager installed. If you are using Harbor with TKGI, see Deploying Ops Manager with NSX-T for TKGI. If you are using Harbor with TAS, see Ops Manager Installation.
These instructions are valid for new installations, reconfigurations of existing installations, or upgrades. If you are upgrading Harbor, follow the procedure in Upgrading VMware Harbor Registry before performing these steps.
To initiate the deployment of Harbor, import the tile.
Begin the installation of the Harbor tile by assigning availability zones (AZs) and networks.
In the General Settings pane, you set the hostname and IP address for Harbor.
Note: In previous releases, this pane also included the container network settings. Starting with Harbor v1.9.x, those settings are now in the Networking section. See “Configure Networking” for details.
On the Certificate pane, you configure the SSL certificate and private key for Harbor. You can generate the certificate and private key or provide a custom signed certificate and private key. Additionally, you must provide the Certificate Authority (CA) certificate, which is used to sign the Harbor certificate. The domain name used to generate RSA certificate in the Harbor Tile can be different than the domain name used to generate the RSA certificate in the Tanzu Kubernetes Grid Integrated Edition or TAS for VMs tile.
If this is an existing instance of Harbor that you are reconfiguring or upgrading, you can change the previous certificate by clicking Change. You can then either generate a new RSA certificate or add a new custom certificate, key, and CA.
To use a certificate that Ops Manager generates automatically, follow the steps below.
Note: If you use a wildcard domain name, be sure to truncate it appropriately. For example: “SSL: certificate subject name (*.harbor.tkgi.corp.local) does not match target host name (harbor.tkgi.corp.local).” In this case, the proper wildcard name for the cert is “*.tkgi.corp.local”.
To use a custom signed certificate from a third-party CA, follow the steps below.
If you are configuring an initial installation of Harbor, these credentials are used for the first login to the Harbor interface. If you are reconfiguring or upgrading Harbor, you cannot change the initial credentials. If you have changed the credentials in the Harbor interface since the initial installation, see Update Harbor Credentials below.
admin. Both the user name and password can be changed after installation using the Harbor web interface. See instructions below.
Note: The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character. The password cannot start with the pound sign
You cannot change the Harbor administrator password in Ops Manager after you set it during installation. You must use the Harbor interface to make subsequent changes to the password after deployment.
On the Authentication pane in Ops Manager you select an authentication mode. You use the Harbor web console to configure detailed settings for the selected authentication mode. For more information, see Managing authentication in the Harbor User Guide.
If you are reconfiguring or upgrading Harbor, you cannot change the authentication mode that was set during the initial installation.
You can configure a global proxy that is used by Harbor and the image scanner (if enabled). You can also customize the container network settings.
http://your.proxy.com:3128and Https Proxy
http://your.proxy.com:3128, or Http Proxy
https://your.proxy.com:3128and Https Proxy
https://your.proxy.com:3128. Usually HTTPS is used, because most sites use HTTPS.
Note: To use basic authentication with the HTTP/S proxy, include the user name and password in the proxy host URL, for example:
Note: Some proxy servers change the certificate of the HTTPS site and replace it with a self-signed certificate generated with the proxy server root CA. If the proxy server root CA is not trusted by the client, it will return the error “X509 certificate signed by unknown authority.” To avoid this error, either a) add the proxy server’s root certificate to the Ops Manager trusted CA list (instructions here), or b) add the HTTPS site URL to the proxy server whitelist so that the original HTTPS certificate is not replaced. Use the following command to check if the original server certificate is being replaced by the proxy server certificate:
curl -x <proxy_server_url> -v https://auth.docker.io. If the proxy server replaced the certificate, the certificate fails verification when it passes through the proxy server.
(Optional) In the No Proxy field, specify the endpoints that will bypass the proxy host. The required values,
127.0.0.1,localhost,core,registry, are populated by default.
By default Docker assigns each running container a private IP address. To use the default container network settings, select Keep the default container network settings.
To customize the container network settings, select Specify customized container network settings.
If you select Specify customized container network settings, you must specify at least one address pool base and size. When a Docker container starts, the Docker daemon (dockerd) selects an IP address from the address pool and allocates it to the container.
Because the smallest network in Docker private network is
a.b.c.d/28, if you input only one pool, the smallest CIDR block is
a.b.c.d/25. If input two pools, the smallest CIDR block is
Note: There are 10 networks in the Harbor VM. Make sure there are enough subnetworks in the specified CIDR. If there are not enough subnets in the network, the Harbor server fails to start.
For example, if you select this option, for the Address pool1 base you might enter
172.31.0.0/25, and for the Address pool1 size you might enter
28. Additional entry pairs are optional.
On the Container Registry Storage pane you specify the type of file storage to use for storing container images.
Choose one of the following as your desired storage for container images. (This selection cannot be changed after deployment of Harbor.)
See the sections below for configuration instructions.
If you choose Remote NFS Server, provide the NFS Server Address in the form
nfs_server_ip:/path/to/export_directory, for example:
The user/group ID (UID) for the owner of the export directory on the NFS Server must be 10000:10000, where 10000 is the UID used by the Harbor Registry container.
Note: The Harbor Registry tile officially supports AWS S3 storage only. Other S3-compatible object stores, such as Dell EMC ECS and Minio, are not officially supported.
If you choose AWS S3, configure the following settings:
Secure Mode: Access to your S3 bucket is secure by default. Deselect this checkbox to disable secure mode.
Note: When using Harbor with an S3-compatible object store, the object store must be configured with a TLS cipher suite supported by the Docker client. If the S3 bucket is not configured with a compatible cipher suite, when performing a
docker push command to the Harbor Registry, you receive the following: “remote error: tls: handshake failure”. The Harbor Registry redirects the connection from the Docker client to the S3-compatible object store. The TLS handshake is between the Docker client and the S3-compatible object store. To address this error, you must determine the cipher suites supported by the Docker client and S3-compatible object store, and ensure that there is at least one common cipher suite between them.
If you selected Google Cloud Storage, configure the following settings:
If you selected Azure Storage, configure the following properties (all are required):
core.windows.net. Examples: The realm for “Azure in China” is
core.chinacloudapi.cn. The realm for “Azure Government” is
Harbor gives you the ability to install and use an image scanner for assessing the vulnerability of container images. Harbor supports Trivy for container image scanning.
Trivy is an open-source project for the static analysis of vulnerabilities in Docker and appc containers. For more information, see the Trivy GitHub repository.
To install Trivy with Harbor, select the option Install Trivy and click Save.
The Trivy image scanner requires internet connectivity to update the CVE database. When updating the Trivy CVE database, you may need to provide a GitHub authentication token to avoid being throttled. If you are using Harbor in an air-gapped environment, disable CVE database updates by selecting the Skip to update Trivy CVE database option.
Note: In-product support for the Clair image scanner is deprecated with Harbor tile v2.2.1. To use Clair you can install it separately from the Harbor tile VM.
Harbor provides Docker Notary for container signing and trust. Notary is installed by default. For more information about Docker Notary, see Getting started with Docker Notary.
Wavefront is a high-performance streaming analytics platform that helps you monitor and optimize your environment. To use Wavefront monitoring with Harbor, you enable it in the Harbor tile and configure a few parameters.
Wavefront must be installed, licensed, running, and available in your environment before you enable the option.
Note: To monitor the Harbor VM with Wavefront, you will need to deploy the Wavefront dashboard. See Monitor Harbor with Wavefront for details.
You can configure Harbor so that an existing deployment of VMware vRealize Log Insight pulls logs from the Harbor instance.
After enabling Harbor integration with vRealize Log Insight, all Harbor application logs are sent to the vRealize Log Insight server. The local Harbor VM no longer contains the Harbor application logs. You must access them through vRealize Log Insight.
vRealize Log Insight must be installed, licensed, running, and available in your environment before you enable the option. For instructions and additional information, see the [vRealize Log Insight documentation] (https://docs.vmware.com/en/vRealize-Log-Insight/index.html).
To configure vRealize Log Insight integration with Harbor, the vRealize Log Insight server must be accessible on the local network. Access to the vRealize Log Insight server through an HTTP/S proxy server is not supported.
Deployment errands are BOSH scripts that run at designated points during an installation using Ops Manager.
The Harbor VM runs as a single instance. On the Resource Config pane in Ops Manager you configure the resource settings for the Harbor VM, including disk size and type. If you are deploying Harbor on AWS or GCP, you can specify a load balancer that allows external access to the Harbor VM.
For standard Harbor Registry deployments, the default size and type for the Harbor VM are sufficient. The compute and storage capacity of the Harbor VM depends on the size of the images you are deploying to the Harbor registry. Some images are 30 MB, while others are 2 GB. In addition, storage requirements depend on how images are built and what base images are leveraged. In general, if your Harbor instance manages a large number of images, increase the storage size and select a VM type that has greater CPU capacity and more RAM. Using a smaller size VM than the default is not common.
If you are deploying Harbor using BOSH Director for AWS or GCP, and you are fronting the Harbor VM with a load balancer, provide its name in the resource settings. AWS and GCP load balancers can be internal or external. The load balancer type dictates whether you need to select or deselect the Internet Connected checkbox. The image below shows the load balancer “scheme” options for the AWS classic load balancer. For more information, see the following topics:
External versus internal load balancing in Overview of Load Balancing in the GCP documentation.
To configure the Harbor VM resources, follow the instructions below.
harbor-appVM, edit the following properties:
smoke-testingVM, specify the desired VM Type. This is an ephemeral VM deployed and used by BOSH to test the deployment of the Harbor VM. Typically, the default size is sufficient. However, if you change the size of the
harbor-appVM from the default, you may need to adjust the size of the
If the version of the Harbor tile that you are installing requires a more recent stemcell version than is currently deployed in Ops Manager, the Harbor tile displays a “Missing stemcell” error message.
To update the stemcell, follow the steps below.
When the deployment finishes, verify the deployment by checking the Harbor instance information the Harbor tile in Ops Manager.
After you install and configure Harbor, you must update the DNS entry for Harbor and provide the Harbor CA certificate to Ops Manager. If you use TKGI with NSX-T, define a NAT rule to the Harbor IP address.