If you plan to install Harbor with a self-signed certificate and FQDN, follow this procedure.

These steps install the Harbor appliance and use the NSX Application Platform Automation Appliance to upload NSX Application Platform components to Harbor.

Procedure

  1. Log in to the vSphere Client with admin privileges.
  2. Navigate to the vSphere host cluster on which to install Harbor.
  3. Right-click the vSphere host cluster and select Deploy OVF template to start the installation wizard.
  4. Select Local file.
  5. Enter your Broadcom support portal login credentials and click the HTTPS Download icon to access the Harbor OVA file.
    For more information on downloading software from the Broadcom support portal, see the Knowledge Base article.
  6. Click Next.
  7. Enter a name, specify a data center folder location for the Harbor VM and click Next.
  8. Select a compute resource for the Harbor VM and click Next.
    The compute resource cluster is usually the Management cluster.
  9. Review the Harbor appliance details and click Next.
  10. Accept the appliance EULA and click Next.
  11. Select the data store storage configuration and disk file and click Next.

    Ensure that the selected storage can store all NSX Application Platform containers and charts.

  12. Select a Harbor destination network to map the appliance vNICs to a destination port group and click Next.
    Note:

    The selected network must have connectivity on the required ports and protocols from Tanzu Kubernetes Grid and NSX Application Platform workload networks. See https://ports.esp.vmware.com/home/NSX.

  13. In the Customize template step, complete the following steps.
    1. Enter the root password and administrator password.
    2. Optionally, allow SSH login for the root user.
    3. For hostname, provide the correct FQDN (fully qualified domain name).
      The hostname has a public top-level domain (such as .com or .info) and not a private top-level domain (such as .lab or .local).
  14. Select Use Self-signed Certificate for Harbor.
    Do not enter any value for CA Certificate, Server Certificate, or Server Key.
  15. Provide the network configuration information and accept the default Docker configurations.
  16. Click Finish to begin the installation.
    Depending on the resources in your environment, the installation might take 4-5 minutes to complete.

    After the deployment is successfully complete, the newly created VM appears under the cluster and VMs section.

  17. From your browser, log in to Harbor at https://<FQDN of Harbor> with admin credentials.
    The browser displays a warning because Harbor does not have a trusted certificate. Ignore the warning and proceed.
  18. Create a project called nsx_application_platform.

    Select the Public check box for Access Level.

  19. SSH to Harbor and log in as the root user to retrieve the certificate called harbor_ca.crt in the /storage/certs directory.
    ##########################################################################
    ## SSH access to the Harbor Cloud Native Registry Appliance can be ##
    ## used in exceptional cases that cannot be handled through standard ##
    ## remote management or CLI tools. This is primarily intended for use ##
    ## in break-fix scenarios, under the guidance of VMware GSS. ##
    ##########################################################################
    ([email protected]) Password:
    ##########################################################################
    ## SSH access to the Harbor Cloud Native Registry Appliance can be ##
    ## used in exceptional cases that cannot be handled through standard ##
    ## remote management or CLI tools. This is primarily intended for use ##
    ## in break-fix scenarios, under the guidance of VMware GSS. ##
    ##########################################################################
    07:06:36 up 15:46, 0 users, load average: 0.42, 0.15, 0.05
    9 Security notice(s)
    Run 'tdnf updateinfo info' to see the details.
    root@harborselfsigned [ ~ ]# cd /storage/certs/
    root@harborselfsigned [ /storage/certs ]# ls -al
    total 36
    drwxr-xr-x 2 root root 4096 Oct 19 15:21 .
    drwxr-xr-x 6 root root 4096 Oct 19 15:21 ..
    -rw-r--r-- 1 root root 50 Oct 19 15:21 extfile.cnf
    -rw-r--r-- 1 root root 1972 Oct 19 15:21 harbor_ca.crt
    -rw------- 1 root root 3272 Oct 19 15:21 harbor_ca.key
    -rw-r--r-- 1 root root 41 Oct 19 15:21 harbor_ca.srl
    -rw-r--r-- 1 root root 1691 Oct 19 15:21 harbor.corp.info.csr
    -rw-r--r-- 1 root root 2025 Oct 19 15:21 server.crt
    -rw------- 1 root root 3272 Oct 19 15:21 server.key
    root@harborselfsigned [ /storage/certs ]# cat harbor_ca.crt
  20. Copy the certificate to NSX Application Platform Automation Appliance.
    root@harborselfsigned [ /storage/certs ]# scp harbor_ca.crt root@nappa:/tmp
    The authenticity of host 'nappa (nappa)' can't be established.
    ED25519 key fingerprint is SHA256:+KqK+eokriGzzpuxfg6idY11Zj52NDbzP4U25kuRrfw.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added 'nappa' (ED25519) to the list of known hosts.
    (root@nappa) Password:
    harbor_ca.crt
    100% 1972 2.1MB/s 00:00
  21. Log in to NSX Application Platform Automation Appliance and add the certificate to the certificate store.
    root@nappa [ ~ ]# cat /tmp/harbor_ca.crt
    root@nappa [ ~ ]# cat /tmp/harbor_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
    root@nappa [ ~ ]# curl https://harbor.corp.info
    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="utf-8"/>
            <title>Harbor</title>
            <base href="/"/>
            <meta name="viewport" content="width=device-width, initial-scale=1"/>
            <link rel="icon" type="image/x-icon" href="favicon.ico?v=2"/>
        <link rel="stylesheet" href="styles.878b6852c9b5f5ec.css"></head>
        <body>
            <harbor-app>
                <div class="spinner spinner-lg app-loading app-loading-fixed">
                    Loading...
                </div>
            </harbor-app>
        <script src="runtime.af360c985dadaace.js" type="module"></script><script
    src="polyfills.b51e06395e4620c9.js" type="module"></script><script src="scripts.67f785a8ff0b6aed.js"
    defer></script><script src="main.d28b366defc1eeca.js" type="module"></script></body>
    </html>
  22. Use the NSX Application Platform Automation Appliance to upload the NSX Application Platform components to Harbor.
    The NSX Application Platform Automation Appliance includes the necessary Helm client.
  23. Power off the NSX Application Platform Automation Appliance.
  24. Edit the VM settings, set Hard disk 4 to 150 GB, and power on the VM.
  25. After the NSX Application Platform Automation Appliance VM is completely powered on, log in and verify that the /dev/mapper/vg_docker-lv_docker logical volume size is approximately 150 GB.
    root@nappa [ ~ ]# df -h
    Filesystem Size Used Avail Use% Mounted on
    devtmpfs 2.0G 0 2.0G 0% /dev
    tmpfs 2.0G 0 2.0G 0% /dev/shm
    tmpfs 2.0G 760K 2.0G 1% /run
    tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
    /dev/mapper/vg_system-lv_root 9.8G 2.7G 6.6G 30% /
    tmpfs 2.0G 948K 2.0G 1% /tmp
    /dev/sda3 488M 40M 412M 9% /boot
    /dev/mapper/vg_napp-lv_napp 5.9G 2.5G 3.1G 45% /opt/napp
    /dev/mapper/vg_alt_root-lv_alt_root 9.8G 24K 9.3G 1% /storage/alt_root
    /dev/mapper/vg_docker-lv_docker 148G 24K 142G 1% /var/lib/docker
    /dev/mapper/vg_lvm_snapshot-lv_lvm_snapshot 2.9G 24K 2.8G 1% /storage/lvm_snapshot
    /dev/sda2 10M 2.0M 8.1M 20% /boot/efi
    If the size of /dev/mapper/vg_docker-lv_docker is not approximately 150 GB, run the following commands:
    root@nappa [ ~ ]# cd /opt/napp
    root@nappa [ /opt/napp ]# chmod +x resize.sh
    root@nappa [ /opt/napp ]# ./resize.sh
    root@nappa [ /opt/napp ]# reboot
  26. Enter your Broadcom support portal login credentials and click the HTTPS Download icon to access the NSX Application Platform OVA file.
    Select the NSX Application Platform offline bundle file.
  27. Select the most current release compatible with your NSX Manager.
  28. Use SCP or SFTP to transfer the downloaded tgz file to the /var/lib/docker directory on the NSX Application Platform Automation Appliance.
    To verify that the file was transferred, run the following command from the NSX Application Platform Automation Appliance command prompt:
    root@nappa [ /var/lib/docker]# ls -al
    total 36269024
    -rw-r--r-- 1 root root 32669969859 Jun  5 10:57 VMware-NSX-Application-Platform-4.2.0.0.0.24009548.tgz
    drwxr-xr-x 3 root root        4096 Jun  5 11:09 ..
    drwxr-xr-x 2 root root       16384 Jun  5 12:05 .
  29. Extract the tgz file.
    root@nappa [ /var/lib/docker]# tar xvf VMware-NSX-Application-Platform-4.2.0.0.0.24009548.tgz
    cert-manager-4.2.0.0.0.24009548.tgz
    cert-manager-4.2.0.0.0.24009548.tgz.prov
    ...omitted...
    upload_oci_artifacts_to_private_harbor.sh
  30. Edit the upload_oci_artifacts_to_private_harbor.sh script to update the values for DOCKER_REPO, DOCKER_USERNAME, DOCKER_PASSWORD, and LOCAL_HOST_IP.
    You must specify DOCKER_REPO with the FQDN of your Harbor instance. Set the NSX Application Platform Automation Appliance VM IP address used to run the upload script for LOCAL_HOST_IP.
    For example,
    root@nappa [ /var/lib/docker]# vim upload_oci_artifacts_to_private_harbor.sh
    DOCKER_REPO=<harbor_ip>/<project_name>
    DOCKER_USERNAME=admin
    DOCKER_PASSWORD=<password>
    LOCAL_HOST_IP=<ip_of_vm_used_to_run_the_script>

    Note that when you run the NSX Application Platform Automation Appliance deployment wizard, set NAPP REPOSITORY TYPE to Local, uncheck CERTIFICATE IS TRUSTED BY A PUBLIC CA, and enter the self-signed certificate harbor_ca.crt retrieved in Step 19. This certificate is applied to both the Kubernetes guest cluster and NSX Manager so that Helm charts and Docker images can be pulled from the private Harbor.

  31. Start the Docker service, set the script to executable, and run the upload_oci_artifacts_to_private_harbor.sh script.
    root@nappa [ /var/lib/docker ]# systemctl start docker
    root@nappa [ /var/lib/docker]# chmod +x upload_oci_artifacts_to_private_harbor.sh
    root@nappa [ /var/lib/docker]# ./upload_oci_artifacts_to_private_harbor.sh
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded
    Login Succeeded
    The push refers to repository [harbor.corp.info/nsx_application_platform/clustering/authserver]
    fa58efb92ddd: Pushed
    ad55a372f12d: Pushed
    0ac9a10d729b: Pushed
    b5be59dad32c: Pushed
    f5bb4f853c84: Pushed
    22213786: digest: sha256:5389928227a4249231a9c0e02ffae8d60d0233f033847218156c1d8ec2a2e0be size: 1367
    The push refers to repository [harbor.corp.info/nsx_application_platform/clustering/context_correlator]
    62dcc5989d67: Pushing [===========================> ] 64.03MB/115.8MB
    253ad025466f: Pushed
    d157ab654901: Pushed
    61d21522b94c: Pushing [==> ] 35.74MB/760.5MB
    a6c1f73d4bb7: Pushed
    c5efdd805219: Pushing [=> ] 9.439MB/321.9MB
    0ef79e996a32: Pushing [> ] 1.649MB/438.6MB
    51d221927681: Pushing [==================================================>] 7.168kB
    7e799685387d: Waiting
    ...

    This operation may take some time depending on your environment.
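
Steps 19 to 21 copy harbor_ca.crt between hosts and append it to /etc/pki/tls/certs/ca-bundle.crt without checking that the file that arrived is the one Harbor generated. The shell functions below are an added example, not part of the vendor procedure: they compare the copied file's SHA-256 fingerprint with the value read on the Harbor appliance and append the certificate only if the bundle does not already contain it. The function names and the sample PEM are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code; function names are hypothetical.

# SHA-256 of the DER bytes of the first certificate in a PEM file (the value
# `openssl x509 -noout -fingerprint -sha256` reports, colons removed, lowercase).
# Hashes the decoded bytes only; it does not parse or validate X.509 fields.
pem_fingerprint() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/{p=1;next}
                /-----END CERTIFICATE-----/{exit}
                p' "$1" 2>/dev/null | tr -d ' \r\n')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeeds if any certificate already in the bundle has the given fingerprint.
bundle_has() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1;b="";next}
         /-----END CERTIFICATE-----/{p=0;print b;next}
         p{gsub(/[ \r]/,"");b=b $0}' "$1" 2>/dev/null |
    while IFS= read -r der64; do
        printf '%s' "$der64" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
    done | grep -qx "$2"
}

# trust_ca <cert.pem> <bundle> <fingerprint read on the Harbor console>
# Returns 0 if the cert is (now) in the bundle, 1 on mismatch, 2 on bad input.
trust_ca() {
    got=$(pem_fingerprint "$1") || { echo "not a PEM certificate: $1" >&2; return 2; }
    want=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, not trusting $1" >&2
        return 1
    fi
    if bundle_has "$2" "$got"; then
        echo "already trusted: $got"
        return 0
    fi
    cat "$1" >> "$2" && echo "added: $got"
}

# Constructed sample: the body decodes to the text "constructed", not a real cert.
make_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Y29uc3RydWN0ZWQ=' \
        '-----END CERTIFICATE-----' > "$1"
}
```

On the appliance, the call would be `trust_ca /tmp/harbor_ca.crt /etc/pki/tls/certs/ca-bundle.crt <fingerprint>`, with the fingerprint read on the Harbor console rather than taken from the copied file.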

What to do next

You can set up your NSX Application Platform environment for installation. See Deployment Requirements for NSX Application Platform and Deploying Tanzu Kubernetes Grid and NSX Application Platform.