Install Harbor with a Self-Signed Certificate and FQDN

If you plan to install Harbor with a self-signed certificate and FQDN, follow the procedures.

These steps install the Harbor appliance and use the NSX Application Platform Automation Appliance to upload NSX Application Platform components to Harbor.

Procedure

Log in to the vSphere Client with admin privileges.
Navigate to the vSphere host cluster on which to install Harbor.
Right-click the vSphere host cluster and select Deploy OVF template to start the installation wizard.
Select Local file.
Enter your Broadcom support portal login credentials and click the (HTTPS Download) icon to access the Harbor OVA file.
For more information on downloading software from the Broadcom support portal, see the Knowledge Base article.
Click Next.
Enter a name, specify a data center folder location for the Harbor VM and click Next.
Select a compute resource for the Harbor VM and click Next.
The compute resource cluster is usually the Management cluster.
Review the Harbor appliance details and click Next.
Accept the appliance EULA agreement and click Next.
Select the data store storage configuration and disk file and click Next.

Ensure that the selected storage can store all NSX Application Platform containers and charts.
Select a Harbor destination network to map the appliance vNICs to a destination port group and click Next.

Note:
The selected network must have connectivity on the required ports and protocols from Tanzu Kubernetes Grid and NSX Application Platform workload networks. See https://ports.esp.vmware.com/home/NSX.
In the Customize template step, complete the following steps.
1. Enter the root password and administrator password.
2. Optionally, allow SSH login for the root user.
3. For hostname, provide the correct FQDN (fully qualified domain name).
  The hostname has a public top-level domain (such as .com or .info) and not a private top-level domain (such as .lab or .local).
Select Use Self-signed Certificate for Harbor.
Do not enter any value for CA Certificate, Server Certificate, or Server Key.
Provide the network configuration information and accept the default Docker configurations.
Click Finish to begin the installation.
Depending on your environmental resources, the installation might take 4-5 minutes to complete.

After the deployment is successfully complete, the newly created VM appears under the cluster and VMs section.
Select the newly created VM and click Settings.
From your browser, log in to Harbor https://<FQDN of Harbor> with admin credentials.
The browser displays a warning because Harbor does not have a trusted certificate. Ignore the warning and proceed.
Create a project called nsx_application_platform.

Select the Public check box for Access Level.

SSH to Harbor and login as root user to retrieve the certificate called harbor_ca.crt in the /storage/certs directory.

##########################################################################
## SSH access to the Harbor Cloud Native Registry Appliance can be ##
## used in exceptional cases that cannot be handled through standard ##
## remote management or CLI tools. This is primarily intended for use ##
## in break-fix scenarios, under the guidance of VMware GSS. ##
##########################################################################
([email protected]) Password:
##########################################################################
## SSH access to the Harbor Cloud Native Registry Appliance can be ##
## used in exceptional cases that cannot be handled through standard ##
## remote management or CLI tools. This is primarily intended for use ##
## in break-fix scenarios, under the guidance of VMware GSS. ##
##########################################################################
07:06:36 up 15:46, 0 users, load average: 0.42, 0.15, 0.05
9 Security notice(s)
Run 'tdnf updateinfo info' to see the details.
root@harborselfsigned [ ~ ]# cd /storage/certs/
root@harborselfsigned [ /storage/certs ]# ls -al
total 36
drwxr-xr-x 2 root root 4096 Oct 19 15:21 .
drwxr-xr-x 6 root root 4096 Oct 19 15:21 ..
-rw-r--r-- 1 root root 50 Oct 19 15:21 extfile.cnf
-rw-r--r-- 1 root root 1972 Oct 19 15:21 harbor_ca.crt
-rw------- 1 root root 3272 Oct 19 15:21 harbor_ca.key
-rw-r--r-- 1 root root 41 Oct 19 15:21 harbor_ca.srl
-rw-r--r-- 1 root root 1691 Oct 19 15:21 harbor.corp.info.csr
-rw-r--r-- 1 root root 2025 Oct 19 15:21 server.crt
-rw------- 1 root root 3272 Oct 19 15:21 server.key
root@harborselfsigned [ /storage/certs ]# cat harbor_ca.crt
-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIUfbhTlPlUwXe164EtphW9cCL4sCIwDQYJKoZIhvcNAQEL
BQAwUTELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1BFSzEQMA4GA1UEBwwHQmVpSmlu
ZzEPMA0GA1UECgwGVk13YXJlMREwDwYDVQQDDAhIYXJib3JDQTAeFw0yMzEwMTkx
NTIxMzZaFw0zMzEwMTYxNTIxMzZaMFExCzAJBgNVBAYTAkNOMQwwCgYDVQQIDANQ
RUsxEDAOBgNVBAcMB0JlaUppbmcxDzANBgNVBAoMBlZNd2FyZTERMA8GA1UEAwwI
SGFyYm9yQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbQsrPbARW
rKHkf3DApwXbeYHVDI5rakKtVWZ3+czmHTB8AFflJxLFsetL84dztffX82sxbM9x
d2ZgDrtVF225joj8Mu9qYrvQ9DaWDqP+lbsCG8EGuNkdRA6Ej8EuhoV0F34NjV84
8pxreKLxmkXHWWoW+C46G2VJVcgC3G9FxCYRcFD8OKwQ0IzpzH2scMt8ysvFY0gw
uEqqMTuHejqK82bBROYbDdHgR3IWHG+Oa1pdT9yn7E/OEYAdW2oRZiWAh9/J/3FX
hFiUBY7Y0z1v0pEA5UE4pOe/Pf7Hr12P9djzVMFHg5FQJs9cWwOUlezXGxN749mz
6jTX+kmP0O0/sBi2bSNhPC1d10rHy3Ca/VTlkCsSjC7WMSrQYiz8/2AJTTnD5ms2
TVYGq+LdyVipLz4D9IhU9FAPOxFDJWVzYYvOyy8GMe7f5JLH5fZNBFHV2XrjG8wy
Zkfll7CUfaxOd6HrSXZo+dIqqz5dIVAZpO7yCyFpVo3Tiuesm4FCvHMPZoG/Rqtu
1fB6fbfPnWSPzOeukgIr5sEkymQpwoMTBYhhafILkFy1/AugcNZ2VCm1jYPpqYep
xmACRJS5GY6DPWaVo5dbDwL8qbpzrVPLHAKn53cc93Yr59QQqy04pBLGDzx3+mw6
qMw7gNoz8dRkDV+KrQPyPDNJlXqrFdngOQIDAQABo1MwUTAdBgNVHQ4EFgQUfbSr
ZF7Y5HaCDq4I4BAVV052ORswHwYDVR0jBBgwFoAUfbSrZF7Y5HaCDq4I4BAVV052
ORswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEASko5WCdzAH0r
He69dxozShlZmswj+ofmTr/hj87WHFtk/KtaZP2VlkAdS4It3GcmGuaX5zogUzmf
DskuaILzhe99ZZTuIcqIoIpxjiW7Dl3RFuLqX5qtivASMAyEh1D8iUFT0hieNvDo
/RyqB1yPbOrLB47j4aXeB5yyjJ3ezwBJ5kUVv8QVCrb0veFp5IJbo9htW4O43gH6
JQ2LZ4nmCOKSKEoaI8TV29hcH1ItMKy4diYJ4F5UjzdUf64JoE5V+RcagDdsvx5s
SVoYkdTt2T00kky/1eOQKAyFF4/5dTq4OOt+LKQSWkq6vZUwP/mdQBZqc3jcJYqf
HBsJ/WfOtbW2skvjdLqjKgHfZEp2wjzdh/+z8IDv43cy1r4DQeQ1D7578i12Qi2P
IhmcWtf1WOmSHNp39yjoNXYyEs0qk01/zoERVhEuhclmvLDLDuqSi0Tm++7iqMxz
D+d+9TkUveWkrwMsWNrBQEXSACTPnafWaHHL80Y+krsAIiNHGzEGdzSnbmfI+jnO
sxb371SM0tlSsCi/L5+GKWTirGAo30yNvC86JEeZrCucveiAPBHEpWdFhi7BDXaA
d3nMwuZ1Pjin/F1q1tXbf97hpqMxHg4or1MPF+gD1pB6HbxQeayGJU5rLxmotL+G
S8VZrSeY2dsa5elCcdL9r4WfLFkBeks=
-----END CERTIFICATE-----

Copy the certificate to NSX Application Platform Automation Appliance.

root@harborselfsigned [ /storage/certs ]# scp harbor_ca.crt root@nappa:/tmp
The authenticity of host 'nappa (nappa)' can't be established.
ED25519 key fingerprint is SHA256:+KqK+eokriGzzpuxfg6idY11Zj52NDbzP4U25kuRrfw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'nappa' (ED25519) to the list of known hosts.
(root@nappa) Password:
harbor_ca.crt
100% 1972 2.1MB/s 00:00

root@nappa [ ~ ]# cat /tmp/harbor_ca.crt
-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIUfbhTlPlUwXe164EtphW9cCL4sCIwDQYJKoZIhvcNAQEL
BQAwUTELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1BFSzEQMA4GA1UEBwwHQmVpSmlu
ZzEPMA0GA1UECgwGVk13YXJlMREwDwYDVQQDDAhIYXJib3JDQTAeFw0yMzEwMTkx
[omitted]
sxb371SM0tlSsCi/L5+GKWTirGAo30yNvC86JEeZrCucveiAPBHEpWdFhi7BDXaA
d3nMwuZ1Pjin/F1q1tXbf97hpqMxHg4or1MPF+gD1pB6HbxQeayGJU5rLxmotL+G
S8VZrSeY2dsa5elCcdL9r4WfLFkBeks=
-----END CERTIFICATE-----
root@nappa [ ~ ]# cat /tmp/harbor_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
root@nappa [ ~ ]# curl https://harbor.corp.info
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8"/>
        <title>Harbor</title>
        <base href="/"/>
        <meta name="viewport" content="width=device-width, initial-scale=1"/>
        <link rel="icon" type="image/x-icon" href="favicon.ico?v=2"/>
    <link rel="stylesheet" href="styles.878b6852c9b5f5ec.css"></head>
    <body>
        <harbor-app>
            <div class="spinner spinner-lg app-loading app-loading-fixed">
                Loading...
            </div>
        </harbor-app>
    <script src="runtime.af360c985dadaace.js" type="module"></script><script
src="polyfills.b51e06395e4620c9.js" type="module"></script><script src="scripts.67f785a8ff0b6aed.js"
defer></script><script src="main.d28b366defc1eeca.js" type="module"></script></body>
</html>

Use the NSX Application Platform Automation Appliance, to upload the NSX Application Platform components to Harbor.
NSX Application Platform Automation Appliance is included with the necessary Helm client.
Power off the NSX Application Platform Automation Appliance.
Edit the VM settings, set Hard disk 4 to 150 GB, and power on the VM.

After the NSX Application Platform Automation Appliance VM is completely powered on, log in and verify that the /dev/mapper/vg_docker-lv_docker logical volume size is approximately 150 GB.

root@nappa [ ~ ]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 2.0G 0 2.0G 0% /dev
tmpfs 2.0G 0 2.0G 0% /dev/shm
tmpfs 2.0G 760K 2.0G 1% /run
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
/dev/mapper/vg_system-lv_root 9.8G 2.7G 6.6G 30% /
tmpfs 2.0G 948K 2.0G 1% /tmp
/dev/sda3 488M 40M 412M 9% /boot
/dev/mapper/vg_napp-lv_napp 5.9G 2.5G 3.1G 45% /opt/napp
/dev/mapper/vg_alt_root-lv_alt_root 9.8G 24K 9.3G 1% /storage/alt_root
/dev/mapper/vg_docker-lv_docker 148G 24K 142G 1% /var/lib/docker
/dev/mapper/vg_lvm_snapshot-lv_lvm_snapshot 2.9G 24K 2.8G 1% /storage/lvm_snapshot
/dev/sda2 10M 2.0M 8.1M 20% /boot/efi

If the size of /dev/mapper/vg_docker-lv_docker is not approximately 150 GB, run the following commands:

root@nappa [ ~ ]# cd /opt/napp
root@nappa [ /opt/napp ]# chmod +x resize.sh
root@nappa [ /opt/napp ]# ./resize.sh
root@nappa [ /opt/napp ]# reboot

Enter your Broadcom support portal login credentials and click the (HTTPS Download) icon to access the NSX Application Platform OVA file.
Select the NSX Application Platform offline bundle file.
Select the most current release compatible with your NSX Manager.
Transfer the downloaded tgz file to the /var/lib/docker directory using SCP or SFTP to the NSX Application Platform Automation Appliance.
To verify that file was transferred, run the following command from the NSX Application Platform Automation Appliance command prompt:
```
root@nappa [ /var/lib/docker]# ls -al
total 36269024
-rw-r--r-- 1 root root 32669969859 Jun  5 10:57 VMware-NSX-Application-Platform-4.2.0.0.0.24009548.tgz
drwxr-xr-x 3 root root        4096 Jun  5 11:09 ..
drwxr-xr-x 2 root root       16384 Jun  5 12:05 .
```

Extract the tgz file.

root@nappa [ /var/lib/docker]# tar xvf VMware-NSX-Application-Platform-4.2.0.0.0.24009548.tgz
cert-manager-4.2.0.0.0.24009548.tgz
cert-manager-4.2.0.0.0.24009548.tgz.prov
...omitted...
upload_oci_artifacts_to_private_harbor.sh

Edit the upload_oci_artifacts_to_private_harbor.sh script to update the values for DOCKER_REPO, DOCKER_USERNAME, DOCKER_PASSWORD, and LOCAL_HOST_IP.
You must specify DOCKER_REPO with the FQDN of your Harbor instance. Set the NSX Application Platform Automation Appliance VM IP address used to run the upload script for LOCAL_HOST_IP.
For example,
```
root@nappa [ /var/lib/docker]# vim upload_oci_artifacts_to_private_harbor.sh
DOCKER_REPO=<harbor_ip>/<project_name>
DOCKER_USERNAME=admin
DOCKER_PASSWORD=<password>
LOCAL_HOST_IP=<ip_of_vm_used_to_run_the_script>
```

Start the Docker service, set the script to executable, and run the upload_oci_artifacts_to_private_harbor.sh script.

root@nappa [ /var/lib/docker ]# systemctl start docker
root@nappa [ /var/lib/docker]# chmod +x upload_oci_artifacts_to_private_harbor.sh
root@nappa [ /var/lib/docker]# ./upload_oci_artifacts_to_private_harbor.sh
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Login Succeeded
The push refers to repository [harbor.corp.info/nsx_application_platform/clustering/authserver]
fa58efb92ddd: Pushed
ad55a372f12d: Pushed
0ac9a10d729b: Pushed
b5be59dad32c: Pushed
f5bb4f853c84: Pushed
22213786: digest: sha256:5389928227a4249231a9c0e02ffae8d60d0233f033847218156c1d8ec2a2e0be size: 1367
The push refers to repository [harbor.corp.info/nsx_application_platform/clustering/context_correlator]
62dcc5989d67: Pushing [===========================> ] 64.03MB/115.8MB
253ad025466f: Pushed
d157ab654901: Pushed
61d21522b94c: Pushing [==> ] 35.74MB/760.5MB
a6c1f73d4bb7: Pushed
c5efdd805219: Pushing [=> ] 9.439MB/321.9MB
0ef79e996a32: Pushing [> ] 1.649MB/438.6MB
51d221927681: Pushing [==================================================>] 7.168kB
7e799685387d: Waiting
...

This operation may take some time depending on your environment.

Log in to NSX Manager as root and run a CLi command to verify that the connection to your local Harbor repository from NSX Manager is successful.
```
curl http://<harbor-repo-fqdn>
```
Verify that the NSX Application Platform project is accessible from the URL.
https://<harbor-repo-fqdn>

What to do next

You can set up your NSX Application Platform environment for installation. See Deployment Requirements for NSX Application Platform and Deploying Tanzu Kubernetes Grid and NSX Application Platform.

Note that when you run the NSX Application Platform Automation Appliance deployment wizard, set NAPP REPOSITORY TYPE to Local, uncheck CERTIFICATE IS TRUSTED BY A PUBLIC CA, and enter the self-signed certificate harbor_ca.crt in the box provided from the NSX Manager nodes and NSX Application Platform Automation Appliance.