Deploy an Offline Harbor Registry on vSphere

This topic describes how to install a private Harbor image registry from a downloaded OVA file, to provide the images needed to deploy Tanzu Kubernetes Grid (TKG) in an offline vSphere environment. The resulting Harbor instance runs outside of TKG.

To install a packaged Harbor instance to TKG workload clusters, for use by apps hosted by the clusters, see Install Harbor for Service Registry in Creating and Managing TKG 2.1 Workload Clusters with the Tanzu CLI.

Note

Notary and Chartmuseum are deprecated in Harbor v2.6 and are scheduled to be removed in a future release as noted in the Harbor v2.6.0 release notes. Users should switch to Sigstore Cosign for container signing and verification.

Prerequisites

• vSphere Client v7.0.2.00000
• Harbor OVA file, downloaded from the Tanzu Kubernetes Grid downloads page.
• Custom certificates (optional): ca.crt, server.crt, and server.key files

Deploy Harbor

To deploy Harbor from an OVA file:

1. In vCenter, right-click on a vSphere cluster and choose Deploy OVF Template….

   

2. A Deploy OVF Template window appears. Select Local File and browse to the location of the downloaded Harbor OVA file.

3. Click NEXT on the bottom right. A series of configuration panes appears.

4. Source Verification: Click YES.

   

5. Virtual machine name: Enter a name that you choose for the virtual machine that runs the Harbor instance. Click NEXT.

   

6. Select a compute resource: Leave the default choice and click NEXT.

   

   This step may take a few minutes, as vSphere downloads and renders the OVF template.

7. Review details: Click NEXT.

   

8. License agreements: Please accept the license and click NEXT.

   

9. Select storage: Select vsanDatastore and click NEXT.

   

10. Select networks: Choose the default VM Network and click NEXT.

    

11. Customize template > VM Credentials:

    

    1. Root Password (Required): Your preferred password for the root user account on the VM, and it must be 8-128 characters long.

    2. Allow SSH via Root: Leave the default, enabled, to allow ssh access to the VM as root user.

12. Customize template > Harbor Configurations:

    

    1. Hostname (Optional): If provided, the Harbor hostname as an FQDN, such as yourdomain.com. Cannot be an IP address or localhost.

       If you specify Hostname the SAN (Subject Alt Names) property contains only the DNS information; no IP information is provided.

       If if you do not specify Hostname, the SAN property contains only the IP information, no DNS information is provided.

    2. Administrator Password (Required): Password for Harbor admin user. Used by admins to access Harbor UI and by client containers to pull and push images. Must be 8 to 128 characters long.

    3. Harbor Database Password: Password for the Harbor internal database. If provided, should be 8 to 128 characters long.

    4. Enable Harbor Default Scanner: Enable to install the Trivy scanner and activate it to scan images as they are uploaded to Harbor.

    5. Use Self-signed Certificate For Harbor:

       • Enable to use self-signed certificates, and leave CA Certificate, Server Certificate, and Server Key blank.

       • Otherwise, deactivate Use Self-signed Certificate For Harbor and paste in multi-line file contents for CA Certificate, Server Certificate, and Server Key. When you paste them into the form, the multi-line values turn to a one-line string with the space character as the delimiter.

13. Customize template > Networking Configurations:

    

    1. IP Address, Netmask, and Gateway: A static IP address, netmask, and gateway for eth0, if any.

    2. DNS, DNS Domain: DNS server and domain for the Harbor VM.

14. Ready to complete: Review the configuration and click FINISH.

    

Watch and Debug Deployment

The first time you deploy a Harbor OVA, Harbor takes several minutes to load Docker images.

To watch the process and confirm that it is progressing, ssh in to the VM and run:

watch docker ps

If Harbor is not running after 5 minutes or so, retrieve the log file on the VM for debugging:

1. cd /etc/goharbor/harbor && ./harbor-support.sh --include-private

2. Find and unzip the log file. It has a name like /storage/log/harbor_appliance_logs_2022-11-30T09-39-12Z.tar.gz

Troubleshooting

Error: Unable to retrieve manifest or certificate file

1. If you see Error: Unable to retrieve manifest or certificate file as below, just try deploying the Harbor OVA again.

   

Reset the Root Password

If you lost the root password, recover it by following the procedure Resetting a Lost Root Password.

Expand Data Disk

A Harbor instance deployed from an OVA has two disks:

• Data disk: contains Harbor application data and certificate files; mounted as /storage.
• System disk: contains VM system data and Harbor bootstrap images, and runs the bootstrap images.

If you need to increase the size of Harbor’s data disk to accommodate requests you must temporarily power off the Harbor VM while you change settings. If the VM has a dynamic IP address, restarting the VM necessitates additional steps as described below.

To expand the data disk of your Harbor instance:

1. From vSphere Hosts and Clusters view, right-click the Harbor OVA VM and choose Power > Power Off:

   

2. Right-click the Harbor OVA VM again and choose Edit Settings:

   

3. An Edit Settings window appears. Under Virtual Hardware, increase the Hard disk 2 setting to a capacity you prefer. Click OK.

   

4. Right-click the Harbor OVA VM again and choose Power > Power On to restart the VM.

   

5. Because you restarted the Harbor VM, you may need to perform additional steps depending on the VM’s host address configuration:

6. Static IP address: No additional steps.

7. Dynamic IP address: If the IP address of the Harbor VM has changed:

   1. Generate a certificate for the new IP address as described in the How to change existing expired harbor CA certificate with new one thread in the Harbor repository.
   2. Apply the new certificate to the VM as described in Rotate Certificates below.

8. FQDN: If the IP address of the Harbor VM has changed, update its address in the VM’s /etc/hosts file or in the DNS record.

Rotate Certificates

When the IP address of the Harbor VM has changed, rotate its certificate:

1. ssh in to the VM.

2. Stop the Harbor service:

   systemctl stop harbor
   

3. Back up the old certificate’s server.crt, server.key, ca.crt files by moving or renaming them:

   • server.crt is in /storage/data/secret/cert/server.crt
   • server.key is in /storage/data/secret/cert/server.key
   • ca.crt is in /storage/data/ca_download/ca.crt

4. Save the new certificate’s server.crt, server.key, ca.crt to the locations above and set their file ownership and permissions to the same settings as the old files.

5. Start the Harbor service:

   systemctl start harbor
   

What to Do Next

After you use this Harbor registry to deploy a management cluster in an Internet-restricted environment, you can enable TKG workload clusters to use Harbor in one of two ways:

• Use the external Harbor registry. If this registry uses a trusted CA certificate, connections between workload clusters and the registry are secure. If your central registry uses self-signed certificates, you can deactivate TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY and specify the TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE option. Setting this option automatically injects your self-signed certificates into your workload clusters.

• Deploy a second instance of Harbor as a shared service within TKG. VMware recommends deploying the Harbor package as shared service managed by TKG. For more information, see Deploy Harbor into a Workload or a Shared Services Cluster.

On infrastructures with load balancing, VMware recommends installing the External DNS packaged service alongside the Harbor service, as described in Harbor Registry and External DNS.