Deploy an Offline Harbor Registry on vSphere

This topic describes how to install a private Harbor image registry from a downloaded OVA file, to provide the images needed to deploy Tanzu Kubernetes Grid (TKG) in an offline vSphere environment. The resulting Harbor registry runs alongside and separately from TKG to store and manage component images used by TKG.

Important

  • This VM-based Harbor deployment is only supported for hosting TKG system images in an internet-restricted or airgapped environment. To deploy a scalable and highly-available Harbor that can manage large numbers of images for hosted apps in a production environment, deploy the Harbor package to TKG clusters as described in Install Harbor for Service Registry in Creating and Managing TKG 2.3 Workload Clusters with the Tanzu CLI.

  • Notary and Chartmuseum are deprecated since Harbor v2.6 and are scheduled to be removed in a future release as noted in the Harbor v2.6.0 release notes. Switch to Sigstore Cosign for container signing and verification.

Prerequisites

Deploy Harbor

To deploy Harbor from an OVA file:

  1. In vCenter, right-click on a vSphere cluster and choose Deploy OVF Template….

    Harbor installation screenshot

  2. A Deploy OVF Template window appears. Select Local File and browse to the location of the downloaded Harbor OVA file.

  3. Click NEXT on the bottom right. A series of configuration panes appears.

  4. Source Verification: Click YES.

    Harbor installation screenshot

  5. Virtual machine name: Enter a name that you choose for the virtual machine that runs the Harbor instance. Click NEXT.

    Harbor installation screenshot

  6. Select a compute resource: Leave the default choice and click NEXT.

    Harbor installation screenshot

    This step may take a few minutes, as vSphere downloads and renders the OVF template.

  7. Review details: Click NEXT.

    Harbor installation screenshot

  8. License agreements: Please accept the license and click NEXT.

    Harbor installation screenshot

  9. Select storage: Select vsanDatastore and click NEXT.

    Harbor installation screenshot

  10. Select networks: Choose the default VM Network and click NEXT.

    Harbor installation screenshot

  11. Customize template > VM Credentials:

    Harbor installation screenshot

    1. Root Password (Required): Your preferred password for the root user account on the VM, and it must be 8-128 characters long.

    2. Allow SSH via Root: Leave the default, enabled, to allow ssh access to the VM as root user.

  12. Customize template > Harbor Configurations:

    Harbor installation screenshot

    1. Hostname (Optional): If provided, the Harbor hostname as an FQDN, such as yourdomain.com. Cannot be an IP address or localhost.

      If you specify Hostname the SAN (Subject Alt Names) property contains only the DNS information; no IP information is provided.

      If if you do not specify Hostname, the SAN property contains only the IP information, no DNS information is provided.

    2. Administrator Password (Required): Password for Harbor admin user. Used by admins to access Harbor UI and by client containers to pull and push images. Must be 8 to 128 characters long.

    3. Harbor Database Password: Password for the Harbor internal database. If provided, should be 8 to 128 characters long.

    4. Enable Harbor Default Scanner: Enable to install the Trivy scanner and activate it to scan images as they are uploaded to Harbor.

    5. Use Self-signed Certificate For Harbor:

      • Enable to use self-signed certificates, and leave CA Certificate, Server Certificate, and Server Key blank.

      • Otherwise, deactivate Use Self-signed Certificate For Harbor and paste in multi-line file contents for CA Certificate, Server Certificate, and Server Key. When you paste them into the form, the multi-line values turn to a one-line string with the space character as the delimiter.

  13. Customize template > Networking Configurations:

    Harbor installation screenshot

    1. IP Address, Netmask, and Gateway: A static IP address, netmask, and gateway for eth0, if any.

    2. DNS, DNS Domain: DNS server and domain for the Harbor VM.

  14. (Optional) Customize template > Docker Configurations:

    Harbor installation screenshot

    This configuration is optional and only available for OVAs with Harbor v2.8.x or later.

    1. Docker Daemon BIP Value: A CIDR format value to configure the Docker daemon, for example: 198.18.251.1/24

    2. Address Pool 1 Base, Address Pool 1 Size: Address pool base and address pool size should be configured in pairs if any. We allow at most three pairs of address pool base and address pool size. Also address pool base should be in CIDR format, for example 198.18.252.0/22; and address pool size should be an integer between 1 ~ 32.

  15. Ready to complete: Review the configuration and click FINISH.

    Harbor installation screenshot

Watch and Debug Deployment

Docker Deployment (Optional)

For OVAs with Harbor v2.8.x or later you can optionally set a Docker daemon configuration to run on the OVA, as configured under the Docker Configurations tab described above.

If you enter invalid arguments under Docker Configurations, both the firstboot systemd service and Docker will fail.

To verify Docker installation, ssh into the Harbor VM and run systemctl status firstboot and systemctl status docker. If the firstboot service status is listed as Active: failed then the deployment failed, but if it shows Active: inactive (dead) and firstboot.service: Succeeded and then docker service is listed as Active: active (running), then deployment succeeded.

To check the logs for more details, run journalctl -u firstboot and journalctl -u docker.

Harbor Deployment:

The first time you deploy a Harbor OVA, Harbor takes several minutes to load Docker images.

To watch the process and confirm that it is progressing, ssh in to the VM and run:

watch docker ps

If Harbor is not running after 5 minutes or so, retrieve the log file on the VM for debugging:

  1. cd /etc/goharbor/harbor && ./harbor-support.sh --include-private

  2. Find and unzip the log file. It has a name like /storage/log/harbor_appliance_logs_2022-11-30T09-39-12Z.tar.gz

Troubleshooting

Error: Unable to retrieve manifest or certificate file

  1. If you see Error: Unable to retrieve manifest or certificate file as below, just try deploying the Harbor OVA again.

    Harbor installation screenshot

No Harbor Proxy Cache Support

You cannot use Harbor’s proxy cache feature for running Tanzu Kubernetes Grid v2.3 in an internet-restricted environment. You can still use a Harbor proxy cache to proxy images from prior versions of Tanzu Kubernetes Grid, and non-Tanzu images such as application images.

Reset the Root Password

If you lost the root password, recover it by following the procedure Resetting a Lost Root Password.

Expand Data Disk

A Harbor instance deployed from an OVA has two disks:

  • Data disk: contains Harbor application data and certificate files; mounted as /storage.
  • System disk: contains VM system data and Harbor bootstrap images, and runs the bootstrap images.

If you need to increase the size of Harbor’s data disk to accommodate requests you must temporarily power off the Harbor VM while you change settings. If the VM has a dynamic IP address, restarting the VM necessitates additional steps as described below.

To expand the data disk of your Harbor instance:

  1. From vSphere Hosts and Clusters view, right-click the Harbor OVA VM and choose Power > Power Off:

    Harbor installation screenshot

  2. Right-click the Harbor OVA VM again and choose Edit Settings:

    Harbor installation screenshot

  3. An Edit Settings window appears. Under Virtual Hardware, increase the Hard disk 2 setting to a capacity you prefer. Click OK.

    Harbor installation screenshot

  4. Right-click the Harbor OVA VM again and choose Power > Power On to restart the VM.

    Harbor installation screenshot

  5. Because you restarted the Harbor VM, you may need to perform additional steps depending on the VM’s host address configuration:

  6. Static IP address: No additional steps.

  7. Dynamic IP address: If the IP address of the Harbor VM has changed:

    1. Generate a certificate for the new IP address as described in the How to change existing expired harbor CA certificate with new one thread in the Harbor repository.
    2. Apply the new certificate to the VM as described in Rotate Certificates below.
  8. FQDN: If the IP address of the Harbor VM has changed, update its address in the VM’s /etc/hosts file or in the DNS record.

Rotate Certificates

When the IP address of the Harbor VM has changed, rotate its certificate:

  1. ssh in to the VM.

  2. Stop the Harbor service:

    systemctl stop harbor
    
  3. Back up the old certificate’s server.crt, server.key, ca.crt files by moving or renaming them:

    • server.crt is in /storage/data/secret/cert/server.crt
    • server.key is in /storage/data/secret/cert/server.key
    • ca.crt is in /storage/data/ca_download/ca.crt
  4. Save the new certificate’s server.crt, server.key, ca.crt to the locations above and set their file ownership and permissions to the same settings as the old files.

  5. Start the Harbor service:

    systemctl start harbor
    

What to Do Next

After you use this Harbor registry to deploy a management cluster in an Internet-restricted environment, you can enable TKG workload clusters to use Harbor in one of two ways:

  • Use the external Harbor registry. If this registry uses a trusted CA certificate, connections between workload clusters and the registry are secure. If your central registry uses self-signed certificates, you can deactivate TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY and specify the TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE option. Setting this option automatically injects your self-signed certificates into your workload clusters.

  • Deploy a second instance of Harbor as a shared service within TKG. VMware recommends deploying the Harbor package as shared service managed by TKG. For more information, see Install Harbor for Service Registry.

On infrastructures with load balancing, VMware recommends installing the External DNS packaged service alongside the Harbor service, as described in Harbor Registry and External DNS.

check-circle-line exclamation-circle-line close-line
Scroll to top icon