This topic gives an overview of the Harbor package, which you can install in Tanzu Kubernetes Grid (TKG) workload clusters to provide image registry services for the cluster.
Harbor is an open-source, enterprise-ready container registry system that provides an image repository, image vulnerability scanning, and project administration.
Installation: Install Harbor in one of the following ways, based on its deployment option:
Supervisor Service: Install and Configure Harbor as a Supervisor Service
TKG on Supervisor:
Standalone management cluster: Install Harbor in Workload Clusters Deployed by a Standalone Management Cluster
The following sections describe Harbor components and show how you can configure the Harbor package.
The Harbor package installs the containers listed in the table on the cluster. For more information, see https://goharbor.io/. The package pulls the containers from the VMware public registry specified in Package Repository.
Container | Resource Type | Replicas | Description |
---|---|---|---|
harbor-core | Deployment | 1 | Management and configuration server for Envoy |
harbor-database | Pod | 1 | Postgres database |
harbor-jobservice | Deployment | 1 | Harbor job service |
harbor-notary-server | Deployment | 1 | Harbor notary service |
harbor-notary-signer | Deployment | 1 | Harbor notary |
harbor-portal | Deployment | 1 | Harbor web interface |
harbor-redis | Pod | 1 | Harbor redis instance |
harbor-registry | Deployment | 2 | Harbor container registry instance |
harbor-trivy | Pod | 1 | Harbor image vulnerability scanner |
Below are example harbor-data-values for the secret in the harbor.yaml file provided with the installation. See Install Harbor Using Kubectl.
Data Value | Description |
---|---|
hostname: myharbordomain.com | The FQDN for accessing Harbor admin UI and Registry service. |
harborAdminPassword: change-it | The initial password for the Harbor admin account. This is applied only during installation. You can update it using the Harbor UI or API after installation. |
secretKey: 0123456789ABCDEF | The secret key used for encryption. Must be a string of 16 chars. |
database.password: change-it | The initial password of the postgres database. |
core.secret: change-it | Secret is used when core server communicates with other components. |
xsrfKey: 0123456789ABCDEF0123456789ABCDEF | The XSRF key. Must be a string of 32 chars. |
jobservice.secret: change-it | Secret is used when job service communicates with other components. |
registry.secret: change-it | Secret is used to secure the upload state from client and registry storage backend. |
persistence.persistentVolumeClaim.registry.storageClass: mystorageclass | Specify the vSphere storage policy used to provision the volume. |
persistence.persistentVolumeClaim.jobservice.jobLog.storageClass: mystorageclass | Specify the vSphere storage policy used to provision the volume. |
persistence.persistentVolumeClaim.database.size: size | If you are performing a new installation of Harbor v2.10.3, increase the value from 1Gi to 10Gi, if you have sufficient available disk space. |
persistence.persistentVolumeClaim.database.storageClass: mystorageclass | Specify the vSphere storage policy used to provision the volume. |
persistence.persistentVolumeClaim.redis.size: size | If you are performing a new installation of Harbor v2.10.3, increase the value from 1Gi to 10Gi, if you have sufficient available disk space. |
persistence.persistentVolumeClaim.redis.storageClass: mystorageclass | Specify the vSphere storage policy used to provision the volume. |
persistence.persistentVolumeClaim.registry.size: size | If you are performing a new installation of Harbor v2.10.3, increase the value from 1Gi to 10Gi, if you have sufficient available disk space. |
persistence.persistentVolumeClaim.trivy.storageClass: mystorageclass | Specify the vSphere storage policy used to provision the volume. |
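The example values above (change-it, 0123456789ABCDEF) are placeholders, and secretKey and xsrfKey have fixed lengths. The following is an added example, not part of the Harbor package or VMware tooling: a pre-install check that flags placeholder, missing, or wrong-length secrets in parsed data values and generates replacements. The function names, the alphanumeric alphabet, the 24-character default for fields with no stated length, and the SAMPLE input are assumptions made for illustration.

```python
import secrets
import string

# Secret fields from the data values table: dotted path -> required length.
# None means the table states no length; generate() then uses 24 (assumption).
SECRET_FIELDS = {
    "harborAdminPassword": None, "secretKey": 16, "database.password": None,
    "core.secret": None, "xsrfKey": 32, "jobservice.secret": None,
    "registry.secret": None,
}
# The documentation's sample values, which must not reach a real cluster.
PLACEHOLDERS = {"change-it", "0123456789ABCDEF", "0123456789ABCDEF0123456789ABCDEF"}
ALPHABET = string.ascii_letters + string.digits  # assumed character set

# Constructed sample: the page's example values as a parsed YAML mapping, with
# a too-short xsrfKey and no registry.secret to exercise every finding type.
SAMPLE = {
    "hostname": "myharbordomain.com", "harborAdminPassword": "change-it",
    "secretKey": "0123456789ABCDEF", "database": {"password": "change-it"},
    "core": {"secret": "change-it"}, "xsrfKey": "short",
    "jobservice": {"secret": "change-it"},
}

def lookup(values, dotted):
    """Walk a nested dict along a dotted path; return None if absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def lint(values):
    """Return (path, problem) findings for every secret field."""
    findings = []
    for path, length in SECRET_FIELDS.items():
        value = lookup(values, path)
        if not isinstance(value, str) or not value:
            findings.append((path, "missing"))
        elif value in PLACEHOLDERS:
            findings.append((path, "documentation placeholder"))
        elif length is not None and len(value) != length:
            findings.append((path, f"must be {length} chars, got {len(value)}"))
    return findings

def generate():
    """Build a nested dict of fresh random secrets with the required lengths."""
    out = {}
    for path, length in SECRET_FIELDS.items():
        *parents, leaf = path.split(".")
        node = out
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = "".join(secrets.choice(ALPHABET) for _ in range(length or 24))
    return out
```

Run lint() on the parsed data values before applying them and treat any finding as a failed check. Merge the output of generate() into the file in place of the placeholders.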
The Harbor configuration is set in the harbor-data-values.yaml file. The table lists and describes the minimum required fields for deployment.
Property | Value | Description |
---|---|---|
hostname | FQDN | The FQDN that you have designated to access the Harbor UI and for referencing the registry in client applications. The domain should be configured in an external DNS server such that it resolves to the Envoy Service IP created by Contour. |
tlsCertificate.tlsSecretLabels | {"managed-by": "vmware-vRegistry"} | The certificate that Tanzu Kubernetes Grid uses to install the Harbor CA as a trusted root on Tanzu Kubernetes Grid clusters. |
persistence.persistentVolumeClaim.registry.storageClass | A storage policy name. | A storage class that is used for the Harbor registry PVCs. |
persistence.persistentVolumeClaim.jobservice.jobLog.storageClass | A storage policy name. | A storage class that is used for the Harbor jobservice PVCs. |
persistence.persistentVolumeClaim.database.storageClass | A storage policy name. | A storage class that is used for the Harbor database PVCs. |
persistence.persistentVolumeClaim.redis.storageClass | A storage policy name. | A storage class that is used for the Harbor redis PVCs. |
persistence.persistentVolumeClaim.trivy.storageClass | A storage policy name. | A storage class that is used for Harbor trivy PVCs. |
When upgrading Harbor, VMware recommends only upgrading from N-1 or N-2 versions, to avoid database migration gaps.