Installing and Configuring Harbor on a Supervisor in vSphere IaaS Control Plane

Checkout how to install and configure Harbor as a Supervisor Service. You can then use Harbor as a registry for workloads running on TKG clusters and vSphere Pods. Harbor requires Contour as ingress controller, therefore you first install the Contour Supervisor Service then you install Harbor.

Install Harbor as a Supervisor Service

You install Harbor as a Supervisor Service trough the Workload Managementt option in the vSphere Client.

Prerequisites

Verify that you have upgraded to vCenter Server 8.0a or higher. Contour and Harbor Supervisor Services are supported with vCenter Server 8.0a and higher.
Verify that you have the Manage Supervisor Services privilege on the vCenter Server system where you add the services.
Install Contour as a Supervisor Service on the same Supervisor where you want to install Harbor. See Install Contour as a Supervisor Service in vSphere IaaS Control Plane.
Designate and FQDN for accessing the Harbor admin UI.

Procedure

Go to the Harbor Versions section of the Supervisor-Services repository and download the following files:
- The Harbor service definition, the link is named Harbor vX.X.X.. For example Harbor 2.5.3
- The Harbor configuration file, the link named values for vX.X.X. For example values 2.5.3
The resulting files look like this:
- harbor.yml
- harbor-data-values.yml
In the vSphere Client go to Workload Management , and select Services.
Deploy the Harbor operator by clicking Add New Service and uploading the harbor.yml service definition. .

Once the Harbor operator is deployed, it appears in the Services tab:

Now that the Harbor operator is deployed, you can install the Supervisor Service on the same Supervisor where Contour runs .

Open the harbor-data-values.yml file and edit the properties as required.

Property	Value	Description
hostname: myharbor.com https: 443	FQDN	Change to the FQDN that you have designated to access the Harbor admin UI.
tlsCertificate: tlsSecretLabels: {"managed-by": "vmware-vRegistry"}	Note: Do not change	This value is required for the TKG integration to work.
harborAdminPassword: Harbor12345	Optionally change	The Harbor password that is used during installation. You can change it through the Harbor admin UI, once the service is installed.
secretKey: 0123456789ABCDEF	String of 16 characters	The secret key used for encryption. Must be a string of 16 chars.
database: password: change-it	A secure password	An initial password used for the Postgres database.
core: replicas: secret: change-it xsrfKey: 0123456789ABCDEF0123456789ABCDEF jobservice: replicas: 1 secret: change-it registry: replicas: secret: change-it	Strings for the secrets and a 32 character XSRF key string	Change to setup your own secrets.
persistence: persistentVolumeClaim: registry: storageClass: "insert-storage-class-name-here" subPath: "" accessMode: ReadWriteOnce size: 10Gi jobservice: storageClass: "insert-storage-class-name-here" subPath: "" accessMode: ReadWriteOnce size: 1Gi database: storageClass: "insert-storage-class-name-here" subPath: "" accessMode: ReadWriteOnce size: 1Gi redis: storageClass: "insert-storage-class-name-here" subPath: "" accessMode: ReadWriteOnce size: 1Gi trivy: storageClass: "insert-storage-class-name-here" subPath: "" accessMode: ReadWriteOnce size: 5Gi	Storage class name	The storage policies that will be used as storage classes for provisioning PVCs , in the Harbor registry, job service, database, and so on. Set each of the properties to existing storage policies that are available in your environment. Change the storage policy name to a valid storage class name by replacing all the upper case letters with lower case letters as well, as replace all of "_" symbols and spaces with a dash, "-". For example, modify `Harbor Storage Policy` to `harbor-storage-policy`.
network: ipFamilies: ["IPv4"]	Note: Do not change	IPv6 is not supported.

Go back to Workload Management > Services and in the Harbor service card, select Actions > Install on Supervisors.
Select the Supervisor where Contour runs and in YAML Service Config copy and paste the contents of the modified harbor-data-values.yml file.
Click OK.
Once the installation begins, you can track it by clicking the Supervisors field on the Harbor service card. It might take a few seconds until the number next to Supervisors increments. The service is in Configuring state until the desired state is reached. When the desired state is reached, the state of the service changes to Running.

Results

You can view the vSphere Namespace and vSphere Pods created for Harbor from the Hosts and Cluster view. A view of the Harbor namespace with all the containing vSphere Pods

A view of the Harbor namespace with all the containing vSphere Pods

Map the Harbor FQDN to the Envoy Ingress IP Address

After Harbor is installed successfully, include a record of the Harbor FQDN mapping to the Envoy ingress IP address in an external DNS server that is configured with the Supervisor.

TKG clusters, vSphere Pods, and the Supervisor must be able to resolve the Harbor FQDN to be able to pull images from the registry.

To locate the Envoy ingress IP address, navigate to the Contour namespace, select Network and select Services:

The screenshot shows the Envoy IP address.

Establishing Trust with the Harbor Supervisor Service

Once Harbor is installed, you must configure trust between the Supervisor and Harbor to use it as registry for vSphere Pods. TKG clusters that are on the same Supervisor as Harbor have trust established with Harbor automatically. To use Harbor as a registry for TKG clusters that run on different Supervisors, you must configure trust between Harbor and these TKG clusters.

Establish Trust Between Harbor and Supervisor

To establish trust between Harbor and the Supervisor:

Extract the Harbor CA from the Harbor UI or by using the TLS secret on the Supervisor control plane. You can get the Harbor ca.cert in the Harbor admin UI at Administration > Configuration > Registry Root Certificate > Download.

Add the Harbor CA to the image-fetcher-ca-bundle ConfigMap in the kube-system namespace. You must be logged in with a vCenter Single Sign-on administrative account and have permission to edit the image-fetcher-ca-bundle.

Configure the KUBE_EDITOR environment variable as described here:

Edit the ConfigMap using the following command:

kubectl edit configmap image-fetcher-ca-bundle -n kube-system

Append the contents of the Harbor ca.cert file to the ConfigMap beneath the existing Supervisor certificate. Make sure not to change the Supervisor certificate.

apiVersion: v1
data:
  ca-bundle: |-
    -----BEGIN CERTIFICATE-----
    MIIC/jCCAeagAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
    ...
    qB72tWi8M5++h2RGcVash0P1CUZOHkpHxGdUGYv1Z97Wl89dT2OTn3iXqn8d1JAK
    aF8=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDKDCCAhCgAwIBAgIQBbUsj7mqXXC5XRhqqU3GiDANBgkqhkiG9w0BAQsFADAU
    ...
    5q7y87vOLTr7+0MG4O01zK0dJYx2jVhZlsuduMYpfqRLLewVl0eGu/6vr2M=
    -----END CERTIFICATE-----    
kind: ConfigMap
metadata:
  creationTimestamp: "2023-03-15T14:28:34Z"
  name: image-fetcher-ca-bundle
  namespace: kube-system
  resourceVersion: "713"
  uid: 6b7611a0-25fa-40f7-b4f5-e2a13bd0afe3

Save the edits made to the file. As a result kubectl reports:
```
configmap/image-fetcher-ca-bundle edited
```

Establishing Trust Between Harbor and TKG Cluster Running on Different Supervisors than Harbor

TKG clusters running on Supervisors different than the one where Harbor is installed must have network connectivity with Harbor. These TKG clusters must be able to resolve the Harbor FQDN.

To establish trust between Harbor and the TKG clusters, extract the Harbor CA from the Harbor UI or by using the TLS secret on the Supervisor control plane, then follow the steps listed at Integrate a TKG 2 Cluster with a Private Container Registry.