You can install the Harbor Container Registry as a Supervisor Service and run Harbor as a private registry.

Prerequisites

Adhere to the following prerequisites:
Note: These instructions are validated with vSphere 8 and NSX 4 networking.

Download Required YAML Files

Download the required YAML files, including Contour and Harbor.
  1. Download the following Contour files from the Kubernetes Ingress Controller Service site:
    1. The Contour service definition file: contour.yml
    2. The Contour service configuration file: contour-data-values.yml
  2. Download the following Harbor files from the Cloud Native Registry Service site:
    1. The Harbor service definition file: harbor.yml
    2. The Harbor service configuration file: harbor-data-values.yml

Install Contour

You must install Contour first before installing Harbor.
  1. Upload contour.yml to vCenter at Workload Management > > Services > Add.
  2. Verify that the Contour Service Definition is added.
  3. Select Workload Management > Supervisors > Supervisor > Configure.
  4. Select Supervisor Services > Overview.
  5. Select the Available tab.
  6. Select Contour and click Install.
  7. Copy/paste the contents from the contour-data-values.yml to the "YAML Service Config" input field.
    Note: The Contour data values can be used as-is and require no configuration changes. The service type for Envoy is set to LoadBalancer.
  8. Click OK to proceed with the Contour installation.
  9. Verify that Contour is installed.
    1. Select the vSphere Namespace named svc-contour-domain-XXXX.
    2. Select the Network tab and then Services.
    3. You should see the contour service of type ClusterIP and envoy service of type LoadBalancer. The envoy service should have an external IP address.

Update Harbor Data Values

Before installing Harbor, update the data values file.
  1. Using a text editor, open the harbor-data-values.yml file.
  2. Make the following edits (at a minimum, other fields are optional to edit).
  3. Save the changes.
    Name Value
    hostname harbordomain.com (choose something unique)
    tlsCertificate.tlsSecretLabels {"managed-by": "vmware-vRegistry"} (verify this value but keep as is)
    persistence.persistentVolumeClaim.registry.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor)
    persistence.persistentVolumeClaim.jobservice.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor)
    persistence.persistentVolumeClaim.database.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor)
    persistence.persistentVolumeClaim.redis.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor)
    persistence.persistentVolumeClaim.trivy.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor)

Install Harbor

Install Harbor by completing the following instructions.
  1. Upload harbor.yml to vCenter at Workload Management > > Services > Add.
  2. Verify that the Harbor Service Definition is added.
  3. Select Workload Management > Supervisors > Supervisor > Configure.
  4. Select Supervisor Services > Overview.
  5. Select the Available tab.
  6. Select Harbor and click Install.
  7. Copy/paste the contents from the harbor-data-values.yml you edited to the "YAML Service Config" input field.
  8. Click OK to proceed with the Harbor installation.
  9. Verify that Harbor is installed.
    1. Select the vSphere Namespace named svc-harbor-domain-XXXX.
    2. Select the Network tab and then Services.
    3. You should see several containers installed for Harbor, each a service of type ClusterIP.

Configure DNS for Harbor

You will need to register a domain name and set up a DNS record for Harbor.
  1. Select Workload Management > Namespaces.
  2. Select the Contour namespace.
  3. Select Network > Services.
  4. Record the External IP address for the Envoy ingress service, for example 10.197.154.71.
  5. Register the Harbor domain name (FQDN) you specified in the Harbor configuration.
  6. Create a DNS "A" record using AWS Route 53 or similar service.

Log In to Harbor

Once Harbor DNS is set up, log in.
  1. Go to the domain name that you registered for Harbor.
  2. Log in at the domain using admin | password that you specified in the Harbor configuration.
  3. Change the password once logged in to something more secure.

Configure Supervisor to Trust the Harbor Registry (Optional)

TKG clusters are automatically configured to trust the Harbor Supervisor Service when both the TKG cluster and Harbor are deployed on the same Supervisor. However, Supervisor is NOT automatically configured to trust the Harbor Supervisor Service when creating vSphere Pods. Complete these steps to establish trust between Supervisor and the Harbor Service by updating the configmap with the Harbor CA certificate.
  1. In Harbor go to Administration > Configuration > System Settings.
  2. Download the Registry Root Certificate which is a file named ca.crt.
  3. Configure the KUBE_EDITOR environment variable.

    See Configure a Text Editor for Kubectl.

  4. Log in to Supervisor using kubectl.

    See Connect to Supervisor as a vCenter Single Sign-On User with Kubectl.

  5. Switch context to the Supervisor context (IP address).
  6. Edit the configmap/image-fetch-ca-bundle using the following command: 
    kubectl edit configmap image-fetcher-ca-bundle -n kube-system
  7. Copy the contents of the Harbor ca.crt file and append it the configmap beneath the existing certificate (which is for Supervisor and must not be changed.) Save the edits made to the file. You should see that Kubectl reports "configmap/image-fetcher-ca-bundle edited".