You can install the Harbor Container Registry as a Supervisor Service and run Harbor as a private registry.
Prerequisites
Adhere to the following prerequisites:
- vSphere 8 Supervisor is enabled
- Familiarized yourself with Supervsior Services
Note: These instructions are validated with vSphere 8 and NSX 4 networking.
Download Required YAML Files
Download the required YAML files, including Contour and Harbor.
- Download the following Contour files from the Kubernetes Ingress Controller Service site:
- The Contour service definition file: contour.yml
- The Contour service configuration file: contour-data-values.yml
- Download the following Harbor files from the Cloud Native Registry Service site:
- The Harbor service definition file: harbor.yml
- The Harbor service configuration file: harbor-data-values.yml
Install Contour
You must install Contour first before installing Harbor.
- Upload contour.yml to vCenter at .
- Verify that the Contour Service Definition is added.
- Select .
- Select .
- Select the Available tab.
- Select Contour and click Install.
- Copy/paste the contents from the contour-data-values.yml to the "YAML Service Config" input field.
Note: The Contour data values can be used as-is and require no configuration changes. The service type for Envoy is set to LoadBalancer.
- Click OK to proceed with the Contour installation.
- Verify that Contour is installed.
- Select the vSphere Namespace named svc-contour-domain-XXXX.
- Select the Network tab and then Services.
- You should see the contour service of type ClusterIP and envoy service of type LoadBalancer. The envoy service should have an external IP address.
Update Harbor Data Values
Before installing Harbor, update the data values file.
- Using a text editor, open the harbor-data-values.yml file.
- Make the following edits (at a minimum, other fields are optional to edit).
- Save the changes.
Name Value hostname harbordomain.com (choose something unique) tlsCertificate.tlsSecretLabels {"managed-by": "vmware-vRegistry"} (verify this value but keep as is) persistence.persistentVolumeClaim.registry.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor) persistence.persistentVolumeClaim.jobservice.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor) persistence.persistentVolumeClaim.database.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor) persistence.persistentVolumeClaim.redis.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor) persistence.persistentVolumeClaim.trivy.storageClass "vwt-storage-policy" (enter the name of the vSphere storage policy for Supervisor)
Install Harbor
Install Harbor by completing the following instructions.
- Upload harbor.yml to vCenter at .
- Verify that the Harbor Service Definition is added.
- Select .
- Select .
- Select the Available tab.
- Select Harbor and click Install.
- Copy/paste the contents from the harbor-data-values.yml you edited to the "YAML Service Config" input field.
- Click OK to proceed with the Harbor installation.
- Verify that Harbor is installed.
- Select the vSphere Namespace named svc-harbor-domain-XXXX.
- Select the Network tab and then Services.
- You should see several containers installed for Harbor, each a service of type ClusterIP.
Configure DNS for Harbor
You will need to register a domain name and set up a DNS record for Harbor.
- Select .
- Select the Contour namespace.
- Select .
- Record the External IP address for the Envoy ingress service, for example 10.197.154.71.
- Register the Harbor domain name (FQDN) you specified in the Harbor configuration.
- Create a DNS "A" record using AWS Route 53 or similar service.
Log In to Harbor
Once Harbor DNS is set up, log in.
- Go to the domain name that you registered for Harbor.
- Log in at the domain using admin | password that you specified in the Harbor configuration.
- Change the password once logged in to something more secure.
Configure Supervisor to Trust the Harbor Registry (Optional)
TKG clusters are automatically configured to trust the Harbor
Supervisor Service when both the TKG cluster and Harbor are deployed on the same
Supervisor. However,
Supervisor is NOT automatically configured to trust the Harbor
Supervisor Service when creating
vSphere Pods. Complete these steps to establish trust between
Supervisor and the Harbor Service by updating the configmap with the Harbor CA certificate.
- In Harbor go to .
- Download the Registry Root Certificate which is a file named ca.crt.
- Configure the KUBE_EDITOR environment variable.
- Log in to Supervisor using kubectl.
See Connect to Supervisor as a vCenter Single Sign-On User with Kubectl.
- Switch context to the Supervisor context (IP address).
- Edit the configmap/image-fetch-ca-bundle using the following command:
kubectl edit configmap image-fetcher-ca-bundle -n kube-system
- Copy the contents of the Harbor ca.crt file and append it the configmap beneath the existing certificate (which is for Supervisor and must not be changed.) Save the edits made to the file. You should see that Kubectl reports "configmap/image-fetcher-ca-bundle edited".