Install HA MSR¶
Get the Harbor
values.yamlfile:helm show values oci://registry.mirantis.com/harbor/helm/harbor > harbor-values.yaml
Helm automatically creates certificates. To manually create your own, follow these steps:
Create a directory for certificates named
certs:mkdir certsCreate a
harbor.conftext file in thecertsdirectory:[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = State L = City O = Organization OU = Organizational Unit CN = msr [v3_req] keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] IP.1 = <IP-ADDRESS-OF-WORKERNODE> # Replace with your actual IP address
Generate the certificate and the key using the
harbor.conffile you just created:openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -config harbor.conf
If you are using the Helm certificates skip this step. If you manually created your own certificates, create the Kubernetes secret. Run the following command from outside of the
certsfolder:“kubectl create secret tls <NAME-OF-YOUR-SECRET> \ --cert=certs/tls.crt \ --key=certs/tls.key
Modify the
harbor-values.yamlfile to configure MSR:Set the expose type:
expose: # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" # and fill the information in the corresponding section type: nodePort
Set the cert source to TLS and the secret name:
certSource: secret secret: # The name of secret which contains keys named: # "tls.crt" - the certificate # "tls.key" - the private key secretName: "<NAME-OF-YOUR-SECRET>"
Set the
nodePortports to allownodePort ingress. You can use any ephemeral port. Some Kubernetes distributions restrict the range. Generally accepted range is 32768-35535.nodePort: # The name of NodePort service name: harbor ports: http: # The service port Harbor listens on when serving HTTP port: 80 # The node port Harbor listens on when serving HTTP nodePort: 32769 https: # The service port Harbor listens on when serving HTTPS port: 443 # The node port Harbor listens on when serving HTTPS nodePort: 32770
Set the external URL, if using nodePort use a worker node IP address (the same one that you used in generating the cert):
externalURL: <A-WORKER-NODE-EXTERNAL-IP:httpsnodePort>
Enable data persistence:
persistence: enabled: true
If you are using a named StorageClass (as opposed to the default StorageClass) you need to specify it as shown in the following sample:
persistence: enabled: true resourcePolicy: "keep" persistentVolumeClaim: registry: existingClaim: "" storageClass: “<nameofstorageclass>” subPath: "" accessMode: ReadWriteOnce size: 5Gi annotations: {}
Set the default admin password (reset after initial setup from UI, can also be set by secret):
harborAdminPassword: "HarborPassword"
Set the replica number to at least 2 under
portal,registry,core,trivyand jobservice:jobservice: image: repository: harbor-jobservice replicas: 2
Set PostgreSQL as an external database:
database: # if external database is used, set "type" to "external" # and fill the connection information in "external" section type: external
Update external database section to reflect PostgreSQL configuration:
external: host: "<POOLSERVICENAME>" port: "<PORT>" username: "postgres" password: "<PASSWORD>"
Set Redis as an external database:
redis: # if external Redis is used, set "type" to "external" # and fill the connection information in "external" section type: external
Update the external Redis configuration:
external: # support redis, redis+sentinel # addr for redis: <HOST_REDIS>:<PORT_REDIS> # addr for redis+sentinel: <HOST_SENTINEL_1>:<PORT_SENTINEL_1>,<HOST_SENTINEL_2>:<PORT_SENTINEL_2>,<HOST_SENTINEL_3>:<PORT_SENTINEL_3> addr: "<SERVICE_NAME:PORT" # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel sentinelMasterSet: "" # The "coreDatabaseIndex" must be "0" as the library Harbor # used doesn't support configuring it # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional coreDatabaseIndex: "0" jobserviceDatabaseIndex: "1" registryDatabaseIndex: "2" trivyAdapterIndex: "5" # harborDatabaseIndex: "6" # cacheLayerDatabaseIndex: "7" # username field can be an empty string, and it will be authenticated against the default user username: "" password: "<PASSWORD>"
Check you settings against a full example of MSR configuration:
expose: type: loadBalancer persistence: enabled: true resourcePolicy: "keep" persistentVolumeClaim: registry: storageClass: "<nameofstorageclass>" accessMode: ReadWriteOnce size: 5Gi jobservice: jobLog: storageClass: "<nameofstorageclass>" accessMode: ReadWriteOnce size: 5Gi trivy: storageClass: "<nameofstorageclass>" accessMode: ReadWriteOnce size: 5Gi portal: replicas: 2 core: replicas: 2 jobservice: replicas: 2 registry: replicas: 2 trivy: replicas: 2 database: type: external external: host: "postgresql-ha-pgpool.${namespace}.svc.cluster.local" port: "5432" coreDatabase: "harbor_core" username: "postgres" password: "${postgres password here}" redis: type: external external: addr: "redis-master.${namespace}.svc.cluster.local:6379" sentinelMasterSet: "" coreDatabaseIndex: "0" jobserviceDatabaseIndex: "1" registryDatabaseIndex: "2" trivyAdapterIndex: "5" username: "" password: "${redis password here}"
Install MSR using Helm:
helm install my-release oci://registry.mirantis.com/harbor/helm/harbor -f <PATH-TO/harbor-values.yaml>
Configure Docker to trust the self-signed certificate. On the system logged into MSR:
Create a directory:
/etc/docker/certs.d/<IPADDRESS:NODEPORT>
Move and rename the certificate:
mv tls.crt /etc/docker/certs.d/<IPADDRESS:NODEPORT>/ca.crt
Access the MSR UI at
https://<WORKER-NODE-EXTERNAL-IP>:32767provided the same NodePort numbers were used as specified in this guide. You can also log in using:docker login <WORKER-NODE-EXTERNAL-IP>:32767