Install highly available MSR¶

Generate a configuration values file for the chart:

helm show values oci://registry.mirantis.com/harbor/helm/msr --version <MSR-VERSION>

Helm automatically creates certificates. To manually create your own, follow these steps:

Create a directory for certificates named certs:
```
mkdir certs
```

Create a certs.conf text file in the certs directory:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = Organizational Unit
CN = msr

[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = <IP-ADDRESS-OF-WORKERNODE>  # Replace with your actual IP address

Generate the certificate and the key using the certs.conf file you just created:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -config certs.conf

If you are using the Helm certificates skip this step. If you manually created your own certificates, create the Kubernetes secret. Run the following command from outside of the certs folder:
```
“kubectl create secret tls <NAME-OF-YOUR-SECRET> \
--cert=certs/tls.crt \
--key=certs/tls.key
```

Modify the msr-values.yaml file to configure MSR:

Set the expose type:

expose:
   # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer"
   # and fill the information in the corresponding section
   type: nodePort

Set the cert source to TLS and the secret name:

certSource: secret
secret:
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
   secretName: "<NAME-OF-YOUR-SECRET>"

Set the nodePort ports to allow nodePort ingress. You can use any ephemeral port. Some Kubernetes distributions restrict the range. Generally accepted range is 32768-35535.

nodePort:
# The name of NodePort service
   name: harbor
   ports:
      http:
         # The service port Harbor listens on when serving HTTP
        port: 80
        # The node port Harbor listens on when serving HTTP
        nodePort: 32769
      https:
         # The service port Harbor listens on when serving HTTPS
         port: 443
         # The node port Harbor listens on when serving HTTPS
         nodePort: 32770

Set the external URL, if using nodePort use a worker node IP address (the same one that you used in generating the cert):
```
externalURL: <A-WORKER-NODE-EXTERNAL-IP:httpsnodePort>
```

Enable data persistence:

persistence:
   enabled: true

If you are using a named StorageClass (as opposed to the default StorageClass) you need to specify it as shown in the following sample:

persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
   registry:
   existingClaim: ""
   storageClass: “<STORAGE-CLASS-NAME>”
   subPath: ""
   accessMode: ReadWriteOnce
   size: 5Gi
   annotations: {}

Set the default admin password (reset after initial setup from UI, can also be set by secret):
```
harborAdminPassword: "HarborPassword"
```
Set the replica number to at least 2 under portal, registry, core, trivy and jobservice:
```
jobservice:
  image:
   repository: harbor-jobservice
  replicas: 2
```

Set PostgreSQL as an external database:

database:
# if external database is used, set "type" to "external"
# and fill the connection information in "external" section
   type: external

Update external database section to reflect PostgreSQL configuration:

external:
   sslmode: require
   host: <POSTGRES-SERVICE-IP-ADDRESS>
   port: <POSTGRES-SERVICE-PORT-NUMBER>
   coreDatabase: registry
   username: msr
   existingSecret: msr.msr-postgres.credentials.postgresql.acid.zalan.do

Set Redis as an external database:

redis:
      # if external Redis is used, set "type" to "external"
      # and fill the connection information in "external" section
      type: external

Update the external Redis configuration:

external:
   addr: msr-redis:<REDIS-PORT-NUMBER>
   existingSecret: msr-redis-secret

Check you settings against a full example of MSR configuration:

expose:
  type: loadBalancer
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      storageClass: "<STORAGE-CLASS-NAME>"
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      jobLog:
        storageClass: "<STORAGE-CLASS-NAME>"
        accessMode: ReadWriteOnce
        size: 5Gi
    trivy:
      storageClass: "<STORAGE-CLASS-NAME>"
      accessMode: ReadWriteOnce
      size: 5Gi
portal:
  replicas: 2
core:
  replicas: 2
jobservice:
  replicas: 2
registry:
  replicas: 2
trivy:
  replicas: 2
database:
  type: external
  external:
     sslmode: require
     host: "<POSTGRES-SERVICE-IP-ADDRESS>"         # Replace with actual IP
     port: "<POSTGRES-SERVICE-PORT-NUMBER>"        # Replace with actual port
     coreDatabase: registry
     username: msr
     existingSecret: msr.msr-postgres.credentials.postgresql.acid.zalan.do
redis:
  type: external
  external:
    addr: "msr-redis:<REDIS-PORT-NUMBER>"
    existingSecret: msr-redis-secret

Install MSR using Helm:

helm install my-release oci://registry.mirantis.com/harbor/helm/msr --version <MSR-VERSION> -f <PATH-TO/msr-values.yaml>

Configure Docker to trust the self-signed certificate. On the system logged into MSR:
1. Create a directory:
```
/etc/docker/certs.d/<IPADDRESS:NODEPORT>
```
2. Move and rename the certificate:
```
mv tls.crt /etc/docker/certs.d/<IPADDRESS:NODEPORT>/ca.crt
```
3. Access the MSR UI at https://<WORKER-NODE-EXTERNAL-IP>:32767 provided the same NodePort numbers were used as specified in this guide. You can also log in using:
```
docker login <WORKER-NODE-EXTERNAL-IP>:32767
```