Install highly available MSR¶
Generate a configuration values file for the chart:
helm show values oci://registry.mirantis.com/harbor/helm/msr --version <MSR-VERSION> > msr-values.yaml
Helm automatically creates certificates. To manually create your own, follow these steps:
Create a directory for certificates named
certs:mkdir certsCreate a
certs.conftext file in thecertsdirectory:[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = State L = City O = Organization OU = Organizational Unit CN = msr [v3_req] keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] IP.1 = <IP-ADDRESS-OF-WORKERNODE> # Replace with your actual IP address
Generate the certificate and the key using the
certs.conffile you just created:openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -config certs.conf
If you are using the Helm certificates skip this step. If you manually created your own certificates, create the Kubernetes secret. Run the following command from outside of the
certsfolder:kubectl create secret tls <NAME-OF-YOUR-SECRET> \ --cert=certs/tls.crt \ --key=certs/tls.key
Modify the
msr-values.yamlfile to configure MSR:Set the expose type:
expose: # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" # and fill the information in the corresponding section type: nodePort
Set the cert source to TLS and the secret name:
certSource: secret secret: # The name of secret which contains keys named: # "tls.crt" - the certificate # "tls.key" - the private key secretName: "<NAME-OF-YOUR-SECRET>"
Set the
nodePortports to allownodePort ingress. You can use any ephemeral port. Some Kubernetes distributions restrict the range. Generally accepted range is 32768-35535.nodePort: # The name of NodePort service name: harbor ports: http: # The service port Harbor listens on when serving HTTP port: 80 # The node port Harbor listens on when serving HTTP nodePort: <httpNodePort> https: # The service port Harbor listens on when serving HTTPS port: 443 # The node port Harbor listens on when serving HTTPS nodePort: <httpNodePort>
Set the external URL, if using nodePort use a worker node IP address (the same one that you used in generating the cert):
externalURL: <A-WORKER-NODE-EXTERNAL-IP:httpsNodePort>
Enable data persistence:
persistence: enabled: true
If you are using a named StorageClass (as opposed to the default StorageClass) you need to specify it as shown in the following sample:
persistence: enabled: true resourcePolicy: "keep" persistentVolumeClaim: registry: existingClaim: "" storageClass: “<STORAGE-CLASS-NAME>” subPath: "" accessMode: ReadWriteOnce size: 5Gi annotations: {}
Set the initial admin password:
harborAdminPassword: "Harbor12345"
Note
After you launch MSR 4, change the admin password from the MSR web UI, or provide an existing secret by using the
existingSecretAdminPasswordKeyparameter.Set the replica number to at least 2 under
portal,registry,core,trivyand jobservice:jobservice: image: repository: harbor-jobservice replicas: 2
Set PostgreSQL as an external database:
database: # if external database is used, set "type" to "external" # and fill the connection information in "external" section type: external
Update external database section to reflect PostgreSQL configuration:
external: sslmode: require host: <POSTGRES-SERVICE-IP-ADDRESS> port: <POSTGRES-SERVICE-PORT-NUMBER> coreDatabase: registry username: msr existingSecret: msr.msr-postgres.credentials.postgresql.acid.zalan.do
Set Redis as an external database:
redis: # if external Redis is used, set "type" to "external" # and fill the connection information in "external" section type: external
Update the external Redis configuration:
external: addr: msr-redis-master:<REDIS-PORT-NUMBER> existingSecret: msr-redis-secret
Check you settings against a full example of MSR configuration:
expose: type: loadBalancer persistence: enabled: true resourcePolicy: "keep" persistentVolumeClaim: registry: storageClass: "<STORAGE-CLASS-NAME>" accessMode: ReadWriteOnce size: 5Gi jobservice: jobLog: storageClass: "<STORAGE-CLASS-NAME>" accessMode: ReadWriteOnce size: 5Gi trivy: storageClass: "<STORAGE-CLASS-NAME>" accessMode: ReadWriteOnce size: 5Gi portal: replicas: 2 core: replicas: 2 jobservice: replicas: 2 registry: replicas: 2 trivy: replicas: 2 database: type: external external: sslmode: require host: "<POSTGRES-SERVICE-IP-ADDRESS>" # Replace with actual IP port: "<POSTGRES-SERVICE-PORT-NUMBER>" # Replace with actual port coreDatabase: registry username: msr existingSecret: msr.msr-postgres.credentials.postgresql.acid.zalan.do redis: type: external external: addr: "msr-redis-master:<REDIS-PORT-NUMBER>" existingSecret: msr-redis-secret
Install MSR using Helm:
helm install my-release oci://registry.mirantis.com/harbor/helm/msr --version <MSR-VERSION> -f <PATH-TO/msr-values.yaml>
Configure Docker to trust the self-signed certificate. On the system logged into MSR:
Create a directory:
/etc/docker/certs.d/<IPADDRESS:NODEPORT>
Move and rename the certificate:
mv tls.crt /etc/docker/certs.d/<IPADDRESS:NODEPORT>/ca.crt
Access the MSR web UI at
https://<WORKER-NODE-EXTERNAL-IP>:<httpsNodePort>provided the same NodePort numbers were used as specified in this guide. You can also log in using:docker login <WORKER-NODE-EXTERNAL-IP>:<httpsNodePort>
Warning
By default, robot account names start with the
$character, which some software may interpret as a variable. As such, you should change the default prefix to avoid any potential issues:Log in to the MSR 4 web UI with an account that has administrator privileges.
Navigate to Configuration and select System Settings.
In the Robot Name Prefix row, modify the prefix.