Install highly available MSR#
-
Generate a configuration values file for the chart:
helm show values oci://registry.mirantis.com/harbor/helm/msr --version <MSR-VERSION> > msr-values.yaml -
Helm automatically creates certificates. To manually create your own,
follow these steps:-
Create a directory for certificates named
certs:mkdir certs -
Create a
certs.conftext file in thecertsdirectory:[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = State L = City O = Organization OU = Organizational Unit CN = msr [v3_req] keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] IP.1 = <IP-ADDRESS-OF-WORKERNODE> # Replace with your actual IP address -
Generate the certificate and the key using the
certs.conffile
you just created:openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout tls.key -out tls.crt -config certs.conf
-
-
If you are using the Helm certificates skip this step. If you manually
created your own certificates, create the Kubernetes secret. Run the
following command from outside of thecertsfolder:kubectl create secret tls <NAME-OF-YOUR-SECRET> \ --cert=certs/tls.crt \ --key=certs/tls.key -
Modify the
msr-values.yamlfile to configure MSR:-
Set the expose type:
expose: # Set how to expose the service. Set the type as "ingress", # "clusterIP", "nodePort" or "loadBalancer" and fill the # information in the corresponding section type: nodePort -
Set the cert source to TLS and the secret name:
certSource: secret secret: # The name of secret which contains keys named: # "tls.crt" - the certificate # "tls.key" - the private key secretName: "<NAME-OF-YOUR-SECRET>" -
Set the
nodePortports to allownodePort ingress. You can use any
ephemeral port. Some Kubernetes distributions restrict the range.
The range32768–35535is generally accepted.nodePort: # The name of NodePort service name: harbor ports: http: # The service port Harbor listens on when serving HTTP port: 80 # The node port Harbor listens on when serving HTTP nodePort: <httpNodePort> https: # The service port Harbor listens on when serving HTTPS port: 443 # The node port Harbor listens on when serving HTTPS nodePort: <httpNodePort> -
Set the external URL, if using nodePort use a worker node IP address
(the same one that you used in generating the cert):externalURL: https://<A-WORKER-NODE-EXTERNAL-IP:httpsnodePort> -
Enable data persistence:
persistence: enabled: trueIf you are using a named StorageClass (as opposed to the default
StorageClass) you need to specify it as shown in the following sample:persistence: enabled: true resourcePolicy: "keep" persistentVolumeClaim: registry: existingClaim: "" storageClass: "<STORAGE-CLASS-NAME>" subPath: "" accessMode: ReadWriteMany size: 5Gi annotations: {} -
Set the initial admin password:
harborAdminPassword: "Harbor12345"Note
After you launch MSR 4, change the admin password from the
MSR web UI, or provide an existing secret using the
existingSecretAdminPasswordKeyparameter. -
Set the replica number to at least 2 under
portal,registry,
core,trivy, andjobservice:jobservice: image: repository: harbor-jobservice replicas: 2 -
Set PostgreSQL as an external database:
database: # if external database is used, set "type" to "external" # and fill the connection information in "external" section type: external -
Update external database section to reflect PostgreSQL configuration:
external: sslmode: require host: <POSTGRES-SERVICE-IP-ADDRESS> port: <POSTGRES-SERVICE-PORT-NUMBER> coreDatabase: registry username: msr existingSecret: msr.msr-postgres.credentials.postgresql.acid.zalan.do -
Set Redis as an external database:
redis: # if external Redis is used, set "type" to "external" # and fill the connection information in "external" section type: external -
Update the external Redis configuration:
external: addr: msr-redis-master:<REDIS-PORT-NUMBER> existingSecret: msr-redis-secret -
Check your settings against a full example of MSR configuration:
expose: type: loadBalancer persistence: enabled: true resourcePolicy: "keep" persistentVolumeClaim: registry: storageClass: "<STORAGE-CLASS-NAME>" accessMode: ReadWriteMany size: 5Gi jobservice: jobLog: storageClass: "<STORAGE-CLASS-NAME>" accessMode: ReadWriteMany size: 5Gi trivy: storageClass: "<STORAGE-CLASS-NAME>" accessMode: ReadWriteMany size: 5Gi portal: replicas: 2 core: replicas: 2 jobservice: replicas: 2 registry: replicas: 2 trivy: replicas: 2 database: type: external external: sslmode: require host: "<POSTGRES-SERVICE-IP-ADDRESS>" port: "<POSTGRES-SERVICE-PORT-NUMBER>" coreDatabase: registry username: msr existingSecret: msr.msr-postgres.credentials.postgresql.acid.zalan.do redis: type: external external: addr: "msr-redis-master:<REDIS-PORT-NUMBER>" existingSecret: msr-redis-secret
-
-
Install MSR using Helm:
helm install my-release oci://registry.mirantis.com/harbor/helm/msr \ --version <MSR-VERSION> -f <PATH-TO/msr-values.yaml> -
Configure Docker to trust the self-signed certificate.
On the system logged into MSR:-
Create a directory:
/etc/docker/certs.d/<IPADDRESS:NODEPORT> -
Move and rename the certificate:
mv tls.crt /etc/docker/certs.d/<IPADDRESS:NODEPORT>/ca.crt -
Access the MSR web UI at
https://<WORKER-NODE-EXTERNAL-IP>:<httpsNodePort>
provided the same NodePort numbers were used as specified in this
guide. You can also log in using:docker login <WORKER-NODE-EXTERNAL-IP>:<httpsNodePort>
Warning
By default, robot account names start with the
$character, which
some software may interpret as a variable. As such, you should change
the default prefix to avoid any potential issues:- Log in to the MSR 4 web UI with an account that has administrator
privileges. - Navigate to Configuration and select System Settings.
- In the Robot Name Prefix row, modify the prefix.
-