Install MSR on MKE 3#
This guide describes how to configure the Gateway API, discover the NodePort, and deploy Mirantis Secure Registry (MSR) on Mirantis Kubernetes Engine (MKE) 3.9 or later.
Prerequisites#
Ensure that the following components are installed and configured before deploying MSR:
Prepare the Envoy Gateway Infrastructure#
Envoy Gateway requires a Gateway resource and a TLS certificate to terminate HTTPS traffic. If you are performing a proof-of-concept (PoC) or internal testing, you can generate a temporary self-signed certificate using these steps.
Enterprise deployments
For enterprise deployments, create the secret using a certificate signed by your organization's Trusted Certificate Authority (CA) or a public CA. Ensure the certificate includes the Fully Qualified Domain Name (FQDN) of your MSR instance in the Subject Alternative Name (SAN) field.
-
Create a namespace:
kubectl create namespace msr4 -
Create a Kubernetes TLS secret for the Envoy Gateway HTTPS listener to terminate TLS at the edge:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout msr.key -out msr.crt -subj "/CN=msr.example.com" kubectl create secret tls msr-tls-cert -n <MSR4 namespace> --cert=msr.crt --key=msr.key
Configure the Envoy Gateway#
Configure how Envoy Gateway is exposed externally.
-
Apply EnvoyProxy (NodePort Strategy) to create a NodePort service for Envoy Gateway.
Port
33002is used in the following example; you may substitute this with any available port within your allowed NodePort range.kubectl apply -n <MSR4 namespace> -f - <<EOF apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: msr-envoy-proxy namespace: <MSR4 namespace> spec: provider: type: Kubernetes kubernetes: envoyService: type: NodePort patch: type: StrategicMerge value: spec: externalTrafficPolicy: Cluster ports: - name: https-443 nodePort: 33002 port: 443 protocol: TCP targetPort: 10443 EOF -
Apply the Gateway to trigger the deployment of the actual Envoy proxy pods:
kubectl apply -n <MSR4 namespace> -f - <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: msr-gateway namespace: <MSR4 namespace> spec: gatewayClassName: mke-gateway-ingress infrastructure: parametersRef: group: gateway.envoyproxy.io kind: EnvoyProxy name: msr-envoy-proxy listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: [{name: msr-tls-cert}] allowedRoutes: namespaces: from: Selector selector: matchLabels: kubernetes.io/metadata.name: <MSR4 namespace> EOF
Deploy MSR 4#
Configure the MSR Helm chart to use the Gateway API instead of Ingress.
-
Prepare the
values.yamlfile:expose: type: route tls: enabled: false # TLS is handled by the Gateway route: parentRefs: - name: msr-gateway namespace: <MSR4 namespace> kind: Gateway hosts: - "<YOUR_INGRESS_HOSTNAME>" externalURL: https://<YOUR_INGRESS_HOSTNAME>:33002 -
Install the Helm chart:
helm install <MSR4 deployment name> oci://registry.mirantis.com/harbor/helm/msr --version <MSR version> -n <MSR4 namespace> -f values.yml
Apply X-Forwarded Headers#
Because the external NodePort (for example, 33002) differs from the internal
Envoy port 443, you must patch the HTTPRoute to set the correct forwarded headers.
kubectl patch httproute <MSR4 httproute name> -n <MSR4 namespace> --type=json -p='[
{
"op": "add",
"path": "/spec/rules/0/filters",
"value": [{
"type": "RequestHeaderModifier",
"requestHeaderModifier": {
"set": [
{"name": "X-Forwarded-Proto", "value": "https"},
{"name": "X-Forwarded-Port", "value": "33002"}
]
}
}]
}
]'
Verify Gateway Configuration#
-
Check the status of the
HTTPRouteto ensure the Gateway has accepted it:kubectl get httproute <MSR4 httproute name> -n <MSR4 namespace> -o jsonpath='{.status.parents[0].conditions}' | jqThe output should include
"reason": "Accepted"and"status": "True". -
Open a web browser and navigate to
https://<YOUR_INGRESS_HOSTNAME>:33002to confirm that the service is accessible.