Thursday, 14 November 2024

HARBOR-centos7 OK

 

Harbor 2.7.0 Installation on Centos 7 using docker and docker compose.

https://medium.com/@perezmark.tomcat/harbor-2-7-0-installation-on-centos-7-using-docker-and-docker-compose-a912067563dd
Mark Perez


Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.

Installation Process

The standard Harbor installation process involves the following stages:

  1. Make sure that your target host meets the Harbor Installation Prerequisites (Harbor docs | Harbor Installation Prerequisites, goharbor.io)
  2. Download the Harbor Installer
  3. Configure HTTPS Access to Harbor
  4. Configure the Harbor YML File
  5. Run the Installer Script

Prerequisites:

Docker Engine — Version 17.06.0-ce+ or higher

Docker Compose — docker-compose (v1.18.0+) or docker compose v2 (docker-compose-plugin)

Openssl — Latest is preferred.

CPU Minimum: 2 CPU, Recommended 4 CPU

MEM Minimum: 4 GB, Recommended 8 GB

DISK Minimum: 40 GB, Recommended 160 GB

Step 1: Provision Centos 7 VM

For this tutorial I provision a Centos 7 VM on GCP

Step 2: Install Docker & wget

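In your VM:

# Download the Docker convenience script first so it can be inspected, then run it as root
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo yum install wget -y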

[root@harbor ~]# docker version
Client: Docker Engine - Community
Version: 20.10.23
API version: 1.41
Go version: go1.18.10
Git commit: 7155243
Built: Thu Jan 19 17:36:21 2023
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.23
API version: 1.41 (minimum version 1.12)
Go version: go1.18.10
Git commit: 6051f14
Built: Thu Jan 19 17:34:26 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.16
GitCommit: 31aa4358a36870b21a992d3ad2bef29e1d693bec
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Step 3: Install Docker Compose

sudo curl -SL https://github.com/docker/compose/releases/download/v2.15.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose

sudo chmod +x /usr/local/bin/docker-compose
[root@harbor ~]# docker compose version
Docker Compose version v2.15.1

Step 4: Install OpenSSL for Certificates

sudo yum install openssl -y 

Step 5: Download Harbor installer.

Releases · goharbor/harbor (github.com)

wget https://github.com/goharbor/harbor/releases/download/v2.7.0/harbor-online-installer-v2.7.0.tgz

[root@harbor ~]# ll
total 12
-rw-r--r--. 1 root root 10987 Dec 19 02:43 harbor-online-installer-v2.7.0.tgz

Step 6: Create Certificates using openssl for HTTPS.

For the hostname I’m using my.harbor.com

mkdir -p cert
cd cert

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=PH/ST=NCR/L=Manila/O=Any/OU=Personal/CN=my.harbor.com" \
-key ca.key \
-out ca.crt


openssl genrsa -out my.harbor.com.key 4096


openssl req -sha512 -new \
-subj "/C=CN/ST=NCR/L=Manila/O=Any/OU=Personal/CN=my.harbor.com" \
-key my.harbor.com.key \
-out my.harbor.com.csr


cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=my.harbor.com
EOF




openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in my.harbor.com.csr \
-out my.harbor.com.crt

openssl x509 -inform PEM -in my.harbor.com.crt -out my.harbor.com.cert

[root@harbor ~]# ls cert
ca.crt ca.key ca.srl my.harbor.com.cert my.harbor.com.crt my.harbor.com.csr my.harbor.com.key v3.ext

Copy the .crt and .key files into the /data/cert folder:

mkdir -p /data/cert/
cp my.harbor.com.crt /data/cert/
cp my.harbor.com.key /data/cert/

[root@harbor ~]# ls /data/cert/
my.harbor.com.crt my.harbor.com.key

Copy the .cert, .key and ca.crt files to the Docker certs directory:

Note: make sure that the name of the folder is the same as your hostname and port.

mkdir -p /etc/docker/certs.d/my.harbor.com:8443/
cp my.harbor.com.cert /etc/docker/certs.d/my.harbor.com:8443/
cp my.harbor.com.key /etc/docker/certs.d/my.harbor.com:8443/
cp ca.crt /etc/docker/certs.d/my.harbor.com:8443/

[root@harbor ~]# ls /etc/docker/certs.d/my.harbor.com:8443/
ca.crt my.harbor.com.cert my.harbor.com.key
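
A pre-deployment check for the certificates generated in this step, added here as an example (it is not part of the original tutorial): it confirms that the server certificate chains to the CA, lists the hostname in subjectAltName (Go-based clients such as Docker match the hostname against the SAN only, not the CN), and belongs to the private key. The function names and the throwaway demo certificates are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify a Harbor server certificate before deploying it.

# san_has_host CERT HOST: succeed only if HOST is listed as a DNS SAN entry.
san_has_host() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$2"
}

# check_harbor_cert CA_CERT SERVER_CERT SERVER_KEY HOST: return 0 if all checks pass.
check_harbor_cert() {
  rc=0
  # 1. The server certificate must chain to the CA that clients will trust.
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' ||
    { echo "FAIL: $2 is not signed by $1"; rc=1; }
  # 2. The hostname must be in subjectAltName; a matching CN alone is not enough.
  san_has_host "$2" "$4" ||
    { echo "FAIL: $4 is missing from subjectAltName"; rc=1; }
  # 3. The private key must belong to the certificate (empty output never matches).
  pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $3 does not match $2"; rc=1; }
  return "$rc"
}

# make_demo_certs DIR HOST yes|no: build a throwaway CA and server certificate,
# with or without a SAN (constructed test data; 2048-bit keys and 1-day
# validity keep the demo fast).
make_demo_certs() (
  cd "$1" || exit 1
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 1 \
    -subj "/O=Demo/CN=Demo Root CA" -key ca.key -out ca.crt
  openssl genrsa -out srv.key 2048 2>/dev/null
  openssl req -sha512 -new -subj "/O=Demo/CN=$2" -key srv.key -out srv.csr
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > v3.ext
  if [ "$3" = yes ]; then printf 'subjectAltName=DNS:%s\n' "$2" >> v3.ext; fi
  openssl x509 -req -sha512 -days 1 -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in srv.csr -out srv.crt 2>/dev/null
)

demo=$(mktemp -d)
make_demo_certs "$demo" my.harbor.com yes
check_harbor_cert "$demo/ca.crt" "$demo/srv.crt" "$demo/srv.key" my.harbor.com &&
  echo "all checks passed"
rm -rf "$demo"
```

Against the files from this step, call it from the cert directory as check_harbor_cert ca.crt my.harbor.com.crt my.harbor.com.key my.harbor.com.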

Step 7: Install Harbor

tar -xvf harbor-online-installer-v2.7.0.tgz
cd harbor

Edit the harbor.yml.tmpl template and save it as harbor.yml.

You can choose the port for the http and https.

hostname: my.harbor.com

# https related config
https:
  # https port for harbor, default is 443
  port: 8443
  # The path of cert and key files for nginx
  certificate: /data/cert/my.harbor.com.crt
  private_key: /data/cert/my.harbor.com.key

# Initial admin password; it only applies on first install, so change it from the UI afterwards
harbor_admin_password: admin

Inside the harbor folder, run:

./prepare

docker compose up -d

Then check that the containers are up:

[root@harbor ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
19755a629759 goharbor/harbor-jobservice:v2.7.0 "/harbor/entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-jobservice
d5999a3d4a20 goharbor/nginx-photon:v2.7.0 "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes (healthy) 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp, 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp nginx
f2b8d084368f goharbor/harbor-core:v2.7.0 "/harbor/entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-core
355020aa5c04 goharbor/redis-photon:v2.7.0 "redis-server /etc/r…" 10 minutes ago Up 10 minutes (healthy) redis
97eec786f2dd goharbor/harbor-registryctl:v2.7.0 "/home/harbor/start.…" 10 minutes ago Up 10 minutes (healthy) registryctl
a365effeed86 goharbor/harbor-db:v2.7.0 "/docker-entrypoint.…" 10 minutes ago Up 10 minutes (healthy) harbor-db
c14d58a8b0b9 goharbor/registry-photon:v2.7.0 "/home/harbor/entryp…" 10 minutes ago Up 10 minutes (healthy) registry
1742ab1d2cc6 goharbor/harbor-portal:v2.7.0 "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes (healthy) harbor-portal
7830bc74811c goharbor/harbor-log:v2.7.0 "/bin/sh -c /usr/loc…" 10 minutes ago Up 10 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log

In your browser:

You can download the certificate you generated to enable HTTPS.

Log in using the credentials you provided in the harbor.yml file.

Conclusion

In this tutorial, we’ve installed Harbor on CentOS 7 using Docker and Docker Compose and configured HTTPS access.

=====================================================

mkdir -p cert
cd cert

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=PH/ST=NCR/L=Manila/O=Any/OU=Personal/CN=harbor.yogya.com" \
 -key ca.key \
 -out ca.crt

openssl genrsa -out harbor.yogya.com.key 4096

openssl req -sha512 -new \
    -subj "/C=CN/ST=NCR/L=Manila/O=Any/OU=Personal/CN=harbor.yogya.com" \
    -key harbor.yogya.com.key \
    -out harbor.yogya.com.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.yogya.com
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.yogya.com.csr \
    -out harbor.yogya.com.crt

openssl x509 -inform PEM -in harbor.yogya.com.crt -out harbor.yogya.com.cert

HARBOR-install kubernetes

 

Setting Up Harbor Registry on Kubernetes Using Helm Chart

https://vishynit.medium.com/setting-up-harbor-registry-on-kubernetes-using-helm-chart-5989d7c8df2a
Vishal Gupta


Harbor is an open-source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. Setting up Harbor on Kubernetes using Helm is a streamlined process that allows you to deploy a fully functional container registry quickly and efficiently. This guide walks you through the necessary steps to set up Harbor using a Helm chart.

Prerequisites

Before you start, ensure you have the following prerequisites:

  1. Kubernetes Cluster: A running Kubernetes cluster (v1.12+).
  2. Helm: Helm 3 installed on your local machine.
  3. kubectl: kubectl installed and configured to interact with your Kubernetes cluster.

Step 1: Add the Harbor Helm Repository

First, add the Harbor Helm repository to your Helm client:

helm repo add harbor https://helm.goharbor.io
helm repo update

Step 2: Create a Namespace for Harbor

Create a dedicated namespace for Harbor to keep things organized:

kubectl create namespace harbor

Step 3: Install Harbor with Helm

You can install Harbor with the default configuration using the following command:

helm install harbor harbor/harbor --namespace harbor

This will deploy Harbor with default settings. However, for production environments, you may want to customize the configuration.

Step 4: Customize Harbor Configuration

To customize Harbor’s settings, you need to have SSL certs and a custom configuration created in a values.yaml file. This file allows you to override default settings.

Step 4a: Create SSL Certs

A container registry needs a TLS certificate signed by a known certificate authority. Self-signed certificates can be used when deploying Harbor, but image push/pull will fail unless you trust the CA. Free SSL certs signed by a CA can be generated using the Let's Encrypt certbot or from this portal. Once you get the certificate and key, rename the cert to tls.crt and the key to tls.key and store their contents as a Secret.

kubectl create secret tls harbor-cert --key tls.key --cert tls.crt -n harbor

Step 4b: Install Harbor using custom configuration

Here is an example of a basic values.yaml file that uses the secret created above, which contains the SSL cert. Make sure your Kubernetes service provider supports the LoadBalancer service type.

expose:
  # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer"
  # and fill the information in the corresponding section
  type: loadBalancer
  tls:
    # Enable TLS or not.
    # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress"
    # Note: if the "expose.type" is "ingress" and TLS is disabled,
    # the port must be included in the command when pulling/pushing images.
    # Refer to https://github.com/goharbor/harbor/issues/5291 for details.
    enabled: true
    # The source of the tls certificate. Set as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    # The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    # tls certificate is configured in the ingress controller, choose this option
    certSource: secret
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: "harbor-cert"
      notarySecretName: "harbor-cert"
  ingress:
    hosts:
      core: harbor.mydomain.com
      notary: harbor.mydomain.com

# The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
# the value of "expose.ingress.hosts.core"
# 2) if "expose.type" is "clusterIP", the "domain" should be
# the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be
# the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://harbor.mydomain.com

# The initial password of Harbor admin. Change it from portal after launching Harbor
# or give an existing secret for it
# key in secret is given via (default to HARBOR_ADMIN_PASSWORD)
# existingSecretAdminPassword:
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
harborAdminPassword: "Harbor@12345"

Step 5: Deploy Harbor with Custom Values

Use your custom values.yaml file to deploy Harbor:

helm install harbor harbor/harbor --namespace harbor -f values.yaml

Step 6: Verify the Installation

Check the status of your Harbor deployment:

helm status harbor -n harbor

Ensure all Harbor components are running:

kubectl get pods -n harbor

Step 7: Access Harbor

If you’ve configured Harbor to use an ingress, you can access it via the URL specified in your values.yaml file (e.g., https://harbor.mydomain.com). Ensure your DNS settings are configured to point to your Kubernetes load balancer IP.

End Note

The configuration above is very basic. For a production-grade setup, make sure that an external database and an external Redis are created and used with Harbor.
