From the Docker Registry official documentation: A Registry is a stateless, highly scalable server-side application that stores and lets you distribute Docker images. Harbor is an open source registry with many additional features, such as an advanced UI, a vulnerability scanner, robot accounts and so on. For more information visit the official web page.
You should use the Harbor Registry if you want to:
- tightly control where your images are being stored.
- fully own your images distribution pipeline.
- integrate image storage and distribution tightly into your in-house development workflow.
- leverage the high-speed network that connects your servers, avoiding consuming precious Internet bandwidth to transfer images stored in the Docker Hub public service.
- leverage the Proxy Cache functionality, so as not to exceed Docker Hub’s rate limiting policy.
- have a vulnerability scanner to detect possible image vulnerabilities.
- manage your Helm Charts.
Finally, consider that, in this Kubernetes setup, users mainly instantiate VMs, whose images may be rather large. Allowing users to download a VM image from a local registry, instead of from a remote server, would greatly improve their quality of experience in terms of the time required to start their service.
To install Harbor, it is possible to leverage the official Helm Chart, appropriately configuring the values.yaml file (additional details follow in the next sections).
- Kubernetes cluster 1.10+
- Helm 3
- Highly available ingress controller (Harbor does not manage the external endpoint)
- Highly available PostgreSQL 9.6+ (Harbor does not handle the HA deployment of the database)
- Highly available Redis (Harbor does not handle the HA deployment of Redis)
- PVC that can be shared across nodes (i.e., with ReadWriteMany access mode) or external object storage
In our architecture we have a Redis-Sentinel service, instead of Redis Cluster, because with this architecture Sentinel automatically manages the failover of the master.
To enable the Redis-Sentinel architecture it is necessary to configure the following parameter in the Redis values file (redis-service-values.yaml):
sentinel.enabled=true
To deploy Redis service, it is possible to proceed as follows:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm upgrade redis bitnami/redis --namespace harbor \
--install --create-namespace --values redis-service-values.yaml
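As an added example, and not the redis-service-values.yaml stored in this repository, the following values file enables Sentinel on the bitnami/redis chart referenced above. The Secret name and key, the master set name and the replica count are assumptions; the password is referenced through an existing Secret rather than written into the file.

```yaml
# redis-service-values.yaml (added example for the bitnami/redis chart)
architecture: replication        # one master plus replicas, required by Sentinel

auth:
  enabled: true
  # Assumed Secret name and key: keeps the password out of the values file
  existingSecret: harbor-redis-credentials
  existingSecretPasswordKey: REDIS_PASSWORD

replica:
  replicaCount: 3                # three nodes, so a quorum of 2 survives one failure
  persistence:
    enabled: true
    size: 8Gi

sentinel:
  enabled: true                  # the parameter referenced above
  masterSet: mymaster            # name Harbor must use as its Sentinel master set
  quorum: 2
```

With Sentinel enabled the chart runs every node from a single StatefulSet, so Harbor has to be pointed at the Sentinel port (26379) of those nodes rather than at the Redis data port.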
A prerequisite for deploying a PostgreSQL cluster is the PostgreSQL-Operator, because it delivers an easy way to run highly available PostgreSQL clusters on Kubernetes. Once you have a PostgreSQL-Operator running, you can create your PostgreSQL cluster with the following command:
kubectl apply -f postgres-cluster-manifest.yaml
This command creates the database and applies the configuration specified by the postgres-cluster-manifest.yaml.
The following outlines the most relevant modifications applied to the Harbor values file (harbor-values.yaml):
- Configuration of how the Harbor registry is exposed (i.e., by means of an ingress), the external URL and accessory parameters (e.g., the annotations concerning certificate generation).
- Configuration of the parameters to access the Postgres database created previously.
- Configuration of the parameters to access the Redis service deployed previously.
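As an added example of the three modifications listed above, and not the repository's own harbor-values.yaml (whose secrets are redacted), the following values file targets the harbor/harbor chart. The hostname, ClusterIssuer, storage class, Kubernetes service names and Secret names are assumptions; database and Redis credentials are referenced through existing Secrets rather than written inline.

```yaml
# harbor-values.yaml (added example for the harbor/harbor chart; all names are placeholders)

# 1. How the registry is exposed: an Ingress with a cert-manager issued certificate
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-tls            # populated by cert-manager through the annotation below
  ingress:
    hosts:
      core: harbor.example.org          # assumed hostname
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod   # assumed ClusterIssuer
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"   # large image layers and VM images

# Must match the Ingress host; Harbor hands this URL to clients
externalURL: https://harbor.example.org

# Shared storage for image layers (the ReadWriteMany prerequisite)
persistence:
  enabled: true
  persistentVolumeClaim:
    registry:
      storageClass: rook-cephfs         # assumed RWX-capable storage class
      accessMode: ReadWriteMany
      size: 500Gi

# 2. Access to the PostgreSQL cluster created with the operator
database:
  type: external
  external:
    host: harbor-postgres.harbor.svc.cluster.local   # assumed service name
    port: "5432"
    username: harbor
    coreDatabase: registry
    existingSecret: harbor-postgres-credentials      # assumed Secret; the chart reads key "password"
    sslmode: require                                  # never send database credentials in clear text

# 3. Access to the Redis Sentinel deployment
redis:
  type: external
  external:
    # Sentinel endpoints (port 26379) of the Bitnami nodes, not the Redis data port
    addr: "redis-node-0.redis-headless.harbor.svc.cluster.local:26379,redis-node-1.redis-headless.harbor.svc.cluster.local:26379,redis-node-2.redis-headless.harbor.svc.cluster.local:26379"
    sentinelMasterSet: mymaster                       # must equal the Sentinel master set name
    existingSecret: harbor-redis-credentials          # assumed Secret; the chart reads key "REDIS_PASSWORD"
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    trivyAdapterIndex: "5"

# Vulnerability scanner mentioned in the feature list
trivy:
  enabled: true
```

Keeping credentials in Secrets created out of band (for example `kubectl create secret generic harbor-postgres-credentials --from-literal=password=...`) is what allows this file to be committed without redaction, and `sslmode: require` together with `expose.tls.enabled: true` keeps both the database link and the client-facing endpoint encrypted.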
Before installing the chart, the Harbor repository must be added to helm with the following command:
helm repo add harbor https://helm.goharbor.io
helm repo update
To install the chart with the release name harbor and apply the configuration specified by the harbor-values.yaml file, it is possible to proceed as follows:
helm upgrade harbor harbor/harbor --namespace harbor \
--install --create-namespace --values harbor-values.yaml
Warning: credentials and secret parameters have been redacted from the values file stored in this repository. Look here for a complete configuration guide.