Installing the Harbor registry on Kubernetes with a Helm chart and verifying access

Introduction to Harbor

Harbor is an open-source, enterprise-grade registry for Docker and OCI (Open Container Initiative) images, used to store, distribute, and manage container images. It provides a secure and reliable way to manage and share container images and is suited to building and deploying containerized application environments.
Harbor is currently the first choice for an enterprise-grade image registry.

The main features and functions of the Harbor image registry:

  • Image storage and management: Harbor lets users upload Docker and OCI images to the registry for storage and management. It provides version control, tag management, and metadata storage so that images are easy to browse, search, and filter.
  • Security and access control: Harbor has strong security and access-control functions. It supports user authentication and authorization, and can restrict user access to and operations on images through roles and permissions. Harbor also provides security functions such as vulnerability scanning and static code analysis to help users discover and fix security vulnerabilities in container images in a timely manner.
  • Registry replication and synchronization: Harbor supports replication and synchronization, which can copy images from one Harbor instance to another, or synchronize with other Docker registries. This lets users share and deploy container images across multiple environments, improving the availability and reliability of images.
  • Enterprise-level features: As an enterprise-grade image registry, Harbor provides many features to meet enterprise needs. It supports LDAP/AD integration and can be integrated with existing user authentication systems. Harbor also provides audit logs, reports, and statistics to help users track and analyze image usage.
  • Scalability and flexibility: Harbor has good scalability and can achieve high availability and load balancing by adding additional Harbor nodes. It also provides a RESTful API and plug-in mechanism, which can be integrated and extended with other systems to meet the specific needs of users.

1. Harbor installation

1.1 Prerequisites

a. Kubernetes cluster version >= 1.20

b. Helm version >= v3.2.0. For the installation of Helm, refer to: Helm Install

c. A default StorageClass is required. For the preparation process, refer to: Install StorageClass on Kubernetes

d. A default IngressClass is required. For the preparation process, refer to: Kubernetes installation IngressClass, where step 4, "Set as the default Ingress Class", is required; the NodePort ports of the Ingress should preferably be set to 80 and 443

1.2 Installation process

Perform the following operations on the master node of the cluster:
a. Add the Harbor chart repository

helm repo add harbor https://helm.goharbor.io 

b. Create a namespace to install Harbor

kubectl create ns harbor

c. Run the chart installation command. The service is exposed through the default method, Ingress

Note: Because a default IngressClass and a default StorageClass exist, there is no need to specify them as installation parameters. The default TLS certificate is also generated automatically during installation (it can also be set manually).
For a description of the available parameters, refer to: harbor chart official website
You can also refer to related processes (note that the chart version in the video is v1.0.0, which is only of reference value):
reference video

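# externalURL: external access URL
# expose.ingress.hosts.core: must match the host name in externalURL
# expose.ingress.hosts.notary: host name for the Notary ingress
# harborAdminPassword: initial password for the admin user (sample value; choose your own)
# -n: namespace to install into
helm install harbor harbor/harbor \
  --set externalURL=https://harbor.example.com \
  --set expose.ingress.hosts.core=harbor.example.com \
  --set expose.ingress.hosts.notary=notary.example.com \
  --set harborAdminPassword=Yiqi123 \
  -n harbor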

d. After completion, check whether the installation succeeded with the following command

kubectl get po,ing,svc -n harbor
NAME                                        READY   STATUS    RESTARTS       AGE
pod/harbor-core-84dccff85b-7qlkd            1/1     Running   0              120m
pod/harbor-database-0                       1/1     Running   0              120m
pod/harbor-jobservice-f4689d655-4tqrc       1/1     Running   4 (119m ago)   120m
pod/harbor-notary-server-7d4b6ff68-xpjb5    1/1     Running   1 (119m ago)   120m
pod/harbor-notary-signer-665bc967c8-7x79d   1/1     Running   1 (119m ago)   120m
pod/harbor-portal-7d5f8d86cf-2qxl2          1/1     Running   0              120m
pod/harbor-redis-0                          1/1     Running   0              120m
pod/harbor-registry-75fcfd8b8c-qz4vg        2/2     Running   0              120m
pod/harbor-trivy-0                          1/1     Running   0              120m

NAME                                              CLASS   HOSTS                ADDRESS        PORTS     AGE
ingress.networking.k8s.io/harbor-ingress          nginx   harbor.example.com   172.16.80.22   80, 443   120m
ingress.networking.k8s.io/harbor-ingress-notary   nginx   notary.example.com   172.16.80.22   80, 443   120m

NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
service/harbor-core            ClusterIP   172.16.226.24    <none>        80/TCP              120m
service/harbor-database        ClusterIP   172.16.138.139   <none>        5432/TCP            120m
service/harbor-jobservice      ClusterIP   172.16.90.83     <none>        80/TCP              120m
service/harbor-notary-server   ClusterIP   172.16.51.31     <none>        4443/TCP            120m
service/harbor-notary-signer   ClusterIP   172.16.238.7     <none>        7899/TCP            120m
service/harbor-portal          ClusterIP   172.16.178.86    <none>        80/TCP              120m
service/harbor-redis           ClusterIP   172.16.125.72    <none>        6379/TCP            120m
service/harbor-registry        ClusterIP   172.16.155.145   <none>        5000/TCP,8080/TCP   120m
service/harbor-trivy           ClusterIP   172.16.201.86    <none>        8080/TCP            120m

2. Access verification

a. Add a hosts entry on the machine that will access Harbor

vi /etc/hosts

# Add the following entry
<IP address of any Worker node in the cluster> harbor.example.com

b. Browser access
c. Configure Docker for pushing images. Because the TLS certificate currently used by the registry is self-signed, Docker does not trust the registry. You need to add it as an insecure registry in the Docker configuration file of the client that accesses it

vi /etc/docker/daemon.json
# Add the following content:
{
  "insecure-registries": [
    "harbor.example.com"
  ]
}

# After saving the configuration file, run the following commands:
systemctl daemon-reload
systemctl restart docker

# Log in to the private registry with docker login
docker login harbor.example.com

# Tag the image
docker tag nginx:alpine harbor.example.com/library/nginx:alpine

# Push the image
docker push harbor.example.com/library/nginx:alpine

After the push is complete, you can see the pushed image in the graphical interface
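
The insecure-registries setting in step c makes Docker skip certificate verification for harbor.example.com. The following added example, which is not part of the original post, shows the alternative of installing Harbor's CA certificate under /etc/docker/certs.d so that verification stays on. The function names, the scratch-directory demo, and the location of the CA (the ca.crt key of the harbor-ingress secret) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): trust Harbor's CA for one
# registry host instead of listing the host under "insecure-registries".
# Assumption: the CA is saved locally as a PEM file; with the chart's
# auto-generated certificate it is assumed to be the ca.crt key of the
# harbor-ingress secret in the harbor namespace.

# trust_registry_ca <ca-pem-file> <registry-host> [docker-config-dir]
trust_registry_ca() {
    ca_file=$1; host=$2; docker_dir=${3:-/etc/docker}
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 1; }
    # Accept only a PEM certificate; never copy key material into certs.d.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "$ca_file is not a PEM certificate" >&2; return 2; }
    if grep -q -- 'PRIVATE KEY-----' "$ca_file"; then
        echo "$ca_file contains a private key" >&2; return 2
    fi
    dest="$docker_dir/certs.d/$host"
    mkdir -p "$dest" && cp "$ca_file" "$dest/ca.crt" && chmod 644 "$dest/ca.crt"
}

# still_insecure <registry-host> [docker-config-dir]
# Succeeds if daemon.json still lists the host under insecure-registries.
still_insecure() {
    host=$1; daemon_json=${2:-/etc/docker}/daemon.json
    [ -f "$daemon_json" ] || return 1
    # Flatten the JSON, isolate the insecure-registries array, match the host.
    tr -d ' \n\t' < "$daemon_json" |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
        grep -q -F "\"$host\""
}

# Demo on constructed files in a scratch directory (nothing under /etc is touched).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/ca.crt"    # constructed placeholder
printf '{ "insecure-registries": ["harbor.example.com"] }\n' > "$demo/daemon.json"
trust_registry_ca "$demo/ca.crt" harbor.example.com "$demo"
if still_insecure harbor.example.com "$demo"; then
    echo "CA installed; now remove harbor.example.com from insecure-registries"
fi
rm -rf "$demo"
```

Once the CA is in place, remove the host from insecure-registries and restart Docker so that certificate verification applies again. If the registry is reached on a non-default port, the certs.d directory name must include it as host:port.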

Origin blog.csdn.net/weixin_46660849/article/details/130934077