In the previous post we deployed VCH without Harbor as the registry. Harbor is an enterprise-class container registry server to which you can push images and from which you can pull them. Think of Harbor as a Docker distribution but with additional functionality that may be required for certain environments, including:
- Role Based Access Control (RBAC)
- AD/LDAP authentication
- Policy based image replication
- GUI, Auditing
- RESTful API
There are a couple of ways to deploy the registry: manually or via an OVA. I will be deploying via OVA. You can download Harbor at the bottom of Part 1 – Getting Started. The process is similar to the previous post on deploying VCH, so I will skip the prerequisites and dive right into the deployment. The only thing to note is that you will need to configure the VCH with a static IP address, and have compute and storage resources available. The appliance uses 2 vCPUs, 4GB of memory, and 60-80GB of disk space.
Step 1. Log into the vSphere Web Client and deploy the Harbor OVA. I took defaults for most of the deployment except I allowed root login. The networking settings are hidden at the bottom; leave them blank for DHCP, or configure a static IP. The deployment of the VM is quick, but it has to run an initialization script during startup, which takes about 5-7 minutes.
Step 2. Open a browser and navigate to the IP or FQDN of the Harbor appliance. Log in with the admin account and click on Admin -> About. Download the root certificate.
Step 3. Deploy VCH and add the --registry-ca parameter, pointing it at the root certificate downloaded in Step 2.
./vic-machine-darwin create -t vcsa1.corp.local -u "firstname.lastname@example.org" -p PASSWORD -n harbor -r mgmt-edge-compute -i drobo1 -b vic-bridge --bnr 10.10.0.0/12 -cln vic-all --dns-server 172.16.10.2 -pn vic-all -mn vic-all -cn vic-all --public-network-ip 172.16.10.48 --public-network-gateway 172.16.10.1/24 --registry-ca ./HarborCert/ca.crt --no-tlsverify -f
Creating Projects, Users, and storing images
Harbor is now configured! Let’s create a user, add them to a project, and push an image to the project.
Log back into the Harbor page and click on admin -> Add User. Provide a username, email, and password.
Click on Projects, New Project, and provide a name. If you want to allow read permissions to all repositories without login, click the Public checkbox.
To add the user to the new project, click the project, then select users -> add member. Click Save.
Unfortunately, using Docker via a VCH host won’t allow you to push anything to the registry at this time; instead I deployed a PhotonOS VM and used Docker on that local OS to run the next few commands. Log in to the registry:
root@photon-machine [ ~ ]# docker login harbor.corp.local
Username (admin): sean
Password:
Login Succeeded
Tag the image, and then push it to the registry. I chose to just use hello-world, which was pulled from the docker distro.
root@photon-machine [ ~ ]# docker tag hello-world harbor.corp.local/harborproject1/hello-world
root@photon-machine [ ~ ]# docker push harbor.corp.local/harborproject1/hello-world
The push refers to a repository [harbor.corp.local/harborproject1/hello-world]
98c944e98de8: Pushed
latest: digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7 size: 524
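The digest on the last line of the push output identifies the exact manifest that was stored, whereas the latest tag can be pushed again with different content. The script below is an added example, not part of the original post: it extracts that digest, builds a digest-pinned reference for later pulls, and checks the `Digest:` line that `docker pull` prints against it. The function names are hypothetical and the sample input is constructed from the output above.

```sh
#!/bin/sh
# Added example (not from the original post): pin an image to the digest
# that `docker push` reported, so later pulls do not depend on a mutable tag.

# Constructed sample: the push output from this post, one message per line.
PUSH_OUTPUT='The push refers to a repository [harbor.corp.local/harborproject1/hello-world]
98c944e98de8: Pushed
latest: digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7 size: 524'

# Print the manifest digest found in `docker push` output.
# Fails unless exactly one well-formed sha256 digest line is present.
push_digest() {
  pd=$(printf '%s\n' "$1" |
    sed -n 's/^[^ ]*: digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9]*$/\1/p')
  case "$pd" in
    '' | *'
'*) return 1 ;;
  esac
  printf '%s\n' "$pd"
}

# Print repository@digest, a content-addressed reference for `docker pull`.
pinned_ref() {
  pr_repo=$(printf '%s\n' "$1" |
    sed -n 's/^The push refers to .*repository \[\(.*\)]$/\1/p')
  pr_digest=$(push_digest "$1") || return 1
  [ -n "$pr_repo" ] || return 1
  printf '%s@%s\n' "$pr_repo" "$pr_digest"
}

# Succeed only if `docker pull` output reports the expected digest.
# $1 = digest recorded at push time, $2 = captured pull output.
pull_matches() {
  pm_got=$(printf '%s\n' "$2" |
    sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p')
  [ -n "$pm_got" ] && [ "$pm_got" = "$1" ]
}

# Demo on the constructed sample: prints the pinned reference.
pinned_ref "$PUSH_OUTPUT"
```

Record the printed reference at push time and use it in place of the tag when pulling.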