It's been quiet here on the blog, but I finally got around to getting something nifty out the door!
Harbor is an Open Source Project that is sponsored by VMware and is currently being sandboxed by the CNCF. It's a container registry that has all the bells and whistles that include Clair for CVE (critical vulnerability) scanning and Notary for image signing.
I originally began playing with Harbor as a component of the Pivotal Container Service (PKS) package since it was all bundled and has automated deploy capabilities. After exploring what Harbor had to offer, I wanted to use it with my existing Kubernetes clusters that were built with kubeadm outside of PKS. I began by deploying the OVA into my vSphere environment and ran into issues and learned the OVA was being a deprecated form of installation (#5276). I decided to try using the online version of the installer that will pull images from DockerHub. I've been using CentOS a lot more than Ubuntu lately because it maps more to customer environments. So create a new CentOS 7 virtual machine from a template or build one out.
The installation and configuration directions on Harbor's README are a bit like a "choose your own adventure" book. For instance, "Install it like X if you want to use Y feature". The best thing about Harbor is that is has a bunch of features, so I wanted to use them all. In an effort to streamline this process and not figure it out line by line, it made more sense to turn this into a bash installation script!
The script will use the virtual machine's fully qualified domain name to automatically generate the files needed and will be using self-signed certificates for quick and easy usage. For my scenario, the virtual machine host name is harbor01 and the domain is vsphere.local. Once again, this is tailored for Cent OS 7. All commands are performed ON the harbor VM. If you want to push images from a different machine to the harbor instance, take the self-signed CA certificates within the `openssl` folder and place them on your machine in the locations shown for Docker and Notary.
To use the script:
sudo vi install.sh # press i # paste the code from the gist below # press esc and :wq sudo chmod u+x install.sh sudo ./install.sh
Exit out of the terminal and go back in (via SSH more than likely). This will give you permission to use the `docker` cli without sudo! Let's login with the Docker CLI so we can push images using the user "admin" and password "Harbor12345".
docker login harbor01.vsphere.local
Access the Harbor UI with the username "admin" and password "Harbor12345"
Create a New Project
Let's call it "test"
Go into the project and go to configuration and click on "Enable Content Trust" and "Automatically Scan Images on Push"
Now that this is set up we need an image. Let's pull nginx from DockerHub, tag it for our new project, and push it.
docker pull nginx docker tag nginx:latest harbor01.vsphere.local/test/nginx:V1 docker push harbor01.vsphere.local/test/nginx:V1
Going back into the Docker UI, we can see that the image has been pushed and that Clair has scanned it but it's not considered "Signed".
Let's create a new version of this same image, set the environment variables for Content Trust and Push once again. However, this time you are going to be prompted for 2 new passphrases. One is the root key and the other is the new repository key. Use any password you wish.
docker tag nginx:latest harbor01.vsphere.local/test/nginx:V2 export DOCKER_CONTENT_TRUST_SERVER=https://harbor01.vsphere.local:4443 export DOCKER_CONTENT_TRUST=1 docker push harbor01.vsphere.local/test/nginx:V2
Going back into the UI, hit the refresh icon, we can see that the new image is now signed!
If you're interested in learning more about Harbor, join the CNCF Slack team and join the #harbor and #harbor-dev channels.
There is also a weekly community meeting that you can join on Zoom.
What's the future hold? The next version of Harbor (1.6) is going to have Helm chart support. Helm makes life easier by having a simple installation command line, like using apt-get or yum with linux. However, using Helm us going to require new operations around troubleshooting and maintenance because you are now introducing storage and network primitives that are revolved around Kubernetes. It's also a chicken and egg scenario that if you want to use any Deployment, ReplicaSet, DaemonSet, etc that have images stored in Harbor, it becomes very critical to give proper priority to the Harbor containers and it's a first class application that all other applications will depend on. There will be more considerations in the future with regards to Helm and Harbor.
Visit https://goharbor.io/ to lean more!
Check it out on VMware {code}!