Harbor Edge Native Config
Versions Supported
- 1.0.0
The Harbor Edge-Native Config pack is a system application pack. When you provision a cluster with a profile that includes this pack, Palette automatically chooses the latest version of Harbor supported by Palette to install on the cluster. You cannot manually choose a version of this pack.
Enable Harbor to Protect Against Outage
You can use Harbor in an Edge cluster that is connected to external networks. Harbor stores all container images downloaded from the internet and future image pulls from the cluster will be from the local harbor registry. If your cluster experiences an internet outage, it can still reboot containers or add new nodes using images stored locally in Harbor. For more information, refer to Deploy a Cluster with a Local Harbor Registry.
Log in to Harbor Web UI
With Harbor enabled on your Edge cluster, you can log in to Harbor via its web UI. By default, the Harbor service is
accessible as a NodePort-type service with HTTPS enabled on port 30003
. You can use the following steps to log in to
Harbor via the web UI.
-
Log in to Palette.
-
From the left Main Menu, navigate to Clusters. Choose your Edge cluster.
-
Navigate to the Nodes tab, in the Private Ips column, you can find the IP addresses of your Edge hosts.
-
Ensure you have network access to your Edge hosts. Open a new tab in your browser and navigate to
https://NODE_IP:30003
and replaceNODE_IP
with any IP address in your cluster. NodePort-type services are exposed on the same port on all nodes in your cluster. If you changed the HTTPS port in the configurations, replace the port with the HTTPS port you used. -
If you didn't provide a certificate or used a self-signed certificate, your browser might warn you about an unsafe connection. Dismiss the warning, and you will be directed to Harbor's web UI. If you use Google Chrome, you can click anywhere in your browser tab and type
this is unsafe
using your keyboard to dismiss the warning. -
Type in
admin
as the username and your password to log in to Harbor. If you don't know your password, refer to Retrieve Harbor Credentials to retrieve your password.
Retrieve Harbor Credentials
During cluster creation, Palette creates two secrets that store the password used to authenticate the admin
user in
Harbor and the X509 certificate used for TLS. You can access both of these credentials using the following steps:
-
Configure kubectl to access your Kubernetes cluster. For more information, refer to Access a Cluster with CLI.
-
Depending on the credential you want to retrieve, use the commands described below.
- Password
- X509 certificate
- Private key
-
Issue the command
kubectl get namespaces
to get all namespaces. Look for a namespace calledcluster-CLUSTER-ID
, whereCLUSTER-ID
is a string of alphanumeric characters. This is the namespace where the secret for your Harbor password is stored. -
Issue the following command to get the password of your Harbor user. Replace
CLUSTER-ID-NAMESPACE
with the namespace you identified in the previous step. This command outputs your password.
kubectl get secret registry-info --namespace CLUSTER-ID-NAMESPACE --output jsonpath="{.data.SPECTRO_USER_PASSWORD}" | base64 --decode
Issue the following command to retrieve the certificate.
kubectl get secret harbor-tls --namespace harbor --output jsonpath="{.data.tls\.crt}" | base64 --decode
Issue the following command to retrieve the private key.
kubectl get secret harbor-tls --namespace harbor --output jsonpath="{.data.tls\.key}" | base64 --decode
Push and Pull Images to Harbor
You can use the following steps to push images to and pull images from the Harbor registry.
If you didn't provide a certificate or are using a self-signed certificate, Docker will refuse to connect to the
registry unless you configure Docker to trust the certificate authority or use a insecure connection for your Harbor
registry. You can configure Docker to use a insecure connection by adding a line
"insecure-registries": ["REGISTRY_URL"]
in your Docker daemon.json
file. For more information about daemon.json
,
refer to Docker documentation.
-
Log in to Palette.
-
From the left Main Menu, navigate to Clusters. Choose your Edge cluster.
-
Navigate to the Nodes tab, in the Private Ips column, you can find the IP addresses of your Edge hosts.
-
Ensure you have network access to your Edge hosts. Log in to Harbor from your command-line interface. The following example uses Docker, but you can use any other image management tool. Replace
NODE_IP
with the IP address of any of the nodes and replaceHARBOR_PASSWORD
with the password of your Harbor user. If you don't know your password, refer to Retrieve Harbor Credentials.docker login NODE_IP:30003 --user admin --password HARBOR_PASSWORD
-
After a successful login, you can start to pull and push images.
- Pull images
- Push images
To pull an image from the Harbor registry, issue the following command.
docker pull REGISTRY_URL/PROJECT_NAME/IMAGE_NAME:TAG
For example, the following command pulls the image for kube-vip
from the Harbor registry.
docker pull 10.10.137.220:30003/spectro-images/gcr.io/spectro-images-public/kube-vip/kube-vip:v0.6.3
To push an image to the Harbor registry, first tag the image with your registry URL.
docker tag LOCAL_IMAGE:LOCAL_IMAGE_TAG REGISTRY_URL/PROJECT_NAME/IMAGE_NAME:TAG
After tagging the image, you can push it to the Harbor registry.
docker push REGISTRY_URL/PROJECT_NAME/IMAGE_NAME:TAG
For example, the following commands tag the local image alpine:latest
and push it to the Harbor registry.
docker tag alpine:latest 10.10.137.220:30003/spectro-images/alpine:latest
docker push 10.10.137.220:30003/spectro-images/alpine:latest
Add Additional Projects in Harbor
Harbor organizes repositories by project. As a best practice, a project in Harbor should contain all repositories of an application. When you use the Harbor pack in a cluster, a project named spectro-images is created by default. You can follow the steps below to create additional projects.
-
Log in to Palette.
-
From the left Main Menu, navigate to Profiles. Select the profile you use to deploy the cluster with Harbor.
-
Select the Harbor layer of the cluster profile.
-
In the Harbor pack values.yaml, add the image
gcr.io/spectro-dev-public/edge/alpine-curl:v1
topack.content.images
.pack:
content:
images:
- image: gcr.io/spectro-images-public/goharbor/harbor-core:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/harbor-db:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/harbor-exporter:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/harbor-jobservice:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/nginx-photon:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/harbor-portal:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/redis-photon:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/registry-photon:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/harbor-registryctl:v2.9.0
- image: gcr.io/spectro-images-public/goharbor/trivy-adapter-photon:v2.9.0
- image: gcr.io/spectro-dev-public/edge/alpine-curl:v1 -
Click New manifest to add a manifest. Give your manifest a name such as create-harbor-project.
-
Use the following job definition in your new manifest. The manifest executes a job that calls the Harbor API to create a new project. Replace the value of the variable
PROJECT_NAME
with the name you want to give to your new project.apiVersion: batch/v1
kind: Job
metadata:
name: harbor-project
spec:
template:
spec:
containers:
- name: harbor-project
image: gcr.io/spectro-dev-public/edge/alpine-curl:v1
command: ["/bin/sh", "-c"]
args:
- |
PROJECT_NAME=<projectName> # Update this name to the project you want to create
echo "Creating a new project in Harbor: $PROJECT_NAME"
# Create a new project in Harbor
curl --insecure --user $HARBOR_USERNAME:$HARBOR_PASSWORD --request POST "https://harbor.harbor.svc.cluster.local/api/v2.0/projects" \
--header "Content-Type: application/json" \
--header 'accept: application/json' \
--header 'X-Resource-Name-In-Location: false' \
--data '{
"project_name": "'$PROJECT_NAME'",
"public": true,
"metadata": {
"public": "true"
}
}'
sleep 100
echo "Created project $PROJECT_NAME in Harbor!"
env:
- name: HARBOR_USERNAME
valueFrom:
secretKeyRef:
name: registry-info
key: SPECTRO_USER
- name: HARBOR_PASSWORD
valueFrom:
secretKeyRef:
name: registry-info
key: SPECTRO_USER_PASSWORD
restartPolicy: Never
backoffLimit: 1infoYou can use the same approach to make changes the your Harbor registry using any Harbor API endpoint. If you have an active cluster with Harbor, you can view all the available API endpoints at
https://<nodeIP>:30003/devcenter-api-2.0
. ReplacenodeIP
with the IP address of any node in the cluster. -
Click Confirm Updates.
-
Click Save Changes.
-
Use the newly updated cluster profile to deploy a new cluster, or update an existing cluster to use the new profile. For more information, refer to Create Cluster Definition and Update a Cluster.
Enable Image Download from Outside of Harbor
If a cluster is configured with the Harbor Edge-Native Config pack, it will assume that all images will be stored in Harbor once they are initially downloaded. However, it is important to note that only the images that are part of the cluster profile and managed by Palette will be stored in the Harbor registry. Any images not managed by Palette will not be available in the Harbor registry.
This can cause issues if you want to use images that are not managed by Palette in your cluster. Harbor will not store those images because they are not part of your cluster profile and were not requested by Palette. However, the Palette agent in your Edge host will still try to pull those images from Harbor, resulting in ImagePullBackOff errors.
You can apply the label stylus.io/imageswap=disable
to a namespace, which instructs the Palette agent to not pull
images from the Harbor registry. You can do this when you create the namespace, or apply the label to existing
namespaces. As long as a namespace has the label, the Palette agent will not attempt to pull images in the namespace
from the Harbor registry.
You can apply a label to a namespace by editing the pack YAML in the cluster's profile or use kubectl
to add the label
through the command-line.
- Add Label through kubectl
- Add Label through Pack YAML
-
Connect to the cluster via
kubectl
. For more information, refer to Access Cluster with kubectl. -
Apply the
stylus.io/imageswap=disable
label to the namespace you plan to deploy resources in. Replacenamespace-name
with the name of your namespace.kubectl label namespace namespace-name stylus.io/imageswap=disable
-
Deploy the resources into the namespace. Since the namespace has the label
stylus.io/imageswap=disable
, the Palette agent will pull the image from registiries you specify instead of from the Harbor registry.If you already deployed the resources before applying the label, you will need to trigger another image pull action as the label will only apply to subsequent image pulls after it has been applied. You can do this by issuing the
kubectl apply
command again to reapply the manifest. Or use thekubectl delete
command to delete the resource and wait for it to be re-created.
-
Log in to Palette.
-
From the left Main Menu, click on Profiles.
-
Select the profile you are using to deploy your cluster.
-
Click on Add Manifest to add a new manifest to your cluster profile containing the namespaces you plan to deploy resources to. Create a namespace if needed, and apply the label
stylus.io/imageswap=disable
to the namespace. Refer to Profile Customizations for more information on how to apply labels to namespaces. For example, the following pack YAML creates a namespaced called"wordpress"
and applies the labelstylus.io/imageswap=disable
to the namespace.pack:
namespace: "wordpress"
namespaceLabels:
"wordpress": "stylus.io/imageswap=disable" -
Deploy the resources into the namespace. Since the namespace has the label
stylus.io/imageswap=disable
, the Palette agent will pull the image from registiries you specify instead of from the Harbor registry.
Troubleshooting
Scenario - Harbor DB Pod Fails to Start
When you start a cluster with the Harbor pack, the harbor-database pod might fail to start and get stuck on the CrashLoopBackoff state. It's possible that this is due to known issue with the Harbor pack related to file permissions. The workaround is to delete the pod and a new pod will be automatically created.
Debug Steps
- Issue the following command to identify the pods with names that start with
harbor-database
.
kubectl get pods --namespace harbor --output wide
- Delete the pod you identified in the previous step. Replace
POD_NAME
with the name of the pods. If there are multiple pods, use the command for each pod.
kubectl delete pod POD_NAME --namespace harbor
Terraform
You can reference the Harbor Edge-Native Config pack in Terraform with a data resource.
data "spectrocloud_registry" "public_registry" {
name = "Public Repo"
}
data "spectrocloud_pack_simple" "harbor-edge-native-config" {
name = "harbor-edge-native-config"
version = "1.0.0"
type = "helm"
registry_uid = data.spectrocloud_registry.public_registry.id
}