Container Registry
To support the development (ref. Application Hub) and deployment/execution (ref. ADES) of user-defined applications, we deploy a container registry to host container images. This is provided by a deployment of the Harbor artefact repository.
Helm Chart
Harbor is deployed via the harbor helm chart from the Harbor Helm Chart Repository.
```bash
helm install --version 1.7.3 --values harbor-values.yaml \
  --repo https://helm.goharbor.io \
  harbor harbor
```
Values
The chart is configured via values that are fully documented on the Harbor website.
Example…
```yaml
expose:
  ingress:
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: letsencrypt-production
      nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
      # from chart (ssl-redirect is a "true"/"false" flag):
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    hosts:
      core: harbor.192-168-49-2.nip.io
  tls:
    enabled: "true"
    certSource: secret
    secret:
      secretName: "harbor-tls"
persistence:
  persistentVolumeClaim:
    registry:
      storageClass: standard
    chartmuseum:
      storageClass: standard
    jobservice:
      storageClass: standard
    database:
      storageClass: standard
    redis:
      storageClass: standard
    trivy:
      storageClass: standard
externalURL: https://harbor.192-168-49-2.nip.io
# initial password for logging in with user "admin" (placeholder, set your own value)
harborAdminPassword: "changeme"
chartmuseum:
  enabled: false
trivy:
  enabled: false
notary:
  enabled: false
```
Note
- We specify use of ‘valid’ certificates from Letsencrypt ‘production’. The Workspace API, which calls the Harbor API, expects valid certificates and will thus fail if presented with TLS certificates that fail validation.
- The letsencrypt-production Cluster Issuer relies upon the deployment being accessible from the public internet via the expose.ingress.hosts.core DNS name. If this is not the case, e.g. for a local minikube deployment, TLS will fall back to the self-signed certificate built in to the nginx ingress controller. That certificate fails validation, so calls from the Workspace API will fail.
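A pre-install check for the values discussed above, as an added example (not part of the original page or of the Harbor chart). The `lint` helper, its finding names and the rule that issuer names containing "letsencrypt" are public ACME issuers are assumptions; the sample values are constructed.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed sample, shaped like `helm get values harbor -a -o json` output.
SAMPLE = json.loads("""{
  "expose": {
    "ingress": {"hosts": {"core": "harbor.192-168-49-2.nip.io"}, "annotations": {
      "cert-manager.io/cluster-issuer": "letsencrypt-production",
      "nginx.ingress.kubernetes.io/ssl-redirect": "letsencrypt-production"}},
    "tls": {"enabled": "true"}},
  "externalURL": "https://harbor.192-168-49-2.nip.io",
  "harborAdminPassword": "changeme"}""")

# "changeme" is this page's placeholder, "Harbor12345" the chart default ("" = unset).
WEAK_PASSWORDS = {"changeme", "Harbor12345", ""}
NIP_IO = re.compile(r"(\d{1,3}(?:[.-]\d{1,3}){3})\.nip\.io$")


def lint(values):
    """Return a sorted list of finding codes for a Harbor values mapping."""
    findings = set()
    expose = values.get("expose", {})
    ingress = expose.get("ingress", {})
    host = ingress.get("hosts", {}).get("core", "").lower()
    annotations = ingress.get("annotations", {})
    if values.get("harborAdminPassword", "") in WEAK_PASSWORDS:
        findings.add("weak-admin-password")
    url = urlparse(values.get("externalURL", ""))
    if url.scheme != "https" or url.hostname != host:
        findings.add("external-url-mismatch")
    if str(expose.get("tls", {}).get("enabled", True)).lower() != "true":
        findings.add("tls-disabled")
    for key, val in annotations.items():
        if key.endswith("/ssl-redirect") and val not in ("true", "false"):
            findings.add("bad-ssl-redirect")
    # Assumption: issuer names containing "letsencrypt" need a publicly reachable host.
    match = NIP_IO.search(host)
    if match and "letsencrypt" in annotations.get("cert-manager.io/cluster-issuer", ""):
        try:
            if ipaddress.ip_address(match.group(1).replace("-", ".")).is_private:
                findings.add("issuer-unreachable-host")
        except ValueError:
            pass  # the nip.io label is not a valid IPv4 address
    return sorted(findings)


if __name__ == "__main__":
    print(lint(SAMPLE))
```

To check a real release, pass the parsed output of `helm get values harbor -a -o json` to `lint` in place of the sample.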
Container Registry Usage
After deployment, Harbor is accessible via its web interface, e.g. https://harbor.192-168-49-2.nip.io/.
Log in as the admin user with the password specified in the helm values.
Additional Information
Additional information regarding the Container Registry can be found at: