Harbor Cheatsheet

Harbor

Harbor API

Hierarchy:

HarborCluster (owns)
├── Harbor
│   ├── Core
│   │   └── core Service (type: LoadBalancer)
│   ├── Registry
│   │   └── registry/registryctl Service
│   ├── RegistryController
│   ├── JobService
│   │   └── jobservice Service
│   ├── Portal
│   └── Exporter
│       └── exporter Service
├── postgresql
└── redis

API objects:

  • harborcluster
  • harborconfiguration
  • harbor
  • harborserverconfiguration
  • jobservice
  • notaryserver
  • notarysigner
  • portal
  • pullsecretbinding
  • registry

apiVersion is goharbor.io/v1beta1, e.g.

apiVersion: goharbor.io/v1beta1
kind: HarborCluster

apiVersion: goharbor.io/v1beta1
kind: Registry

Databases are not included in Harbor; for example, Redis can use:

apiVersion: databases.spotahome.com/v1
kind: RedisFailover
# https://github.com/spotahome/redis-operator

Harbor Components

Harbor is not a single binary, but a group of components: harbor-core, harbor-jobservice, nginx, registryctl, registry, harbor-portal, redis, harbor-db, harbor-log.

  • cache: Redis
  • database: PostgreSQL
  • storage: FileSystem
  • harbor-exporter: exposes Harbor metrics in Prometheus format.

Harbor Deployment

There are two possible ways we can run Harbor:

  • As Docker containers managed by Docker Compose.
  • As containers inside of Kubernetes. In this case, installation is done by Helm. (More details below.)

Harbor is deployed as several Docker containers, so you can deploy it on any Linux distribution that supports Docker. The target host requires Docker, Docker Compose, and openssl to be installed.

Harbor Settings

Cert

Get registry url

# use jq
REGISTRY=$(kubectl get harborcluster/harbor -n harbor-system -o json | jq -r '.spec.externalURL')

# use jsonpath; remove "https://" (POD_NAME is the name of the HarborCluster object)
REGISTRY=$(KUBECONFIG="/path/to/kubeconfig" kubectl get harborcluster POD_NAME -n NAMESPACE -o jsonpath='{.spec.externalURL}' | sed 's#https://##')

# Configure registry certificates.
# ${REGISTRY//:/.} is bash syntax: it replaces ":" with "." to form the secret name.
mkdir -p "/etc/docker/certs.d/${REGISTRY}" && echo $(KUBECONFIG="/path/to/kubeconfig" kubectl get secret "ca-cert-${REGISTRY//:/.}" -n NAMESPACE -o jsonpath='{.data.ca\.crt}') | openssl base64 -A -d > "/etc/docker/certs.d/${REGISTRY}/ca.crt"

Check content in registry by curl

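# List all images
# -k skips TLS certificate verification; once the CA certificate is in place,
# --cacert /etc/docker/certs.d/${REGISTRY}/ca.crt verifies the registry instead.
$ curl -u admin:admin -k https://10.200.0.1/v2/_catalog | jq

# List all tags of one image
$ curl -u admin:admin -k http://myregistry:5000/v2/myimage/tags/list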

Harbor Robot Accounts

  • Cannot log in to the Harbor interface.
  • Can only perform operations using the docker or helm CLI.
  • Harbor does not store robot account tokens; you can store them in k8s as Secrets.
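
One way to keep a robot account token in k8s as a Secret, shown as an added example that is not part of the original cheatsheet: it renders a kubernetes.io/dockerconfigjson pull secret. The secret name, namespace, registry host, robot name and token are constructed placeholders; the robot name assumes Harbor's default robot$ prefix.

```shell
#!/bin/sh
# Added example: build a kubernetes.io/dockerconfigjson Secret for a Harbor robot account.
# All values below are constructed placeholders, not real credentials.

# base64 without line wrapping (works with GNU and BSD base64)
b64() { base64 | tr -d '\n'; }

# docker_config_json REGISTRY USER TOKEN -> Docker config JSON on stdout.
# Only the base64 "auth" field is emitted, so the "$" in robot names and any
# special characters in the token never need JSON escaping.
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth"
}

# robot_pull_secret NAME NAMESPACE REGISTRY USER TOKEN -> Secret manifest on stdout.
robot_pull_secret() {
  cfg=$(docker_config_json "$3" "$4" "$5" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Constructed sample values. Single quotes keep the shell from expanding "$ci".
ROBOT_USER='robot$ci'
ROBOT_TOKEN='constructed-token-not-real'

# Print the manifest; pipe it to `kubectl apply -f -` to create the Secret.
robot_pull_secret harbor-robot default harbor.example.com "$ROBOT_USER" "$ROBOT_TOKEN"
```

The token is shown only once when the robot account is created, so render the Secret at that point, and reference it from workloads through imagePullSecrets.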