starlingx/docs
Code Issues Proposed changes

Merge "Doc Update for Harbor Support"

Browse Source
This commit is contained in:
Zuul
2024-09-05 14:26:44 +00:00
committed by Gerrit Code Review
parent 15ade41a13 1bc9d21ab8
commit 75e09d8291
2 changed files with 232 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

444
doc/source/admintasks/kubernetes/harbor-as-system-app-1d1e3ec59823.rst
View File

@@ -1,25 +1,27 @@
.. _harbor-as-system-app-1d1e3ec59823: .. _harbor-as-system-app-1d1e3ec59823:
============================ =========================
Harbor as System Application Harbor Container Registry
============================ =========================
.. rubric:: |context| .. rubric:: |context|
Harbor is an open-source registry that secures artifacts with policies and Harbor is an open-source container registry with a richer and fuller set of
role-based access control, ensures images are scanned and free from capabilities than the built-in |prod| container registry. |prod| end
vulnerabilities, and signs images as trusted. Harbor has been evolved to a users can use Harbor to manage their own application container images. Harbor
complete |OCI| compliant cloud-native artifact registry. secures artifacts with policies and role-based access control, ensures images
are scanned and free from vulnerabilities, and signs images as trusted. Harbor
has been evolved to a complete |OCI| compliant cloud-native artifact registry.
With Harbor V2.0, users can manage images, manifest lists, Helm charts, With Harbor V2.0, you can manage images, manifest lists, Helm charts,
|CNABs|, |OPAs| among others which all adhere to the |OCI| image specification. |CNABs|, |OPAs| and other artifacts adhering to the |OCI| image specification.
It also allows for pulling, pushing, deleting, tagging, replicating, and It supports operations such as pulling, pushing, deleting, tagging,
scanning such kinds of artifacts. Signing images and manifest list are also replicating, and scanning these artifacts. Additionally, you can now sign
possible now. images and manifest lists.
Harbor supports replication of images between registries, and offers advanced Harbor also supports the replication of images between registries, and offers
security features such as user management, access control and activity advanced replication of images between registries, and offers advanced security
auditing. features such as user management, access control and activity auditing.
See https://goharbor.io/docs/2.0.0/ for more details on Harbor. See https://goharbor.io/docs/2.0.0/ for more details on Harbor.
@@ -56,28 +58,34 @@ Harbor Installation
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: harbor-certificate name: harbor-certificate
namespace: harbor namespace: harbor
spec: spec:
secretName: harbor-tls secretName: harbor-tls
issuerRef: issuerRef:
name: system-local-ca name: system-local-ca
kind: ClusterIssuer kind: ClusterIssuer
duration: 2160h # 90 days duration: 2160h # 90 days
renewBefore: 360h # 15 days renewBefore: 360h # 15 days
commonName: < oam floating IP Address or FQDN > commonName: < oam floating IP Address or FQDN >
subject: subject:
organizations: organizations:
- ABC-Company - ABC-Company
organizationalUnits: organizationalUnits:
- StarlingX-harbor - StarlingX-harbor
ipAddresses: ipAddresses:
- < oam floating IP address > - < oam floating IP address >
dnsNames: dnsNames:
- < harbor dns> # e.g. harbor.yourdomian.com - < harbor dns> # e.g. harbor.yourdomian.com
- < notary dns > # optional, required only if exposed on ingress e.g. notary.yourdomian.com - < notary dns > # optional, required only if exposed on ingress e.g. notary.yourdomian.com
EOF EOF
#. Create the Harbor namespace:
.. code-block:: none
~(keystone_admin)]$ kubectl create namespace harbor
#. Apply the configuration: #. Apply the configuration:
.. code-block:: none .. code-block:: none
@@ -93,49 +101,56 @@ Harbor Installation
After successful configuration, the certificate's Ready status After successful configuration, the certificate's Ready status
will be True. will be True.
- nodePort .. rubric:: |proc|
#. Locate the Harbor system application tarball in
``/usr/local/share/applications/helm``.
For example:
.. code-block:: none
/usr/local/share/applications/helm/harbor-<version>.tgz
#. Upload the Harbor application.
.. code-block:: none
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/harbor-<version>.tgz
.. _configure-helm-harbor-step:
#. Configure the Helm Overrides for Harbor.
#. Expose the Harbor application externally with either nodePort or
Ingress.
**nodePort**
#. Create Harbor using NodePort to expose the service #. Create Harbor using NodePort to expose the service
.. note:: .. note::
The instructions below assume that the NodePorts 30102, 30103 The instructions below assume that the NodePorts 30002, 30003,
and 30104 are available; i.e. not used by any other and 30004 are available (i.e., not used by any other
applications. applications). If these ports are unavailable, please choose
and configure alternative ports that are not in use.
#. Locate the Harbor system application tarball in #. Put the following nodePort overrides in ``values.yaml``:
``/usr/local/share/applications/helm``.
For example:
.. code-block:: none
/usr/local/share/applications/helm/harbor-<version>.tgz
#. Upload the Harbor application.
.. code-block:: none
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/harbor-<version>.tgz
#. Configure the Helm Overrides for Harbor.
Below values need to be configured for nodePort:
.. code-block:: none .. code-block:: none
expose: expose:
type: nodePort # Type should be nodeport
tls:
enabled: true
certSource: secret
secret: # Certificate Source is secret
secretName: "harbor-tls" # A secret containing tls.crt and tls.key
notarySecretName: "harbor-tls" # A secret containing tls.crt and tls.key
type: nodePort # Type should be nodeport nodePort:
tls:
enabled: true
certSource: secret
secret: # Certificate Source is secret
secretName: "harbor-tls" # A secret containing tls.crt and tls.key
notarySecretName: "harbor-tls" # A secret containing tls.crt and tls.key
nodePort:
# The name of NodePort service # The name of NodePort service
name: harbor name: harbor
ports: ports:
@@ -155,158 +170,141 @@ Harbor Installation
port: 4443 port: 4443
# The node port Notary listens on # The node port Notary listens on
nodePort: 30004 nodePort: 30004
externalURL: https://harbor.yourdomian.com:30003 # URL of harbor listing on 30003 port
externalURL: https://harbor.yourdomian.com:30003 # URL of harbor listing on 30003 port **Ingress**
For |AIO-DX| and standard setup, add below ``storageClass`` and #. Create Harbor using Ingress to expose the service.
``accessModes`` override.
Underlying PVCs pre-requisistes: ``Harbor-Jobservice`` and .. note::
``Harbor-Registry`` microservice.
For example: The instructions below assume that the URL
``harbor.yourdomain.com`` has been configured in the |DNS|
server owning ``yourdomain.com`` as the ``OAM FLOATING IP
Address`` of |prod|.
#. Put the following Ingress overrides in ``values.yaml``:
.. code-block:: none .. code-block:: none
persistence: expose:
enabled: true type: ingress. # Type should be ingress
resourcePolicy: "keep" tls:
persistentVolumeClaim: enabled: true
registry: certSource: secret
existingClaim: "" secret: # Certificate Source is secret
storageClass: "cephfs" secretName: "harbor-tls" # Above created secret name
subPath: "" notarySecretName: "harbor-tls" # Above created secret name
accessMode: ReadWriteMany ingress:
size: 5Gi hosts:
annotations: {} core: harbor.yourdomian.com # Harbor Domain name
jobservice: notary: notary.yourdomian.com # Notary Domain name
jobLog: annotations:
existingClaim: "" kubernetes.io/ingress.class: nginx. # Add ingressclass name. It would be "nginx" if you are using default ingress controller.
storageClass: "cephfs" nginx.org/client-max-body-size: "0". # Add this notation for nginx otherwise nginx will reject the image pull & push
subPath: "" externalURL: https://harbor.yourdomian.com # URL of harbor
accessMode: ReadWriteMany
size: 1Gi
annotations: {}
#. Execute Helm overrides.
.. code-block:: none #. For |AIO-DX| and Standard setup, add the following ``storageClass`` and
``accessMode`` overrides for |PVC| used for ``Harbor-Jobservice`` and
~(keystone_admin)]$ system helm-override-update harbor harbor harbor --values values.yaml ``Harbor-Registry`` microservice.
#. Apply/Create the Harbor system application.
.. code-block:: none
~(keystone_admin)]$ system application-apply harbor
- Ingress
Create Harbor using Ingress to expose the service.
.. note:: .. note::
The instructions below assume that the URL Set the registry size according to your requirements
``harbor.yourdomain.com`` has been configured in the |DNS| server considering the number and size of images that you will have in
owning ``yourdomain.com`` as the ``OAM FLOATING IP Address`` of this registry.
|prod|.
#. Locate the Harbor system application tarball in Example for nodePort:
``/usr/local/share/applications/helm``.
For example: .. code-block:: none
.. code-block:: none persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
existingClaim: ""
storageClass: "cephfs"
subPath: ""
accessMode: ReadWriteMany
size: 100Gi
annotations: {}
jobservice:
jobLog:
existingClaim: ""
storageClass: "cephfs"
subPath: ""
accessMode: ReadWriteMany
size: 1Gi
annotations: {}
/usr/local/share/applications/helm/harbor-<version>.tgz Example for Ingress:
#. Upload the Harbor application. .. code-block:: none
.. code-block:: none persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
existingClaim: ""
storageClass: "cephfs"
subPath: ""
accessMode: ReadWriteMany
size: 100Gi
annotations: {}
jobservice:
jobLog:
existingClaim: ""
storageClass: "cephfs"
subPath: ""
accessMode: ReadWriteMany
size: 1Gi
annotations: {}
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/harbor-<version>.tgz #. Update the Helm overrides.
#. Configure the Helm overrides for Harbor configuration. .. code-block:: none
The values below need to be configured for ingress in the ~(keystone_admin)]$ system helm-override-update harbor harbor harbor --values values.yaml
``values.yaml`` file.
.. code-block:: none #. Execute Helm overrides.
expose: .. code-block:: none
type: ingress. # Type should be ingress
tls:
enabled: true
certSource: secret
secret: # Certificate Source is secret
secretName: "harbor-tls" # Above created secret name
notarySecretName: "harbor-tls" # Above created secret name
ingress:
hosts:
core: harbor.yourdomian.com # Harbor Domain name
notary: notary.yourdomian.com # Notary Domain name
annotations:
kubernetes.io/ingress.class: nginx. # Add ingressclass name. It would be # "nginx" if you are using default ingress # controller.
nginx.org/client-max-body-size: "0". # Add this notation for nginx otherwise nginx # will reject the image pull & push
externalURL: https://harbor.yourdomian.com # URL of harbor
~(keystone_admin)]$ system helm-override-update harbor harbor harbor --values values.yaml
For |AIO-DX| and standard setup, add below ``storageClass`` and #. Apply/Create the Harbor system application.
``accessModes`` override for |PVC| used for ``Harbor-Jobservice``
and ``Harbor-Registry`` microservice.
For example: .. code-block:: none
.. code-block:: none ~(keystone_admin)]$ system application-apply harbor
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
existingClaim: ""
storageClass: "cephfs"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
annotations: {}
jobservice:
jobLog:
existingClaim: ""
storageClass: "cephfs"
subPath: ""
accessMode: ReadWriteMany
size: 1Gi
annotations: {}
Update the Helm overrides.
.. code-block:: none
~(keystone_admin)]$ system helm-override-update harbor harbor harbor --values values.yaml
#. Apply/Create the Harbor system application.
.. code-block:: none
~(keystone_admin)]$ system application-apply harbor
------------------------------------------------- -------------------------------------------------
Configure LDAP Authentication for Harbor Registry Configure LDAP Authentication for Harbor Registry
------------------------------------------------- -------------------------------------------------
.. rubric:: |prereq|
- The URL for accessing the Harbor web interface is the ``externalURL`` set in
the Helm override above in the step :ref:`Configure Helm Overrides for Harbor
<configure-helm-harbor-step>`.
- The default admin username is 'admin', and the password is 'Harbor12345'.
To configure Harbor to use |prod| Local |LDAP| for authentication, follow the To configure Harbor to use |prod| Local |LDAP| for authentication, follow the
instructions in `Configure LDAP/Active Directory Authentication instructions in `Configure LDAP/Active Directory Authentication
<https://goharbor.io/docs/2.8.0/administration/configure-authentication/ldap-auth/>`__ <https://goharbor.io/docs/2.8.0/administration/configure-authentication/ldap-auth/>`__
with the following values: with the following values.
For |prod| local |LDAP|: For |prod| local |LDAP|:
.. code-block:: none .. code-block:: none
LDP URL: ldap://controller LDAP URL: ldap://controller
LDAP search DN: cn=ldapadmin,dc=cgcs,dc=local LDAP search DN: cn=ldapadmin,dc=cgcs,dc=local
@@ -316,11 +314,16 @@ For |prod| local |LDAP|:
LDAP UID: cn LDAP UID: cn
You can find ``<Password of ldapadmin>`` in ``/etc/ldap/slapd.conf.backup``.
-------------------------------------- --------------------------------------
Push an Image to a <project> in Harbor Push an Image to a <project> in Harbor
-------------------------------------- --------------------------------------
#. Run :command:`sudo su` before Docker login. .. note::
Depending on your docker setup, you may be required to run all of the
following commands with 'sudo'.
#. Docker Login. #. Docker Login.
@@ -328,10 +331,12 @@ Push an Image to a <project> in Harbor
docker login <harbor_address> -u <username> docker login <harbor_address> -u <username>
.. note:: Where ``<harbor-address>`` is either:
Replace ``<harbor_address>`` with actual harborURL and replace - for 'Ingress' expose: `harbor.yourdomian.com`
``<username>`` with your actual username.
- for 'NodePort' expose: `https:// <oam-floating-ip>:30003` and
``<username>`` is your actual username
#. Tag the image. #. Tag the image.
@@ -359,7 +364,7 @@ Where ``<harbor-address>`` is either:
- for ``'Ingress' expose: harbor.yourdomian.com`` - for ``'Ingress' expose: harbor.yourdomian.com``
- for ``'NodePort' expose: https:// <oam-floating-ip>:30103`` - for ``'NodePort' expose: https:// <oam-floating-ip>:30003``
---------------------------------- ----------------------------------
Push a Helm Chart as an OCI Object Push a Helm Chart as an OCI Object
@@ -487,20 +492,29 @@ Trivy is installed and configured as a default scanner.
Configure Size of Registry DB Configure Size of Registry DB
----------------------------- -----------------------------
Registry DB size can be configured by setting following in ``values.yaml`` #. Registry DB size can be configured by setting following in ``values.yaml``
under: under:
.. code-block:: none .. code-block:: none
persistence: persistence:
registry: registry:
size: 5Gi size: 5Gi
jobservice: jobservice:
jobLog: jobLog:
size: 1Gi size: 1Gi
Use :command:`system helm-override` command to set the value (Default set to #. Set the the value (Default set to 5Gi).
5Gi).
.. code-block:: none
system helm-override-update harbor harbor harbor --values values.yaml
#. Apply the change:
.. code-block:: none
system application-apply harbor
------------------------------------------------------ ------------------------------------------------------
Enforcement of Image Security Policies Using Portieris Enforcement of Image Security Policies Using Portieris
@@ -519,21 +533,6 @@ To use portieris, an administrator needs to follow below steps:
#. Install portieris as specified in :ref:`install-portieris`. #. Install portieris as specified in :ref:`install-portieris`.
#. Create a ``docker-registry`` secret.
.. code-block:: none
kubectl create secret docker-registry \
-n harbor harbor-registry-secret \
--docker-server=<harbor-dns>:port \
--docker-username=admin \
--docker-password=Test@123
.. note::
If the pod creation with the above secret fails, the user should try
with new secret with ``--docker-server`` as ``<harbor-dns>``.
#. Configure image policy to allow images from Harbor registry + notary as #. Configure image policy to allow images from Harbor registry + notary as
specified specified
:ref:`portieris-clusterimagepolicy-and-imagepolicy-configuration`. Below :ref:`portieris-clusterimagepolicy-and-imagepolicy-configuration`. Below
@@ -545,17 +544,30 @@ To use portieris, an administrator needs to follow below steps:
kind: ImagePolicy kind: ImagePolicy
metadata: metadata:
name: allow-custom name: allow-custom
.. code-block:: none
namespace: harbor namespace: harbor
spec: spec:
repositories: repositories:
- name: "<harbor-dns>:30003/*" - name: "<harbor-address>:30003/*"
policy: policy:
trust: trust:
enabled: true enabled: true
trustServer: "https://<notary dns>:30004" # Optional, custom trust server for repository trustServer: "https://<notary address>:30004" # Optional, custom trust server for repository
#. Create a SECRET with a Harbor username and password, to use as an
ImagePullSecret in a POD spec.
.. code-block:: none
kubectl create secret docker-registry \
-n harbor harbor-registry-secret \
--docker-server=<harbor-address>:port \
--docker-username=admin \
--docker-password=Test@123
.. note::
If the pod creation with the above secret fails, the user should try
with new secret with ``--docker-server`` as ``<harbor-address>``.
#. Pull a signed image from Harbor registry in a pod using ``harbor-secret`` #. Pull a signed image from Harbor registry in a pod using ``harbor-secret``
created above. Please note that image policy and pod should be created in created above. Please note that image policy and pod should be created in
@@ -566,21 +578,21 @@ To use portieris, an administrator needs to follow below steps:
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: test-pod-public name: test-pod-public
spec: spec:
containers: containers:
- command: - command:
- sleep - sleep
- '3600' - '3600'
image: <harbor-dns>:30003/public-demo/redis:latest image: <harbor-address>:30003/public-demo/redis:latest
imagePullPolicy: Always imagePullPolicy: Always
name: test-pod name: test-pod
tolerations: tolerations:
- key: "node-role.kubernetes.io/master" - key: "node-role.kubernetes.io/master"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
imagePullSecrets: imagePullSecrets:
- name: harbor-registry-secret - name: harbor-registry-secret
---------- ----------
Limitation Limitation

6
doc/source/admintasks/kubernetes/index-admintasks-kub-ebc55fefc368.rst
View File

@@ -77,9 +77,9 @@ O-RAN O2 Interface
oran-o2-application-b50a0c899e66 oran-o2-application-b50a0c899e66
-------------------- -------------------------
Harbor as System App Harbor Container Registry
-------------------- -------------------------
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1