Container Registry

To support the development (ref. Application Hub) and deployment/execution (ref. ADES) of user-defined applications, we deploy a container registry to host container images. This is provided by a deployment of the Harbor artefact repository.

Helm Chart

Harbor is deployed via the harbor Helm chart from the Harbor Helm Chart Repository.

helm install --version 1.7.3 --values harbor-values.yaml \
  --repo https://helm.goharbor.io \
  harbor harbor

Values

The chart is configured via values that are fully documented on the Harbor website.

Example…

expose:
  ingress:
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: letsencrypt-production
      nginx.ingress.kubernetes.io/proxy-read-timeout: '600'

      # from chart (the ssl-redirect annotations take a boolean string):
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"

    hosts:
      core: harbor.192-168-49-2.nip.io
    tls:
      enabled: "true"
      certSource: secret
      secret:
        secretName: "harbor-tls"

persistence:
  persistentVolumeClaim:
    registry:
      storageClass: standard
    chartmuseum:
      storageClass: standard
    jobservice:
      storageClass: standard
    database:
      storageClass: standard
    redis:
      storageClass: standard
    trivy:
      storageClass: standard

externalURL: https://harbor.192-168-49-2.nip.io
# initial password for logging in with user "admin"; replace the placeholder value below
harborAdminPassword: "changeme"

chartmuseum:
  enabled: false
trivy:
  enabled: false
notary:
  enabled: false

Note

  • We specify use of ‘valid’ certificates from Let's Encrypt ‘production’. The Workspace API, which calls the Harbor API, expects valid certificates and will thus fail if presented with TLS certificates that fail validation.
  • The letsencrypt-production Cluster Issuer relies upon the deployment being accessible from the public internet via the expose.ingress.hosts.core DNS name. Where this is not the case, e.g. for a local minikube deployment, TLS will fall back to the self-signed certificate built in to the nginx ingress controller. The Workspace API will not like this.
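
A pre-flight check for the situation described in the note above, added here as an example (it is not part of the original guide or of Harbor): it connects to the Harbor ingress with strict verification and, if that fails, reports whether the served certificate is the ingress-nginx self-signed fallback. It assumes the calling client's trust decisions match Python's default TLS context (system trust store plus host name check); the function names are illustrative.

```python
import socket
import ssl
import sys

# CN of the self-signed default certificate that ingress-nginx serves when it
# has no valid certificate for the requested host.
FAKE_CN = b"Kubernetes Ingress Controller Fake Certificate"

def classify(verify_error, der):
    """Turn a strict-verification result plus the raw certificate into a verdict."""
    if verify_error is None:
        return "valid"
    if der and FAKE_CN in der:
        return "ingress-fallback"      # no issued certificate reached the ingress
    return "invalid"                   # expired, wrong host name, private CA, ...

def peer_der(host, port, timeout):
    """Fetch the served certificate (DER) without verifying it, for inspection only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def probe(host, port=443, timeout=5.0):
    """Return (verdict, detail) as seen by a client that validates certificates."""
    strict = ssl.create_default_context()   # assumption: system trust store applies
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                return classify(None, None), "chain and host name verified"
    except ssl.SSLCertVerificationError as exc:
        error = exc.verify_message
    except OSError as exc:                   # refused, timeout, DNS, non-TLS port
        return "unreachable", str(exc)
    try:
        der = peer_der(host, port, timeout)
    except OSError:
        der = None
    return classify(error, der), error

if __name__ == "__main__":
    # Host name taken from the example values on this page.
    host = sys.argv[1] if len(sys.argv) > 1 else "harbor.192-168-49-2.nip.io"
    verdict, detail = probe(host)
    print(f"{host}: {verdict} ({detail})")
    sys.exit(0 if verdict == "valid" else 1)
```

A verdict of `ingress-fallback` means the ingress is serving its built-in certificate instead of the one expected in the `harbor-tls` secret.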

Container Registry Usage

After deployment, Harbor is accessible via its web interface, e.g. https://harbor.192-168-49-2.nip.io/.

Login as the admin user with the password specified in the helm values.

Additional Information

Additional information regarding the Container Registry can be found at: