NSX Application Platform Part 2: Harbor Image Registry

Harbor Image Registry Configuration

There are many ways to deploy Harbor on-premises including, but not limited to:

Issue the command below on your Harbor appliance, and follow the prompts on screen.

  • Using Helm to deploy a HA instance of Harbor on kubernetes
  • Tanzu Application Service with Harbor Integration
  • Deploying the Harbor image registry on a virtual machine

Note: as of the NSX-T 3.2 release (Impactor), self-signed certificates, including Active Directory issued certificates, are not supported.

The Harbor image registry is critical to the successful deployment of the NSX Application Platform (NAPP). It holds all the images and binaries required for the application platform, which are pulled as pods are being deployed.

Virtual Machine Configuration

Finally, I complete the prerequisite installation by installing Docker Compose.

  • Ubuntu 20.04.3 Focal Fossa
  • 2 vCPU/8GB RAM
  • 2 Disks attached, one for the OS (40GB) and one for data (150GB)
  • Single network interface on my management network (IP address 192.168.63.100)
  • VM has internet access to generate certificates and pull files for install

The official steps from Docker can be found here. The commands I ran are provided in the output below.

Prerequisites – Installing Docker

And that’s it for the Harbor repository deployment!

First, I install Let's Encrypt on my virtual appliance. I have listed the commands I ran in the output below. Remember, this command is being run on Ubuntu; you will need to edit the command to suit your operating system.

Navigate to the folder that contains the uncompressed NAPP binaries; there should be a file called upload_artifacts_to_private_harbor.sh. Open this file in a text editor; in my case I used vim.


root@harbor:/# apt-get update

root@harbor:/# apt-get install \
> ca-certificates \
> curl \
> gnupg \
> lsb-release

root@harbor:/# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

root@harbor:/# echo \
> "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
> $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

root@harbor:/# apt-get update   # DO NOT SKIP THIS
root@harbor:/# apt-get install docker-ce docker-ce-cli containerd.io

Once the project is created, the images can be uploaded. In my environment I chose to utilize a jumpbox which has all the tools I required pre-installed, as well as the NAPP binaries transferred and uncompressed. Details and configuration of this jump box can be found in the first article of this series.

Now, copy the Harbor configuration file that is in the uncompressed Harbor installer folder or rename it.

Prior to installing Harbor, the Ubuntu VM must meet the prerequisites, all of which can be found here.

Next, I install Harbor by running the command in the output below.

Generating a Let's Encrypt Certificate

You should now be able to access the Harbor registry UI. It is also worthwhile to check that the certificate was properly installed and the site is secure.

The certificates used for the registry must be signed by a trusted certificate authority. If you do not utilize a trusted certificate, when attempting to deploy NAPP, you will be faced with an x509 certificate issue, similar to the below output.

Change the first three lines to suit your environment. Instructions for this on the VMware website can be found here.

root@harbor:/mnt/data/harbor# cp harbor.yml.tmpl harbor.yml

First I created a new project. To do so, log in to Harbor and click on create a new project.

The final part of the series demonstrates the deployment process for NSX Application Platform and its security features (NSX Intelligence, Network Detection and Response, and Malware Prevention).


Ignore the errors you see regarding a connection; these are specific to my environment. At this point you can leave the images to be pushed to your Harbor registry; the time this takes can vary depending on your environment.

root@harbor:/mnt/data/harbor# vi harbor.yml
#### The main options that I changed are
hostname: reg.mydomain.com
certificate: /your/certificate/path
private_key: /your/private/key/path
data_volume: /data

NSX Application Platform Part 4: Deploying the Application Platform

Once this process completes, you should see something similar on your jumpbox or whatever you chose to upload the images from.

DOCKER_REPO=harbor.lab2prod.com.au/impactor
DOCKER_USERNAME=admin
DOCKER_PASSWORD=Harbor12345

Setup and configure Harbor

The final part of this article is to push the images to the Harbor registry.


root@harbor:/mnt/data/harbor# sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 664 100 664 0 0 14434 0 --:--:-- --:--:-- --:--:-- 14434
100 11.6M 100 11.6M 0 0 14.6M 0 --:--:-- --:--:-- --:--:-- 25.8M
root@harbor:/mnt/data/harbor# sudo chmod +x /usr/local/bin/docker-compose
root@harbor:/mnt/data/harbor# docker-compose --version
docker-compose version 1.27.4, build 40524192

Harbor Repository Certificate Configuration

Download the offline Harbor installer package located here, and transfer it to the Harbor appliance.

NSX Application Platform Part 3: NSX-T, NSX-ALB (Avi), and Tanzu


NSX Application Platform Part 1: Environment Overview

This section details the specifications of the Ubuntu virtual machine that I have deployed for use as my Harbor image registry.

Note: Do not skip installing chartmuseum, it is required for NAPP.

I have recently put together a video that provides clear guidance on deploying NAPP; it can be seen here.


This guide will walk through deploying Harbor on an Ubuntu virtual machine.

root@harbor:/mnt/data/harbor# ./install.sh --with-chartmuseum

This was the first article in the series; it provides an overview of the environment.


root@harbor:/mnt/data# tar xzvf harbor-offline-installer-v2.4.1.tgz

The next part in this series focusses on NSX-T, NSX-ALB, and Tanzu.

Extract the archive using the command below.

Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 11m default-scheduler Successfully assigned cert-manager/cert-manager-69cc999bb5-khjws to impactorlab-workers-snmxl-dc89f6748-s9p4p
Normal Pulling 10m (x4 over 11m) kubelet Pulling image "harbor.shank.com/impactor/clustering/third-party/cert-manager-controller:19067763"
Warning Failed 10m (x4 over 11m) kubelet Failed to pull image "harbor.shank.com/impactor/clustering/third-party/cert-manager-controller:19067763": rpc error: code = Unknown desc = failed to pull and unpack image "harbor.shank.com/impactor/clustering/third-party/cert-manager-controller:19067763": failed to resolve reference "harbor.shank.com/impactor/clustering/third-party/cert-manager-controller:19067763": failed to do request: Head "https://harbor.shank.com/v2/impactor/clustering/third-party/cert-manager-controller/manifests/19067763": x509: certificate signed by unknown authority
Warning Failed 10m (x4 over 11m) kubelet Error: ErrImagePull
Warning Failed 6m54s (x21 over 11m) kubelet Error: ImagePullBackOff
Normal BackOff 108s (x44 over 11m) kubelet Back-off pulling image "harbor.shank.com/impactor/clustering/third-party/cert-manager-controller:19067763"
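
The "x509: certificate signed by unknown authority" events above are what a node reports when the registry certificate does not chain to a CA it trusts. The following is an added example, not part of the original article: a check that can be run before deploying NAPP to confirm a certificate verifies against a CA bundle and matches the registry hostname. The function names, the host harbor.example.test and the throwaway CA are constructed for illustration.

```shell
# Added example: does a registry certificate chain to a trusted CA and match its hostname?
# make_demo_pki HOST: build constructed test material in a temp dir and print its path:
#   ca.pem (throwaway CA), leaf.pem (signed by that CA), selfsigned.pem
make_demo_pki() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    printf 'subjectAltName=DNS:%s\n' "$1" > "$d/san.ext"
    {
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 &&
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$1" \
            -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
        openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$d/san.ext" -out "$d/leaf.pem" -days 1 &&
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$1" \
            -keyout "$d/ss.key" -out "$d/selfsigned.pem" -days 1
    } >/dev/null 2>&1 || return 1
    echo "$d"
}

# check_registry_cert LEAF CA_BUNDLE HOST [INTERMEDIATES]
# Prints trusted | untrusted-issuer | hostname-mismatch; returns 0 only when trusted.
check_registry_cert() {
    if [ -n "${4:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$4" "$1"
    else
        openssl verify -CAfile "$2" "$1"
    fi >/dev/null 2>&1 || { echo "untrusted-issuer"; return 1; }
    # -checkhost reports whether HOST matches the names in the certificate
    openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match" ||
        { echo "hostname-mismatch"; return 2; }
    echo "trusted"
}

# Demo on the constructed certificates.
pki=$(make_demo_pki harbor.example.test) && {
    check_registry_cert "$pki/leaf.pem" "$pki/ca.pem" harbor.example.test
    check_registry_cert "$pki/selfsigned.pem" "$pki/ca.pem" harbor.example.test || true
    rm -rf "$pki"
}
```

On the Harbor appliance the inputs would be the cert.pem and chain.pem files that certbot normally writes to the live directory, with the system CA bundle (on Ubuntu, /etc/ssl/certs/ca-certificates.crt) as the second argument. The result reflects the trust store of the machine running the check, so the Kubernetes nodes that pull the images must trust the same issuing CA.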

### Install the package and all its dependencies
root@harbor:/home/harbor# apt install letsencrypt

### Check to ensure it is running
root@harbor:/home/harbor# systemctl status certbot.timer


Note: This article will not cover the Ubuntu deployment process.

The repository should list 80 repositories and 18 charts.

## Change the value after -d to match the hostname of your Harbor appliance.
root@harbor:/home/harbor# certbot certonly --standalone -d harbor.lab2prod.com.au


As per the prompt, the certificates have been generated and are available in /etc/letsencrypt/live/harbor.lab2prod.com.au/.
