VMware Tanzu Basic: Installing TKG Extensions 1.2.0 – Part 3


In this part of my series on the TKG Extensions I will walk you through my installation of the Harbor container registry. As I was exploring the use case without NSX-T for a customer of mine, I was not able to use the embedded Harbor registry, which is only available with NSX-T and vSphere Pods. As with most of the open source components in the TKG Extensions, it would be just as easy to deploy them on a physical or virtual machine, as Sadegh Khademi did. I am limited to nearly 2 TB of vSAN storage, and a container registry can consume a lot of disk space. That's why I took an old workstation, installed Ubuntu 20.10 Server on it and set up an NFS server with a 4 TB data disk.

vCenter Datastores

Preparation Steps (Pod Security Policies)

Unlike the other components I covered in previous parts of this write-up, the Harbor manifests do not come with service accounts. You can simply create a service account "harbor" by issuing

kubectl create sa harbor

but unlike ClusterRoleBindings, service accounts live in a namespace, so you are forced to create the namespace first. That's why I added the necessary YAML definitions to the first file of the manifests:

These definitions add the service account and a ClusterRoleBinding that grants it the privileged PSP. ytt uses the files in /overlay to preprocess the YAML files in the main directory. As you can see, I used the namespace "harbor-system" for the service account; the overlay "change-namespace.yaml" rewrites it to "tanzu-system-registry". That's why I have to extend this preprocessing to the new definition as well:

change namespace for service account

Attention: I didn't do that for the ClusterRoleBinding! I didn't want to invest in ytt syntax; please post the solution for this mystery if you find it 😉
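The practical risk behind that note is a namespace mismatch: if the overlay rewrites the ServiceAccount's namespace but not the namespace in the ClusterRoleBinding's subject, the binding points at a service account that does not exist and Harbor's pods get no PSP at all. The page does not reproduce the author's YAML, so the following is an added example rather than the post's own manifest: a small shell renderer in which one variable feeds both the ServiceAccount and the binding subject, so the two cannot drift apart, plus the check that proves the binding works for the namespace the account really lives in. It assumes the privileged PSP and its ClusterRole are named vmware-system-privileged and psp:vmware-system-privileged (the TKG defaults; confirm with kubectl get psp and kubectl get clusterrole before applying).

```shell
#!/usr/bin/env sh
# Added example, not the author's manifest: render Namespace, ServiceAccount
# and ClusterRoleBinding for a privileged PSP from one set of parameters.
# Assumed names (verify in your cluster): PSP vmware-system-privileged,
# ClusterRole psp:vmware-system-privileged.

# Usage: render_psp_rbac <namespace> <serviceaccount> <clusterrole>
# The same ${ns} is used for the ServiceAccount and for the binding subject,
# which is exactly what an overlay that only rewrites one of them can break.
render_psp_rbac() {
    ns="$1"; sa="$2"; clusterrole="$3"
    cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}-${ns}-privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${clusterrole}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Count the namespace references in the rendered manifest (ServiceAccount
# metadata plus binding subject). Anything other than 2 means they disagree.
namespace_refs() {
    render_psp_rbac "$1" "$2" "$3" | grep -c "^  namespace: $1\$"
}

# Apply the manifest and then ask the API server whether the service account,
# in the namespace it actually lives in, may use the PSP. Needs cluster access.
# Usage: apply_and_check <namespace> <serviceaccount> <clusterrole> <psp>
apply_and_check() {
    render_psp_rbac "$1" "$2" "$3" | kubectl apply -f -
    kubectl auth can-i use "podsecuritypolicies/${4}" \
        --as="system:serviceaccount:${1}:${2}"
}

# Example invocation with the names used in this post:
#   apply_and_check tanzu-system-registry harbor psp:vmware-system-privileged vmware-system-privileged
```

If kubectl auth can-i answers "no" after the manifests are applied, look at the subject namespace of the ClusterRoleBinding first: that is the field an overlay that only touches ServiceAccount objects leaves behind.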

Now we just have to use the service account:

use service account

I had to edit the following files:

  • /registry/harbor/02-clair.yaml
  • /registry/harbor/04-database.yaml
  • /registry/harbor/06-jobservice.yaml
  • /registry/harbor/09-redis.yaml
  • /registry/harbor/10-registry.yaml
  • /registry/harbor/11-trivy.yaml

Deploy the Services

Follow the README.md to generate the passwords and copy them from config.yaml to values.yaml. Afterwards you can deploy everything with

ytt --ignore-unknown-comments -f common/ -f registry/harbor/ -v hostname=harbor.ne.local | kubectl apply -f-

After a minute or two you should be able to reach your newly installed registry, in my case at https://harbor.ne.local:

Harbor frontend

Now let's test the access. If you have a self-signed certificate (and if you followed my lead, you unfortunately have one) you have to make your client Docker installation trust it first. Get the registry server certificate; here are two methods, the first reading it from the cluster, the second from the live endpoint:

kubectl get secret harbor-tls -n tanzu-system-registry -o jsonpath='{.data.tls\.crt}' | base64 -d > harbor.crt

openssl s_client -connect harbor.ne.local:443 -servername harbor.ne.local </dev/null 2>/dev/null | openssl x509 -outform PEM > harbor.crt

No sudo is needed for s_client; -servername sends the SNI name so a shared ingress returns the right certificate, and piping through openssl x509 keeps only the PEM block from the handshake transcript. Prefer the first method where you can: the second trusts whatever the network hands you. On Ubuntu I copy harbor.crt to /usr/local/share/ca-certificates (the .crt suffix is required there) and run "sudo update-ca-certificates". Docker only reads the system trust store when the daemon starts, so restart it afterwards (sudo systemctl restart docker); alternatively, place the file at /etc/docker/certs.d/harbor.ne.local/ca.crt, which dockerd consults per registry without a restart.
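Before trusting the certificate, it is worth comparing the two sources: the kubectl method reads the certificate out of the cluster, while s_client reads whatever is served on the wire, which is exactly what a man-in-the-middle could replace. If the SHA-256 fingerprints of both copies agree, you have checked the network copy against the cluster copy instead of trusting it blindly. The shell functions below are an added example, not part of the original post; they assume the names from the post (harbor.ne.local, secret harbor-tls in tanzu-system-registry), need only coreutils for the comparison itself, and use a constructed stand-in payload instead of a real certificate so they can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: compare the fingerprint of the
# certificate stored in the cluster with the one served on the network before
# installing it into a client's trust store.

# Print only the first PEM certificate block from stdin. openssl s_client
# prints the handshake transcript around the certificate; this strips it.
first_pem_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        awk '/-----END CERTIFICATE-----/ { print; exit } { print }'
}

# SHA-256 fingerprint (lowercase hex) of the DER bytes of a PEM certificate
# read from stdin. This is the same value 'openssl x509 -fingerprint -sha256'
# prints, minus colons and upper case.
pem_fingerprint() {
    sed '/-----BEGIN CERTIFICATE-----/d;/-----END CERTIFICATE-----/d' |
        tr -d '\n\r ' | base64 -d | sha256sum | cut -d' ' -f1
}

# Fingerprint of the raw value of .data.tls\.crt from a Kubernetes secret.
# That value is base64 of the PEM, so it is decoded once more first.
secret_fingerprint() {
    tr -d '\n\r' | base64 -d | pem_fingerprint
}

# Succeed only when both fingerprints are present and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live helpers (need cluster access and network; not exercised offline).
fetch_cluster_cert_fingerprint() {
    kubectl get secret harbor-tls -n tanzu-system-registry \
        -o jsonpath='{.data.tls\.crt}' | secret_fingerprint
}
fetch_served_cert_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        first_pem_cert | pem_fingerprint
}

# Constructed sample "certificate": not real DER, just a stand-in payload so
# the functions above can be run without a cluster or a network connection.
SAMPLE_DER="constructed dummy certificate payload"
SAMPLE_PEM="-----BEGIN CERTIFICATE-----
$(printf '%s' "$SAMPLE_DER" | base64)
-----END CERTIFICATE-----"
EXPECTED_FP=$(printf '%s' "$SAMPLE_DER" | sha256sum | cut -d' ' -f1)

# Typical live use:
#   cluster=$(fetch_cluster_cert_fingerprint)
#   served=$(fetch_served_cert_fingerprint harbor.ne.local)
#   fingerprints_match "$cluster" "$served" && echo "same certificate"
```

Only after the two fingerprints match does the PEM go into /usr/local/share/ca-certificates or /etc/docker/certs.d/harbor.ne.local/ca.crt; a mismatch means either the ingress is serving a different certificate than the one in the secret or something between you and the registry is interfering, and both deserve a look before you type docker login.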

Test a push:

daniele@ubuntu-dt:~/dev/tkg-extensions$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
e5d9363303dd: Pull complete 
Digest: sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f
Status: Downloaded newer image for busybox:latest
daniele@ubuntu-dt:~/dev/tkg-extensions$ docker login harbor.ne.local
Authenticating with existing credentials...

Login Succeeded
daniele@ubuntu-dt:~/dev/tkg-extensions$ docker tag busybox:latest harbor.ne.local/library/busybox:latest
daniele@ubuntu-dt:~/dev/tkg-extensions$ docker push harbor.ne.local/library/busybox:latest
The push refers to repository [harbor.ne.local/library/busybox]
0064d0478d00: Pushed 
latest: digest: sha256:0415f56ccc05526f2af5a7ae8654baec97d4a614f24736e8eef41a4591f08019 size: 527

The push was successful; if you check the project /library you should see the pushed image:

pushed images

I mentioned in the first part that I will come back with a complete solution for using your own CA throughout all components in the next parts.
