In an “enterprise” context, it is common to block users from pulling images from public container registries. Harbor is a private registry for k8s that provides many security features, such as content signing and vulnerability scanning. For more on why you would run Harbor in your k8s environment, visit the Harbor website. In this article, I describe how I set up Harbor, run a vulnerability scan on an example image and, of course, troubleshoot along the way.
- Installing cert-manager with a CA ClusterIssuer
- Installing Harbor with cert-manager (automatically issued TLS certificates) and a load balancer service
- Configuring Harbor
- Pulling and pushing images to the Harbor registry
- Scanning images for vulnerabilities
Installing cert-manager and creating a certificate issuer
Installing cert-manager is pretty easy. According to the cert-manager website, you kubectl apply the remote YAML manifest and you are done. I used this approach in my ansible script. Today, I want to try helm3. The process is pretty straightforward. If you don’t have helm on your Mac, “brew install helm” should work.
Once cert-manager is deployed, you should see three pods, cert-manager, cert-manager-webhook and cert-manager-cainjector, in the “Running” state.
As a next step, you can create “self-signed” certificates for testing purposes. If you want cert-manager to issue certificates, you need to configure an Issuer or a ClusterIssuer. In this example, I use the “CA” issuer in my homelab, with a CA key pair generated by openssl.
The issuer definition is pretty simple: I need to point cert-manager at the secret holding the CA key pair. The following shows how to create a “tls” secret (type kubernetes.io/tls) that stores the CA key pair (ca.key and ca.crt) and how to refer to that secret in the ClusterIssuer definition.
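As an added example (not the manifests from the original post), here is the secret, the ClusterIssuer and a Certificate that asks that issuer for Harbor’s server certificate; the names ca-key-pair, homelab-ca, harbor-tls, the hostname harbor.homelab.local and the load balancer IP are my assumptions.

```yaml
# Added example, not from the original post. Names below (ca-key-pair,
# homelab-ca, harbor.homelab.local, harbor-tls, the IP) are assumptions.
#
# 1. Generate the CA key pair with openssl, then store it as a "tls" secret.
#    A ClusterIssuer reads its secret from cert-manager's own namespace.
#
#    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 \
#      -subj "/CN=homelab-ca" -keyout ca.key -out ca.crt
#    kubectl -n cert-manager create secret tls ca-key-pair \
#      --cert=ca.crt --key=ca.key
#
# 2. Point the ClusterIssuer at that secret.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: homelab-ca
spec:
  ca:
    secretName: ca-key-pair
---
# 3. Ask the issuer for Harbor's server certificate. cert-manager writes
#    tls.crt/tls.key (plus ca.crt) into the harbor-tls secret; the Harbor
#    chart can then be pointed at it with expose.tls.certSource=secret and
#    expose.tls.secret.secretName=harbor-tls (chart value names assumed).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: harbor-tls
  namespace: harbor
spec:
  secretName: harbor-tls
  duration: 2160h    # 90 days
  renewBefore: 360h  # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  dnsNames:
    - harbor.homelab.local
  ipAddresses:
    - 192.168.1.50   # load balancer IP, assumed value
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: homelab-ca
    kind: ClusterIssuer
```

Because the CA is private, every client that pulls from Harbor (docker on your laptop, the kubelets in the cluster) must trust ca.crt, which is exactly the step the docker login troubleshooting below covers.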
Installing Harbor using helm
Using helm with k8s is like using apt/yum/dnf on Linux. You add, remove or update a helm repo, then helm install/uninstall/upgrade a release. The chart defaults are usually good enough. If you want to customize the configuration, you can use the “--set” parameter or specify a “values.yaml” when you run helm install. In my home lab, I want to push and pull images from my laptop, so it is “easier” for me to use a load balancer service instead of the default ingress.
The above commands do NOT work in my env. I hit an issue where the PostgreSQL data directory was globally accessible and the database pod refused to start (because of a “rook” bug). So I uninstalled the helm release and fetched the chart to my local machine to modify the database template. Instead of redeploying, you can kubectl edit the database StatefulSet to run “chmod 0700 /var/lib/postgresql/data”, then bounce the pod to fix the issue. My reason for redeploying is that I can reuse the local chart if other issues come up.
Configuring Harbor
The initial configuration in the Harbor web UI is pretty straightforward. First you log in as admin with the default password (set in values.yaml); change it after the first login, since anyone with the chart defaults knows it. Next, you add a user with a name and password.
After you create the user, you can jump to “Projects” to create a private project, homelab, and grant the user a role. I want to demo push, pull and scan, so I assigned the project admin role to my new user.
Pulling and pushing images to Harbor registry
Now I come back to my Mac with Docker Desktop installed. I should be able to log in to Harbor with the “docker login” command.
It looks like docker cannot access my OS keychain.
For Docker Desktop on a Mac, run the following commands in a terminal to copy the Harbor CA certificate into Docker’s certificate folder.
Then restart Docker Desktop.
Now let’s try again.
Now we go back to the Harbor web UI and check the registry. The public postgres:13.1 image has been pushed to our private registry.
Let’s look at the details of this postgres image.
Take a look at the bottom right corner: Vulnerabilities -> Not Scanned. Let’s scan it. Check the box next to the artifact we want to scan and click the “SCAN” button. Clair (the default scanner) will scan the image and report back any vulnerabilities it finds.
Once the scan is done, you can click on the artifact and check the details.
This is a good starting point for exploring Harbor. In the next article, I will dive deeper into Harbor’s features. Stay tuned for more on my k8s journey.