Integrating VMware Harbor Registry with Enterprise PKS

This topic describes how to integrate Harbor Registry with Enterprise Pivotal Container Service (Enterprise PKS).

Note: This documentation supports the Harbor v1.8 release.

Prerequisites

Update DNS for Harbor

After you install and configure Harbor, you must update the DNS entry for the Harbor hostname with the IP address of the Harbor VM assigned by BOSH.

To view the IP address assigned to Harbor, click the Harbor tile and select the Status tab.

Import the CA Certificate Used to Sign the Harbor Certificate and Key to BOSH

Enterprise PKS must authenticate connections to Harbor to pull images from and push images to Harbor. Before you can use Harbor with Enterprise PKS, you must configure the BOSH Director with the CA certificate that was used to sign the Harbor certificate and private key. For more information, see Configure SSL Certificate and Key in Installing and Configuring VMware Harbor Registry.

When you add the CA certificate that was used to sign the Harbor certificate and key to the BOSH Director security configuration, all Kubernetes clusters deployed by Enterprise PKS automatically trust the Harbor registry.

Obtain the CA Certificate Used to Sign the Harbor Certificate and Key

If you installed Harbor with a custom certificate and private key, follow the steps below. For more information, see Use Custom Certificate in Installing and Configuring VMware Harbor Registry.

  1. Obtain the third-party CA certificate that was used to sign the Harbor certificate and key.

  2. Import the CA certificate to the BOSH Director. For instructions, see the Load the CA Certificate to the BOSH Director Security Configuration section below.

If you had Ops Manager automatically generate the certificate and key for Harbor, download the Ops Manager Root CA Certificate by following the steps below. For more information, see Use Generated Certificate in Installing and Configuring VMware Harbor Registry.

  1. Navigate to the Ops Manager Installation Dashboard.

  2. In the upper right corner, click your username and select Settings.

  3. Select Advanced.

  4. Click Download Root CA Cert.

  5. Import the CA certificate to the BOSH Director. For instructions, see the Load the CA Certificate to the BOSH Director Security Configuration section below.

Load the CA Certificate to the BOSH Director Security Configuration

Once you have obtained the Harbor CA Certificate file, perform the following steps to load the certificate in the BOSH Director security configuration:

  1. Log in to Ops Manager.

  2. Navigate to the Installation Dashboard.

  3. Click the BOSH Director tile.

  4. Click Security.

  5. In a text editor, open the CA certificate file that you obtained in the Obtain the CA Certificate Used to Sign the Harbor Certificate and Key section above.

  6. Copy and paste the contents of the CA certificate file into the Trusted Certificates field.

  7. Click Save.

  8. Return to the Installation Dashboard and click Apply Changes. BOSH is redeployed.
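
Before pasting the file into the Trusted Certificates field in step 6, confirm that it is a CA certificate and that the Harbor certificate actually chains to it. The following shell script is an added example, not part of the VMware documentation; the function names, file names and the constructed sample PKI are assumptions, and it requires OpenSSL 1.1.0 or later.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the file destined for the BOSH Director
# "Trusted Certificates" field. Function names are hypothetical.

# check_harbor_ca CA_FILE HARBOR_CERT_FILE
# Returns 0 only if CA_FILE is a CA certificate and HARBOR_CERT_FILE verifies against it.
check_harbor_ca() {
  # 1. Must parse as a PEM X.509 certificate (not a private key or a CSR).
  openssl x509 -in "$1" -noout 2>/dev/null ||
    { echo "not a PEM certificate: $1"; return 2; }
  # 2. Must carry basicConstraints CA:TRUE, i.e. be a CA, not a server certificate.
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
    { echo "not a CA certificate: $1"; return 3; }
  # 3. The Harbor certificate must chain to this file. -no-CApath stops the
  #    default CA directory from satisfying the check instead
  #    (on OpenSSL 3.x, -no-CAstore can be added as well).
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "Harbor certificate does not chain to $1"; return 4; }
  echo "OK: $(openssl x509 -in "$1" -noout -subject -fingerprint -sha256 | tr '\n' ' ')"
}

# make_constructed_pki DIR: throwaway sample data (constructed, not real).
# ca.pem signs harbor.pem; other-ca.pem is an unrelated CA.
make_constructed_pki() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Harbor CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  for n in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -days 1 \
      -subj "/CN=Constructed $n" -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=harbor.example.test" -keyout "$1/harbor.key" -out "$1/harbor.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/harbor.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 2 -days 1 -out "$1/harbor.pem" 2>/dev/null
}

d=$(mktemp -d) && make_constructed_pki "$d" && check_harbor_ca "$d/ca.pem" "$d/harbor.pem"
```

For a real deployment, pass the CA file you obtained and the certificate configured for Harbor instead of the constructed files; compare the printed SHA-256 fingerprint with the one published by the CA owner before pasting.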

Create DNAT Rule for Harbor (NSX-T only)

If you integrate Harbor with Enterprise PKS in an NSX-T environment that uses NAT mode, the IP address for Harbor provided by Ops Manager is not publicly accessible, and you cannot access the Harbor UI from https://harbor_host_address:443. For more information about NAT mode, see NAT Topology in NSX-T Deployment Topologies for Enterprise PKS.

To access the Harbor UI, you must create a DNAT rule in the NSX-T Tier-0 router that maps the Harbor IP address to a routable IP address in your virtual network. For more information, see Create DNAT Rule on T0 Router for Harbor Registry in Creating the Enterprise PKS Management Plane.

Note: The IP address that your FQDN resolves to should be in the range of the NSX-T external-ip-pool (Inventory > Groups > IP Pools). If the IP address is not in this range, you must assign an IP address from the CIDR that is outside of the specified range in use for external-ip-pool.

If you are using Harbor with Enterprise PKS with NSX-T in NAT mode, create a DNAT rule for Harbor as follows:

  1. In the NSX Manager, select Routing > NAT > T0-Router.

  2. Click ADD.

  3. Configure the NAT rule as follows:

    • Priority: 1024
    • Action: DNAT
    • Protocol: Any Protocol
    • Destination IP: The external IP address that your FQDN resolves to
    • Translated IP: The IP address of the Harbor VM
    • Status: Enabled
    • Firewall Bypass: Enabled

  4. Click Save.

Monitor Harbor Using Wavefront

If you enabled Wavefront monitoring in the Harbor tile, there are additional steps to take to initiate monitoring with Wavefront.

  1. After Wavefront is configured and installed in the Harbor tile, go to your Wavefront portal URL (for example, https://longboard.wavefront.com) and log in with your user name and password.

  2. Click Integrations and install the Linux Host.

  3. Click the Dashboard tab and select Install Dashboards.

  4. Go to Dashboards > All dashboards > Linux Host Dashboards.

  5. From here you can view the CPU, Memory and Disk usage of the Harbor VM.

For more information about monitoring with Wavefront, refer to the Wavefront documentation.

Next Steps