Using a9s Harbor

This topic describes how developers use a9s Harbor.

Use a9s Harbor as private Docker Registry

To use a9s Harbor as private Docker Registry, create a service instance and create a Service Key. For more information on managing service instances, see Managing Service Instances with the cf CLI.

View the a9s Harbor Service

After the service is installed, you can see the a9s-harbor and its service plans appear in your CF marketplace. Run cf marketplace to see the service listing:

$ cf marketplace
Getting services from marketplace in org test / space test as admin...
OK
service               plans   description
a9s-harbor            harbor  [Beta] This is a service creating and managing dedicated Harbor servers.

Create a Service Instance

To provision a Harbor service, run cf create-service. For example:

$ cf create-service a9s-harbor harbor my-harbor-service

Depending on your infrastructure and service broker utilization, it may take several minutes to create the service instance.

Run the cf services command to view the creation status. This command displays a list of all your service instances. To view the status of a specific service instance, run cf service NAME-OF-YOUR-SERVICE.

Create a Service Key

After your Harbor service is created, run cf create-service-key NAME-OF-YOUR-SERVICE NAME-OF-SERVICE-KEY in order to create a Service Key for you Harbor Service:

$ cf create-service-key my-harbor-service my-service-key

If you want to create a Harbor user with the admin role privilege, you need to set the custom paramter has_admin_role to true, for example:

$ cf create-service-key my-harbor-service my-service-key -c '{ "has_admin_role": true }'

Obtain Service Instance Access Credentials

After a Service Key is created, the credentials of your Harbor service can be displayed by running cf service-key NAME-OF-YOUR-SERVICE NAME-OF-SERVICE-KEY:

$ cf service-key my-harbor-service my-service-key
Getting key my-service-key for service instance my-harbor-service as admin...
OK

{
  "dashboard_url": "EXAMPLE_DASHBOARD_URL",
  "username": "EXAMPLE_USERNAME",
  "password": "EXAMPLE_PASSWORD",
  "has_admin_role": false,
  "port": 443,
  "project": "default",
  "cacrt": "EXAMPLE_CERTIFICATE",
  "host": "EXAMPLE_HOST_INTERNAL",
  "uri": "EXAMPLE_URI_INTERNAL"
}

Connect to Harbor with Docker CLI

For using the newly created Harbor service as private Docker Hub with your Docker CLI, simply use the following command and insert username as well as password when asked: docker login EXAMPLE_DASHBOARD_URL

Push Images

Now that your Docker CLI is connected with the Harbor service as private Docker Hub, you can push images using the following instructions:

First, add new tag to any Docker image with the following command: docker tag image-name DASHBOARD_URL_WITHOUT_HTTPS/PROJECT/image-name. Example: docker tag my-image 8bdb157c-26c4-4eae-b0b4-701c8fcd1844.system.example.com/test-project/my-image

Then, use the following command to push the image: docker push DASHBOARD_URL_WITHOUT_HTTPS/PROJECT/image-name. Example: docker push 8bdb157c-26c4-4eae-b0b4-901c8fcd1844.system.exemple.com/test/my-image

Pull Images

For Pulling images from Harbor we use the following command: docker pull docker push DASHBOARD_URL_WITHOUT_HTTPS/PROJECT/image-name.

Using Harbor with Notary

The Notary server can be used for image signing by setting the following environmental variables: export DOCKER_CONTENT_TRUST_SERVER=https://notary-DASHBOARD_URL export DOCKER_CONTENT_TRUST=1

More information is available at: Notary Documentation

Use Harbor with Kubernetes

If you want to make a deployment based on an Image from Harbor please have a look at this.

Delete an a9s Harbor Service Instance

Before you can delete a service instance, you must delete all existing Service Key associated to that service instance.

List Service Keys for Service Instance

Run cf service-keys NAME-OF-YOUR-SERVICE to list all Service Keys for the respective service.

$ cf service-keys my-harbor-service

Getting keys for service instance my-harbor-service as admin...

name
my-service-key

Delete Service Keys for Service Instance

Run cf delete-service-key to delete the service key.

$ cf cf delete-service-key my-harbor-service my-service-key

Delete a Service Instance

After deleting the service keys, you can run cf delete-service to delete the service:

$ cf delete-service my-harbor-service

It may take several minutes to delete the service. Deleting a service deprovisions the corresponding infrastructure resources. Run the cf services command to view the deletion status.

Upgrade the Service Instance to another Service Plan

Once created, you can upgrade your service instance to another, larger service plan. A larger service plan provides more CPU, RAM and storage. For more information, see the Update a Service Instance of the Managing Service Instances with the cf CLI topic.

$ cf update-service my-harbor-service -p a-bigger-plan

Here are the plans you can upgrade to depending on the one you are currently using:

TODO when out of beta and there is more than just one plan.

Cloud Foundry Application Security Groups

This topic describes how to check whether a security group was created.

Each a9s Data Service will automatically create and update Cloud Foundry security groups in order to protected service instances to be accessed by applications not running in the same Cloud Foundry applications space. To get a better understanding about Security Groups you can have a look on the Understanding Application Security Groups topic.

Get Service Instance GUID

Run cf service INSTANCE_NAME --guid to get the guid of the service instance.

$ cf my-harbor-service --guid
ca16f111-5073-40b7-973a-156c75dd3028

Check available Security Groups

To see all available security groups use cf security-groups.

$ cf security-groups
Getting security groups as demo@anynines.com
OK

     Name                                         Organization     Space
#0   public_networks
#1   dns
#2   tcp_open
#3   guard_432fb752-876d-443b-a311-a075f4df2237   demonstrations   demo
#4   guard_ca16f111-5073-40b7-973a-156c75dd3028   demonstrations   demo

There you can see a security group named guard_ca16f111-5073-40b7-973a-156c75dd3028 was successfully created.

NOTE: in some circumstances the connection between the application and the service instance is not possible, in this case check if a security group was created.

Access Service Dashboard

It is possible to access the dashboard of your Harbor service instance. There you need to create a service key, which is described in the section Create a Service Key.

After creating a service key, you can simply call the Dashboard by pasting the dashboard_url into your browser.

Set a Custom Service Dashboard Domain

You can set a custom route for the Harbor application.

This works by passing your prefered host in the service configuration at the time of creation or update of the service. You will need to use the public_host custom parameter for that.

First, you will need to find a suitable domain from your Cloud Foundry installation. You can find the list of your Cloud Foundry's available domains with the command cf domains.

$ cf domains
Getting domains in org system as dev@example.com...
name                 status   type   details
apps.example.com     shared
system.example.com   owned

Given the Cloud Foundry domain system.example.com, you could set a custom host my-custom-host.system.example.com with the following command:

$ cf create-service a9s-harbor harbor-cluster-medium my-medium-cluster -c '{"public_host":"my-custom-host.system.example.com"}'
Creating service instance my-medium-cluster in org system / space staging as dev@example.com...
OK

Create in progress. Use 'cf services' or 'cf service my-medium-cluster' to check
operation status.

You can read the documentation of cf create-service and cf update-service for finer information on how to best pass custom parameters for those functions with the commands cf help create-service or cf help update-service.

Once you've created or updated your service with your custom host, this one will be used to host the Harbor application. You can verify this by creating a service key for the service instance:

$ cf create-service-key my-medium-cluster my-svc-key
Creating service key my-svc-key for service instance my-medium-cluster as dev@example.com...
OK
$ cf service-key my-medium-cluster my-svc-key
{
 "dashboard_url": "https://my-custom-host.system.example.com",
 "username": "a9s4d06eb4e154ab5"
 "password": "79acf84d70c2e0ae4c09",
 "has_admin_role": false,
 "port": 443,
 "project": "default",
 "cacrt": "-----BEGIN CERTIFICATE-----\nMIIDPDCCAiSgAwIBAgITBwHCvYoMBmB+7uiYvO0PcjT8vzANBgkqhkiG9w0BAQsF\nADAuMSwwKgYDVQQDDCNDZXJ0aWZpY2F0ZSBhdXRob3JpdHkgZm9yIG1zZDQ2YWQ2\nYzAeFw0xOTA3MDgxMTM5MTNaFw0yOTA3MDUxMTM5MTNaMC4xLDAqBgNVBAMMI0Nl\ncnRpZmljYXRlIGF1dGhvcml0eSBmb3IgbXNkNDZhZDZjMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEA6q5rSihLAhoJM0PLGshYizqGRNa9/UCXsao/UVQ0\nFm4luGHZZjCFkgBsOS4TS7GwJdvwnSIhj7eW9VOC6c16d2WzURak3Cge7HlNO/4o\nr3hrheaWCLFz3YbysqnzQLw/V1EBLFvkHE02hhUTSy/R5y4OPWww0Yvup+T4iSHM\nLKdIkqyDptPrC/4adcH89dcyD/EXNyl5gwaEykwfD0THH3xVTeLUQSlh5fh1+Pvb\nPWgsEqETr5vXJ9KuP0iRbETJy0llT3oHF63EaAg6FTo7L5s0x9gLM9Y8tWb98RJq\nT0vgEEatrjhPSox3Ih4Bh8ibb0hpRc/zblRKwD5n0JqwQQIDAQABo1MwUTAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQV4w3ZU5v8v8Kvwotnayub0fDgTAfBgNV\nHSMEGDAWgBSQV4w3ZU5v8v8Kvwotnayub0fDgTANBgkqhkiG9w0BAQsFAAOCAQEA\nmS0T/A6f9ov/r5MdYiuA31jfHiO0T5fyHv751t6TwPS3QP65sZcS+Cb8vjl5eUnb\n9t3PjqwGPRgWpro9O9DNPtqJARJuyLDgIKZtl5vwkH+Wlaj24yqU14jBrgBabK/z\ngeMExWC0FP992RdM3OpaeGgB5MyLVAFx1W3pC0pBUFP+0lNxqPvzStfBX8Jfzkls\n1FoKjAUPly8tTupuwaTbtCzPB8gswYimJjeHCID79vqcRarCm7fOFpvCVEMmNVnj\nX0Tia/SSbftnoKWVA0QzYQPxGYyiMmwGvHm57h35VYhm3NJ/PdNt8N0uTRa13O1a\nr2FRBb2q7S/YPmS2AgzuzQ==\n-----END CERTIFICATE-----\n",
 "host": "msd46ad6c-harbor-app-0.node.dc1.consul.dsf2",
 "uri": "https://msd46ad6c-harbor-app-0.node.dc1.consul.dsf2",
}

Setup Disk Usage Alerts

Each service comes with the a9s Parachute. This component monitors ephemeral and persistent disk usage. See the a9s Parachute documentation how to configure the component.