Using a9s Harbor
This topic describes how developers use a9s Harbor.
Use a9s Harbor as private Docker Registry
To use a9s Harbor as a private Docker Registry, create a service instance and then create a Service Key. For more information on managing service instances, see Managing Service Instances with the cf CLI.
View the a9s Harbor Service
After the service is installed, you can see a9s-harbor and its service plans in your CF marketplace. Run cf marketplace to see the service listing:
$ cf marketplace
Getting services from marketplace in org test / space test as admin...
OK
service      plans    description
a9s-harbor   harbor   [Beta] This is a service creating and managing dedicated Harbor servers.
Create a Service Instance
To provision a Harbor service, run cf create-service. For example:
cf create-service a9s-harbor harbor my-harbor-service
Depending on your infrastructure and service broker utilization, it may take several minutes to create the service instance.
Run the cf services command to view the creation status. This command displays a list of all your service instances. To view the status of a specific service instance, run cf service NAME-OF-YOUR-SERVICE.
Create a Service Key
After your Harbor service is created, run cf create-service-key NAME-OF-YOUR-SERVICE NAME-OF-SERVICE-KEY to create a Service Key for your Harbor service:
cf create-service-key my-harbor-service my-service-key
If you want to create a Harbor user with the admin role privilege, you need to set the custom parameter has_admin_role to true, for example:
cf create-service-key my-harbor-service my-service-key -c '{ "has_admin_role": true }'
Obtain Service Instance Access Credentials
After a Service Key is created, the credentials of your Harbor service can be displayed by running cf service-key NAME-OF-YOUR-SERVICE NAME-OF-SERVICE-KEY:
$ cf service-key my-harbor-service my-service-key
Getting key my-service-key for service instance my-harbor-service as admin...
OK
{
"dashboard_url": "EXAMPLE_DASHBOARD_URL",
"username": "EXAMPLE_USERNAME",
"password": "EXAMPLE_PASSWORD",
"has_admin_role": false,
"port": 443,
"project": "default",
"cacrt": "EXAMPLE_CERTIFICATE",
"host": "EXAMPLE_HOST_INTERNAL",
"uri": "EXAMPLE_URI_INTERNAL"
}
Connect to Harbor with Docker CLI
To use the newly created Harbor service as a private Docker Hub with your Docker CLI, run the following command and enter the username and password when prompted:
docker login EXAMPLE_DASHBOARD_URL
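The login step above can also be scripted so the password is piped to docker login instead of being typed or pasted. The following is an added example, not part of the original a9s documentation; the function names, the harbor.example.invalid host and the sample output are constructed, and the JSON parsing is a simple line-based match that assumes the flat layout shown in the service key above.

```shell
#!/bin/sh
# Constructed sample of `cf service-key` output; all values are placeholders.
SAMPLE_KEY_OUTPUT='Getting key my-service-key for service instance my-harbor-service as admin...
OK

{
 "dashboard_url": "https://harbor.example.invalid",
 "username": "EXAMPLE_USERNAME",
 "password": "EXAMPLE_PASSWORD",
 "has_admin_role": false,
 "project": "default"
}'

# Drop the CLI banner: keep everything from the line that opens the JSON object.
key_json() { sed -n '/^{/,$p'; }

# Print the string value of top-level key $1 from the flat JSON on stdin.
# Line-based match; values containing escaped quotes are not unescaped.
key_field() {
  sed -n 's/^[[:space:]]*"'"$1"'":[[:space:]]*"\(.*\)",\{0,1\}[[:space:]]*$/\1/p' | head -n 1
}

# Succeed if the key was created with has_admin_role set to true.
key_is_admin() { grep -q '"has_admin_role":[[:space:]]*true'; }

# DASHBOARD_URL_WITHOUT_HTTPS: strip the scheme and any path.
registry_host() { printf '%s\n' "$1" | sed -e 's#^https\{0,1\}://##' -e 's#/.*$##'; }

# Log in with the password supplied on stdin, so it is not passed to
# docker as a command-line argument.
harbor_login() {   # $1 = service instance name, $2 = service key name
  json=$(cf service-key "$1" "$2" | key_json)
  [ -n "$json" ] || { echo "no JSON found in cf service-key output" >&2; return 1; }
  if printf '%s\n' "$json" | key_is_admin; then
    echo "warning: $2 has the Harbor admin role; prefer a non-admin key for push/pull" >&2
  fi
  host=$(registry_host "$(printf '%s\n' "$json" | key_field dashboard_url)")
  user=$(printf '%s\n' "$json" | key_field username)
  printf '%s\n' "$json" | key_field password |
    docker login "$host" --username "$user" --password-stdin
}
```

Call it as harbor_login my-harbor-service my-service-key; the warning is a reminder that a key created with has_admin_role set to true carries more privilege than routine pushes and pulls need.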
Push Images
Now that your Docker CLI is connected to the Harbor service as a private Docker Hub, you can push images using the following instructions:
First, add a new tag to any Docker image with the following command:
docker tag image-name DASHBOARD_URL_WITHOUT_HTTPS/PROJECT/image-name
Example:
docker tag my-image 8bdb157c-26c4-4eae-b0b4-901c8fcd1844.system.example.com/test-project/my-image
Then, use the following command to push the image:
docker push DASHBOARD_URL_WITHOUT_HTTPS/PROJECT/image-name
Example:
docker push 8bdb157c-26c4-4eae-b0b4-901c8fcd1844.system.example.com/test-project/my-image
Pull Images
To pull images from Harbor, use the following command:
docker pull DASHBOARD_URL_WITHOUT_HTTPS/PROJECT/image-name
Example:
docker pull 8bdb157c-26c4-4eae-b0b4-901c8fcd1844.system.example.com/test-project/my-image
Using Harbor with Notary
The Notary server can be used for image signing by setting the following environment variables:
export DOCKER_CONTENT_TRUST_SERVER=https://notary-DASHBOARD_URL
export DOCKER_CONTENT_TRUST=1
More information is available at: Notary Documentation
Notary With Self-Signed Certificates
In order to use Notary with self-signed certificates, you need to trust the CA that issued the certificate on your local system. You can use the following command to retrieve the certificate in PEM format:
openssl s_client -showcerts -connect {DASHBOARD_URL_WITHOUT_HTTPS}:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > CA.pem
The file CA.pem can then be imported into the local TLS certificate trust store. Please refer to the documentation of your operating system for how to do this.
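The command above pipes the whole -showcerts output into openssl x509, which keeps only the first certificate the server sent, that is, the server's own certificate, and it does so over a connection that has not been verified yet. The following added example (not part of the original a9s documentation; function names and the sample input are constructed) splits the presented chain into separate files and prints subject, issuer and SHA-256 fingerprint for each, so the certificate that ends up in the trust store can be identified and its fingerprint confirmed first.

```shell
#!/bin/sh
# Split the PEM certificates found on stdin into DIR/cert-1.pem, DIR/cert-2.pem, ...
# in the order the server sent them, and print how many were written.
split_chain() {   # $1 = existing output directory
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
    keep { print > out }
    /-----END CERTIFICATE-----/   { keep = 0; close(out) }
    END { print n + 0 }'
}

# Print subject, issuer and SHA-256 fingerprint of every split certificate.
# A self-signed certificate is the entry whose subject equals its issuer.
describe_chain() {   # $1 = directory filled by split_chain
  for f in "$1"/cert-*.pem; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
  done
}

# Typical use, with host set to DASHBOARD_URL_WITHOUT_HTTPS:
#   dir=$(mktemp -d)
#   openssl s_client -showcerts -connect "$host:443" </dev/null 2>/dev/null | split_chain "$dir"
#   describe_chain "$dir"

# Constructed sample: s_client-style output with two dummy PEM blocks
# (placeholder bodies, not real certificates).
SAMPLE_SHOWCERTS='CONNECTED(00000003)
 0 s:CN = harbor.example.invalid
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Constructed CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-BODY
-----END CERTIFICATE-----
---
Server certificate'
```

Compare the printed fingerprint with one obtained over a trusted channel before importing the file into the trust store.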
Use Harbor with Kubernetes
If you want to make a deployment based on an Image from Harbor please have a look at this.
Delete an a9s Harbor Service Instance
Before you can delete a service instance, you must delete all existing Service Keys associated with that service instance.
List Service Keys for Service Instance
Run cf service-keys NAME-OF-YOUR-SERVICE to list all Service Keys for the respective service.
$ cf service-keys my-harbor-service
Getting keys for service instance my-harbor-service as admin...
name
my-service-key
Delete Service Keys for Service Instance
Run cf delete-service-key to delete the service key.
cf delete-service-key my-harbor-service my-service-key
Delete a Service Instance
After deleting the service keys, you can run cf delete-service to delete the service:
cf delete-service my-harbor-service
It may take several minutes to delete the service. Deleting a service deprovisions the corresponding infrastructure resources.
Run the cf services command to view the deletion status.
Upgrade the Service Instance to another Service Plan
Once created, you can upgrade your service instance to another, larger service plan. A larger service plan provides more CPU, RAM and storage. For more information, see the Update a Service Instance section of the Managing Service Instances with the cf CLI topic.
cf update-service my-harbor-service -p a-bigger-plan
Cloud Foundry Application Security Groups
This topic describes how to check whether a security group was created.
Each a9s Data Service automatically creates and updates Cloud Foundry security groups in order to protect service instances from being accessed by applications that are not running in the same Cloud Foundry application space. To get a better understanding of Security Groups, have a look at the Understanding Application Security Groups topic.
Get Service Instance GUID
Run cf service INSTANCE_NAME --guid to get the GUID of the service instance.
$ cf service my-harbor-service --guid
ca16f111-5073-40b7-973a-156c75dd3028
Check available Security Groups
To see all available security groups, use cf security-groups.
$ cf security-groups
Getting security groups as demo@anynines.com
OK
     Name                                         Organization     Space
#0   public_networks
#1   dns
#2   tcp_open
#3   guard_432fb752-876d-443b-a311-a075f4df2237   demonstrations   demo
#4   guard_ca16f111-5073-40b7-973a-156c75dd3028   demonstrations   demo
There you can see that a security group named guard_ca16f111-5073-40b7-973a-156c75dd3028 was successfully created.
NOTE: In some circumstances the connection between the application and the service instance is not possible. In this case, check whether a security group was created.
Access Service Dashboard
It is possible to access the dashboard of your Harbor service instance. To do so, you need to create a service key, which is described in the section Create a Service Key.
After creating a service key, you can open the dashboard by pasting the dashboard_url into your browser.
Set a Custom Service Dashboard Domain
You can set a custom route for the Harbor application.
This works by passing your preferred host in the service configuration when the service is created or updated. You will need to use the public_host custom parameter for that.
First, you will need to find a suitable domain from your Cloud Foundry installation. You can list your Cloud Foundry's available domains with the command cf domains.
$ cf domains
Getting domains in org system as dev@example.com...
name                 status   type   details
apps.example.com     shared
system.example.com   owned
Given the Cloud Foundry domain system.example.com, you could set a custom host my-custom-host.system.example.com with the following command:
$ cf create-service a9s-harbor harbor-cluster-medium my-medium-cluster -c '{"public_host":"my-custom-host.system.example.com"}'
Creating service instance my-medium-cluster in org system / space staging as dev@example.com...
OK
Create in progress. Use 'cf services' or 'cf service my-medium-cluster' to check
operation status.
For more detailed information on how best to pass custom parameters to cf create-service and cf update-service, read their documentation with the commands cf help create-service or cf help update-service.
Once you've created or updated your service with your custom host, that host is used to serve the Harbor application. You can verify this by creating a service key for the service instance:
$ cf create-service-key my-medium-cluster my-svc-key
Creating service key my-svc-key for service instance my-medium-cluster as dev@example.com...
OK
$ cf service-key my-medium-cluster my-svc-key
{
"dashboard_url": "https://my-custom-host.system.example.com",
"username": "a9s4d06eb4e154ab5",
"password": "79acf84d70c2e0ae4c09",
"has_admin_role": false,
"port": 443,
"project": "default",
"cacrt": "-----BEGIN CERTIFICATE-----\nMIIDPDCCAiSgAwIBAgITBwHCvYoMBmB+7uiYvO0PcjT8vzANBgkqhkiG9w0BAQsF\nADAuMSwwKgYDVQQDDCNDZXJ0aWZpY2F0ZSBhdXRob3JpdHkgZm9yIG1zZDQ2YWQ2\nYzAeFw0xOTA3MDgxMTM5MTNaFw0yOTA3MDUxMTM5MTNaMC4xLDAqBgNVBAMMI0Nl\ncnRpZmljYXRlIGF1dGhvcml0eSBmb3IgbXNkNDZhZDZjMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEA6q5rSihLAhoJM0PLGshYizqGRNa9/UCXsao/UVQ0\nFm4luGHZZjCFkgBsOS4TS7GwJdvwnSIhj7eW9VOC6c16d2WzURak3Cge7HlNO/4o\nr3hrheaWCLFz3YbysqnzQLw/V1EBLFvkHE02hhUTSy/R5y4OPWww0Yvup+T4iSHM\nLKdIkqyDptPrC/4adcH89dcyD/EXNyl5gwaEykwfD0THH3xVTeLUQSlh5fh1+Pvb\nPWgsEqETr5vXJ9KuP0iRbETJy0llT3oHF63EaAg6FTo7L5s0x9gLM9Y8tWb98RJq\nT0vgEEatrjhPSox3Ih4Bh8ibb0hpRc/zblRKwD5n0JqwQQIDAQABo1MwUTAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQV4w3ZU5v8v8Kvwotnayub0fDgTAfBgNV\nHSMEGDAWgBSQV4w3ZU5v8v8Kvwotnayub0fDgTANBgkqhkiG9w0BAQsFAAOCAQEA\nmS0T/A6f9ov/r5MdYiuA31jfHiO0T5fyHv751t6TwPS3QP65sZcS+Cb8vjl5eUnb\n9t3PjqwGPRgWpro9O9DNPtqJARJuyLDgIKZtl5vwkH+Wlaj24yqU14jBrgBabK/z\ngeMExWC0FP992RdM3OpaeGgB5MyLVAFx1W3pC0pBUFP+0lNxqPvzStfBX8Jfzkls\n1FoKjAUPly8tTupuwaTbtCzPB8gswYimJjeHCID79vqcRarCm7fOFpvCVEMmNVnj\nX0Tia/SSbftnoKWVA0QzYQPxGYyiMmwGvHm57h35VYhm3NJ/PdNt8N0uTRa13O1a\nr2FRBb2q7S/YPmS2AgzuzQ==\n-----END CERTIFICATE-----\n",
"host": "msd46ad6c-harbor-app-0.node.dc1.consul.dsf2",
"uri": "https://msd46ad6c-harbor-app-0.node.dc1.consul.dsf2"
}
Setup Disk Usage Alerts
Each service comes with the a9s Parachute. This component monitors ephemeral and persistent disk usage. See the a9s Parachute documentation for how to configure the component.