Harbor Registry
Purpose: For platform engineers, shows how to configure Harbor storage backends, replication rules, vulnerability scanning, and access control.
What Harbor Does
Harbor is a private container registry that stores, signs, and scans container images. It provides vulnerability scanning via Trivy, image replication across registries, role-based access control, and OIDC integration with Keycloak. In openCenter, Harbor is a required enterprise service for supply chain security.
How It's Deployed
Harbor is deployed via FluxCD from openCenter-gitops-base as a HelmRelease:
```text
openCenter-gitops-base/applications/base/services/harbor/
├── namespace.yaml
├── source.yaml            # HelmRepository for goharbor charts
├── helmrelease.yaml
└── helm-values/
    └── hardened-values.yaml
```
Customer overlay:
```text
applications/overlays/<cluster>/services/harbor/
├── kustomization.yaml
└── override-values.yaml
```
Harbor depends on cert-manager for TLS certificates. Ensure cert-manager is deployed and a ClusterIssuer is available before enabling Harbor.
Key Configuration
Storage Backend
By default Harbor keeps image blobs on a PersistentVolumeClaim (the chart's `filesystem` storage type) and the metadata database on a second PVC. Set the storage class and sizes for both in `override-values.yaml`:

```yaml
# applications/overlays/<cluster>/services/harbor/override-values.yaml
persistence:
  persistentVolumeClaim:
    registry:
      storageClass: ${STORAGE_CLASS}
      size: 100Gi
    database:
      storageClass: ${STORAGE_CLASS}
      size: 10Gi
```
For S3-compatible object storage, switch `imageChartStorage` to `s3`; image blobs then go to the bucket instead of the registry PVC:

```yaml
persistence:
  imageChartStorage:
    type: s3
    s3:
      region: us-east-1
      bucket: harbor-images
      accesskey: <from-sops-secret>
      secretkey: <from-sops-secret>
```

Never commit the access and secret keys in plaintext. Keep them in a SOPS-encrypted Secret and feed them to the HelmRelease through `valuesFrom`, or point the chart's `existingSecret` option under `persistence.imageChartStorage.s3` at that Secret. The bucket should also be reachable only from the cluster, since it holds every layer of every image.
Vulnerability Scanning
Harbor uses Trivy as its built-in scanner, and the base values enable it. The chart values only control whether the scanner runs and how much CPU and memory it gets:

```yaml
trivy:
  enabled: true
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      memory: 1Gi
```

Scan-on-push is not a chart value; it is a per-project setting. Open the project in the Harbor UI, go to Configuration and enable "Automatically scan images on push" (the `auto_scan` project metadata key in the API). Without it, images are only scanned when a scan is started manually or by a scheduled "Scan All" job. The same project page has "Prevent vulnerable images from running" with a severity threshold, which blocks pulls of images whose worst vulnerability is at or above that level. Scan results are shown per artifact in the Harbor UI, or via the API by requesting the artifact with `?with_scan_overview=true`.
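The two API-side pieces of the above, turning `auto_scan` on for a project and then reading the scan overview to decide whether an image may ship, as an added example (not openCenter or Harbor code). `HARBOR_URL`, the project, repository and credential values are assumptions; the JSON shapes are those of the Harbor 2.x v2.0 API, and the sample responses are constructed, not captured from a real registry.

```python
"""Turn on scan-on-push for a Harbor project and gate a pipeline on the
resulting Trivy report.  Added example, not openCenter or Harbor code.
HARBOR_URL, project/repository names and credentials are assumptions."""
import base64
import json
import urllib.request

HARBOR_URL = "https://harbor.example.com"  # assumption: your externalURL
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"
SEVERITY_RANK = {"None": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def harbor_call(method, path, user, password, body=None):
    """Authenticated call to /api/v2.0; returns parsed JSON, or None for an empty body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{HARBOR_URL}/api/v2.0{path}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def auto_scan_metadata(enabled=True):
    """Body for PUT /projects/{project}/metadatas/auto_scan.
    Harbor stores project metadata values as strings, not booleans."""
    return {"auto_scan": "true" if enabled else "false"}


def enable_auto_scan(project, user, password):
    """Same effect as ticking 'Automatically scan images on push' in the project's Configuration tab."""
    return harbor_call("PUT", f"/projects/{project}/metadatas/auto_scan",
                       user, password, auto_scan_metadata(True))


def scan_verdict(artifact, max_allowed="Medium"):
    """Decide whether an artifact may ship, given the JSON from
    GET /projects/{p}/repositories/{r}/artifacts/{ref}?with_scan_overview=true.
    Returns (ok, reason).  Missing or unfinished reports fail closed, so an
    unscanned image can never pass the gate by accident."""
    overview = (artifact.get("scan_overview") or {}).get(REPORT_MIME)
    if overview is None:
        return False, "no vulnerability report (scan-on-push off, or scan not yet run)"
    if overview.get("scan_status") != "Success":
        return False, f"scan status is {overview.get('scan_status')!r}, not Success"
    worst = overview.get("severity", "Unknown")
    if SEVERITY_RANK.get(worst, SEVERITY_RANK["Unknown"]) > SEVERITY_RANK[max_allowed]:
        counts = overview.get("summary", {}).get("summary", {})
        return False, f"worst severity {worst} exceeds {max_allowed}; counts={counts}"
    return True, f"worst severity {worst} is within {max_allowed}"


def gate(project, repository, reference, user, password, max_allowed="Medium"):
    """Fetch the artifact and apply scan_verdict.  A repository name that
    contains '/' must be sent as %2F on this endpoint."""
    repo = repository.replace("/", "%2F")
    artifact = harbor_call(
        "GET",
        f"/projects/{project}/repositories/{repo}/artifacts/{reference}?with_scan_overview=true",
        user, password)
    return scan_verdict(artifact, max_allowed)


# Constructed sample responses (not captured from a real registry) for the
# cases the gate has to handle: clean, too severe, still running, never scanned.
def _sample(status, severity, counts):
    return {"digest": "sha256:" + "0" * 64,
            "scan_overview": {REPORT_MIME: {
                "scan_status": status, "severity": severity,
                "summary": {"total": sum(counts.values()), "fixable": 0, "summary": counts}}}}

SAMPLE_CLEAN = _sample("Success", "Low", {"Low": 3})
SAMPLE_BAD = _sample("Success", "Critical", {"Critical": 1, "High": 2, "Medium": 4})
SAMPLE_RUNNING = _sample("Running", "Unknown", {})
SAMPLE_UNSCANNED = {"digest": "sha256:" + "0" * 64, "scan_overview": {}}

if __name__ == "__main__":
    for name, sample in [("clean", SAMPLE_CLEAN), ("bad", SAMPLE_BAD),
                         ("running", SAMPLE_RUNNING), ("unscanned", SAMPLE_UNSCANNED)]:
        print(name, scan_verdict(sample))
```

In a pipeline, call `gate()` with a robot account after the push and fail the job when it returns `False`; the fail-closed branches matter because a freshly pushed image has no report yet until the scan job finishes.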
OIDC Integration with Keycloak
Configure Harbor to authenticate users via Keycloak OIDC:
```yaml
externalURL: https://harbor.${CLUSTER_DOMAIN}
harborAdminPassword: <from-sops-secret>
```
OIDC settings are configured in the Harbor UI after deployment (or with `PUT /api/v2.0/configurations`):
- Navigate to Administration → Configuration → Authentication.
- Set Auth Mode to OIDC.
- Set the OIDC Endpoint to your Keycloak realm (issuer) URL, e.g. `https://keycloak.example.com/realms/opencenter`. Harbor reads `/.well-known/openid-configuration` under that URL, so give the bare realm URL, not the authorization or token endpoint.
- Set Client ID and Client Secret from the Keycloak client configured for Harbor. That client needs `https://harbor.${CLUSTER_DOMAIN}/c/oidc/callback` as a valid redirect URI.
- Set Group Claim Name to `groups` to map Keycloak groups to Harbor roles. The Keycloak client must have a Group Membership mapper that emits that claim with "Full group path" off; otherwise Harbor sees `/team-a` instead of `team-a`. Set OIDC Admin Group to the Keycloak group whose members should become Harbor administrators.

Two caveats. Harbor only lets you change the auth mode while the database contains no users other than the built-in admin, so switch to OIDC before anyone logs in. OIDC users cannot `docker login` with their Keycloak password; they use the CLI secret generated on their Harbor profile page, and pipelines should use robot accounts instead.
Image Replication
Replication rules copy images between Harbor instances or from external registries (Docker Hub, Quay, ghcr.io). A rule is either pull-based (a remote endpoint is the source and this Harbor the destination) or push-based (this Harbor pushes to the remote):
- In the Harbor UI, go to Administration → Registries and add the remote endpoint with its credentials.
- Go to Administration → Replications and create a rule specifying source, destination namespace, filters (repository name, tag, label), and trigger (manual, scheduled, or event-based).

Keep the rule's deletion option off unless you really want upstream deletions mirrored, and use name and tag filters so a rule never pulls a whole upstream namespace by accident. Replication is useful for air-gap preparation: replicate the images you need into a connected Harbor, then transfer them to the disconnected site.
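The OIDC and replication procedures above, scripted against the Harbor v2.0 API so that the configuration can be applied repeatably from automation rather than clicked in, as an added example (not openCenter or Harbor code). The Harbor and Keycloak URLs, the group and registry names and the admin credentials are assumptions; the request bodies use the key names of Harbor 2.x.

```python
"""Configure Harbor's OIDC auth for Keycloak and create a pull replication
rule through the v2.0 API.  Added example, not openCenter or Harbor code.
URLs, names and credentials below are assumptions."""
import base64
import json
import urllib.request

HARBOR_URL = "https://harbor.example.com"                             # assumption
KEYCLOAK_ISSUER = "https://keycloak.example.com/realms/opencenter"    # realm URL as on the page


def harbor_call(method, path, user, password, body=None):
    """Authenticated call to /api/v2.0; returns parsed JSON, or None for an empty body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{HARBOR_URL}/api/v2.0{path}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def oidc_configuration(client_id, client_secret, issuer=KEYCLOAK_ISSUER,
                       groups_claim="groups", admin_group="harbor-admins"):
    """Body for PUT /configurations that switches auth_mode to OIDC.
    Harbor appends /.well-known/openid-configuration to oidc_endpoint, so
    pass the bare realm URL.  The Keycloak client needs a Group Membership
    mapper emitting `groups_claim` (full group path off) and
    https://<harbor>/c/oidc/callback as a valid redirect URI."""
    if not issuer.startswith("https://") or issuer.endswith("/"):
        raise ValueError("oidc_endpoint must be an https issuer URL without a trailing slash")
    if not client_secret:
        raise ValueError("client secret is empty; load it from the SOPS-encrypted secret")
    return {
        "auth_mode": "oidc_auth",
        "oidc_name": "Keycloak",
        "oidc_endpoint": issuer,
        "oidc_client_id": client_id,
        "oidc_client_secret": client_secret,
        "oidc_scope": "openid,profile,email",   # comma-separated; openid is mandatory
        "oidc_groups_claim": groups_claim,
        "oidc_admin_group": admin_group,
        "oidc_user_claim": "preferred_username",
        "oidc_verify_cert": True,               # never disable this outside a lab
        "oidc_auto_onboard": True,              # create the Harbor user on first login
    }


def replication_policy(name, src_registry_id, dest_namespace, repo_filter,
                       tag_filter=None, cron=None):
    """Body for POST /replication/policies: pull `repo_filter` from the
    registry endpoint `src_registry_id` into the local project
    `dest_namespace`.  cron=None makes the rule manual; Harbor cron strings
    carry a leading seconds field, e.g. "0 0 2 * * *" for 02:00 daily."""
    filters = [{"type": "name", "value": repo_filter}]
    if tag_filter:
        filters.append({"type": "tag", "value": tag_filter})
    trigger = ({"type": "scheduled", "trigger_settings": {"cron": cron}}
               if cron else {"type": "manual"})
    return {
        "name": name,
        "src_registry": {"id": src_registry_id},  # source set => pull-based rule
        "dest_namespace": dest_namespace,
        "filters": filters,
        "trigger": trigger,
        "enabled": True,
        "override": True,     # re-pull a tag when upstream content changed
        "deletion": False,    # never mirror deletions from the upstream
    }


def registry_id(name, user, password):
    """Look up a registry endpoint (Administration -> Registries) by name."""
    for reg in harbor_call("GET", "/registries", user, password) or []:
        if reg.get("name") == name:
            return reg["id"]
    raise LookupError(f"registry endpoint {name!r} not found")


def apply(admin_password, client_secret):
    """Apply both settings.  Run before any user has logged in: Harbor
    refuses to change auth_mode once non-admin users exist."""
    harbor_call("PUT", "/configurations", "admin", admin_password,
                oidc_configuration("harbor", client_secret))
    hub = registry_id("dockerhub", "admin", admin_password)  # assumed to exist
    harbor_call("POST", "/replication/policies", "admin", admin_password,
                replication_policy("mirror-nginx", hub, "library", "library/nginx",
                                   tag_filter="1.*", cron="0 0 2 * * *"))
```

`oidc_configuration()` and `replication_policy()` only build request bodies, so they can be unit-tested and diffed in review; `apply()` is the only part that talks to Harbor, using the admin password and client secret read from the decrypted SOPS secret at run time.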
Verification
```bash
# Check Harbor pods
kubectl get pods -n harbor

# Verify the Harbor HelmRelease reconciled
flux get helmreleases -n flux-system | grep harbor

# Test registry access (OIDC users log in with the CLI secret from their
# Harbor profile page, not the Keycloak password)
docker login harbor.${CLUSTER_DOMAIN}

# Pull an image that has already been pushed or replicated into the library project
docker pull harbor.${CLUSTER_DOMAIN}/library/nginx:latest

# Check that Trivy is wired in; /systeminfo needs no auth and should print true
curl -s https://harbor.${CLUSTER_DOMAIN}/api/v2.0/systeminfo | jq '.with_trivy'
```
Common Customizations
- Storage size: increase the PVC sizes in `override-values.yaml` based on expected image volume; growing an existing PVC in place only works if the StorageClass allows volume expansion.
- Garbage collection: deleting a tag or artifact only removes the reference. Schedule GC jobs in the Harbor UI (Administration → Clean Up → Garbage Collection) to reclaim the underlying blobs.
- Robot accounts: create robot accounts for CI/CD pipelines so pipelines never hold user credentials; scope each to one project, grant only the permissions it needs (typically push and pull), and set an expiry.
- Image signing: Harbor stores Cosign/Notation signatures alongside the signed image; enable the project's deployment security policy so that unsigned images cannot be pulled.
- Resource limits: raise the Trivy scanner resources for clusters with high scan throughput, otherwise scans queue up and scan-on-push results lag behind pushes.