0

I'm trying to use Harbor registry with SCDF 2.9.1 in microk8s 1.18.20.
I successfully configure SCDF to retrieve the Docker Labels of my apps by adding this in SCDF server Config Map :

spring:
  cloud:
    dataflow:
      container:
        registry-configurations:
          harbor:
            registry-host: myhost
            authorization-type: dockeroauth2
            user: myuser
            secret: mypwd
            disable-ssl-verification: true
            extra:
              "registryAuthUri" : 'https://myhost/service/token?service=harbor-registry&scope=repository:{repository}:pull'

Then for pulling images I created a secret with this command line (after configuring my local Docker daemon) :

microk8s.kubectl create secret generic harbor-credentials \
    --from-file=.dockerconfigjson=/home/myuser/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson

And change Skipper and SCDF Config Map to use it with :

spring.cloud.skipper.server.platform.kubernetes.accounts.default.imagePullSecret=harbor-credentials
spring.cloud.dataflow.task.platform.kubernetes.accounts.default.imagePullSecret=harbor-credentials

But when I try to deploy my app in a stream, I get this error when pulling the image :

Head "https://myhost/v2/scdf/myapp/manifests/latest": x509: certificate signed by unknown authority

How and where do I have to configure Harbor self-signed certificate so that SCDF/Skipper can deploy applications ?
Also ideally I would prefer to remove disable-ssl-verification: true for Docker Labels too

CEDDM
  • 19
  • 5

1 Answers1

0

The solution is quite simple : I only had to copy the Harbor ca.crt file (downloaded from Harbor UI) in the /ets/ssl/certs directory.

You can also create the secret directly without configuring Docker daemon with something like :

microk8s.kubectl create secret docker-registry harbor-credentials \
    --docker-server=hostname \
    --docker-username='user' \
    --docker-password=pwd

Additionally if you want to use Harbor as a proxy for OCI images from docker.io, you can configure SCDF all at once by adding these properties during installation (after configuring Harbor proxy cache project dockerhub-proxy of course) :

global.imageRegistry = hostname/dockerhub-proxy
global.imagePullSecrets = [harbor-credentials]

In this case, your user should have rights to pull on every Harbor projects you need.
Then all images will be pulled from Harbor including kafka, skipper, zookeeper, etc ...

EDIT : I share a more elegant way to configure Harbor credentials through K8S secret : add the secret as a volume like this.
The container registry is automatically configured. If you need to add options, you add it in the config map like this :

spring:
  cloud:
    dataflow:
      container:
        registry-configurations:
          harbor:
            registry-host: myhost
            disable-ssl-verification: true

Mapping between the secret and the additional configuration is made based on the registry-host and the docker-server property in the secret if I understood it well

All of this can be made at once with the Helm chart (since v5.0.1) with a YAML like that :

server:
  configuration:
    containerRegistries:
      harbor:
        registry-host: hostname
        disable-ssl-verification: true
  extraVolumes:
    - name: harbor
      secret:
        secretName: harbor-credentials
  extraVolumeMounts:
    - name: harbor
      readOnly: true
      mountPath: /etc/secrets/harbor
global:
  imageRegistry: hostname/dockerhub-proxy
  imagePullSecrets: [harbor-credentials]
deployer:
  imagePullSecrets: [harbor-credentials]
CEDDM
  • 19
  • 5