- Enable Helm stable catalog
- Deploy a postgresql app with the following answers:

    # if no PV is available, set: persistence.enabled=false
    service.type=NodePort
    postgresqlUsername=postgres
    postgresqlPassword=postgres

- Get <nodeIP>:<nodePort> of the postgresql service for further configuration.
- kubectl exec into postgresql pod

    $ export PGPASSWORD=postgres
    $ psql -U postgres
    CREATE DATABASE db_registry;
    CREATE DATABASE db_clair;
    CREATE DATABASE db_notary_server;
    CREATE DATABASE db_notary_signer;

- Enable Global Registry with

    Database Type: external
    SSL Mode: disable
    Host for PostgreSQL: <nodeIP>
    Port for PostgreSQL: <nodePort>
    Username: postgres
    Password: postgres
    Core Database: db_registry
    Clair Database: db_clair
    Notary Server Database: db_notary_server
    Notary Signer Database: db_notary_signer

Result:
- Harbor functions well.
- No postgres workload is created in the global registry app.
- You can see the tables created in the postgresql:

    psql -U postgres;
    \c db_registry
    \dt

- Go to the AWS RDS service
- Click Create Database
- Select the PostgreSQL engine type, click Next
- Choose Dev/Test and click Next
- Enable the Free Tier option, fill in name, username and password in the settings, click Next
- Use the default settings and click Create Database
- Click the db instance in the databases console and get the endpoint/port for further configuration
- Click the security group of the db and configure an inbound rule (e.g. ALL TCP with Source 0.0.0.0/0) so that it is accessible externally.
- Create databases for the registry, as described in step 4 in the helm chart case.
- Enable Global Registry with the database configurations and check.
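
The inbound rule in the RDS case opens the database port to any address for the duration of the test. The following added example (not part of the original test plan) scans security-group JSON in the shape returned by aws ec2 describe-security-groups and lists the groups that leave the PostgreSQL or Redis port reachable from 0.0.0.0/0 or ::/0, so the test rule can be found and removed afterwards; the group IDs, the sample rules and the default ports 5432/6379 are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE-rds", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-EXAMPLE-tight", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-EXAMPLE-all", "IpPermissions": [
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

# Default service ports (assumption; use the port shown on the instance).
DB_PORTS = {5432: "postgresql", 6379: "redis"}

def covers(perm, port):
    """True if the rule's protocol and port range include `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports; no FromPort/ToPort present
        return True
    return (proto in ("tcp", "6")
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def world_open_sources(perm):
    """CIDRs in the rule whose prefix length is 0, i.e. any source address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def find_exposed(doc, ports=DB_PORTS):
    """Return sorted (group_id, service, cidr) for world-reachable DB ports."""
    hits = set()
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            for cidr in world_open_sources(perm):
                hits.update((group["GroupId"], svc, cidr)
                            for port, svc in ports.items() if covers(perm, port))
    return sorted(hits)

if __name__ == "__main__":
    for group_id, service, cidr in find_exposed(SAMPLE):
        print(f"{group_id}: {service} port reachable from {cidr}")
```

To check a real account, save the output of aws ec2 describe-security-groups --output json to a file and pass the parsed document to find_exposed instead of SAMPLE.
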
- Enable Helm stable catalog
- Deploy a redis app with the following answers:

    # if no PV is available, set: persistence.enabled=false
    master.service.type=NodePort
    password=testredis

- Get <nodeIP>:<nodePort> of the redis service for further configuration.
- Enable Global Registry with

    Redis Type: external
    Password: testredis
    Host for Redis: <nodeIP>
    Port for Redis: <nodePort>
    Jobservice Database index: 1
    Registry Database index: 2
    Notary Server Database: db_notary_server
    Notary Signer Database: db_notary_signer

- Do a docker push to and a docker pull from Global Registry

Result:
- Harbor functions well.
- No Redis workload is created in the global registry app.
- Check cache data in redis:

    $ redis-cli -h <nodeIP> -p <nodePort>
    AUTH testredis
    # 0 is the index for the Harbor core cache; it is not configurable due to a Harbor limitation (https://github.com/goharbor/harbor/issues/4641#issuecomment-415707592)
    select 0
    KEYS *
    select 1
    KEYS *
    select 2
    KEYS *

Notes

ElastiCache is designed to be used within EC2 instances. It needs a NAT node to make it accessible outside EC2, which is harder to set up. As it is provider specific, this case should be tested with lower priority. For validation purposes, the easy way is to create an ElastiCache cluster and the EC2 instance in the same VPC.

- Go to the AWS ElastiCache service
- Choose Redis in the navigation bar
- Click Create
- Input name, choose node type (small size for testing)
- Click Create
- Check security groups:
  - The security group of the redis instance should have inbound rules to expose the port.
  - The security group of the redis should be added to the EC2 instances running the local cluster.
- When Redis is ready, get the endpoint.
- Follow Step 4-5 in the helm chart case to use the redis and check.

Notes

Redis AUTH is an opt-in configuration and it requires enabling the Encryption in-transit (TLS) option first. From my testing the redis client Harbor uses does not work with that. So we need to make the password field of external Redis optional. As a workaround before that, set an arbitrary value in the password field and set redis.external.password="" in advanced answers.