The following section should be added to or exist in your local params.yaml file:

```yaml
harbor:
  harbor-cn: harbor.<shared-cluster domain name>
  notary-cn: notary.<shared-cluster domain name>
```
Harbor Registry should be installed in the shared services cluster, as it is going to be available to all users. We need to ensure we are in the correct context before proceeding.

```bash
CLUSTER_NAME=$(yq r $PARAMS_YAML shared-services-cluster.name)
kubectl config use-context $CLUSTER_NAME-admin@$CLUSTER_NAME
```
Prepare the YAML manifests for the related Harbor K8S objects. The manifests will be written to harbor/generated/ in case you want to inspect them.

```bash
./harbor/00-generate_yaml.sh $(yq r $PARAMS_YAML shared-services-cluster.name)
```
Create the Harbor namespace and certificate. Wait for the certificate to be ready.

```bash
kubectl apply -f generated/$CLUSTER_NAME/harbor/01-namespace.yaml
kubectl apply -f generated/$CLUSTER_NAME/harbor/02-certs.yaml
watch kubectl get certificate -n harbor
```

Add the Harbor Helm repository and install (or upgrade) the chart using the generated values file:

```bash
helm repo add harbor https://helm.goharbor.io
helm upgrade --install harbor harbor/harbor -f generated/$CLUSTER_NAME/harbor/harbor-values.yaml --namespace harbor
```
Validate the installation:

- All Harbor pods are in a running state:

  ```bash
  kubectl get po -n harbor
  ```

- Certificate is True and Ingress created:

  ```bash
  kubectl get cert,ing -n harbor
  ```

- Open a browser and navigate to https://<$HARBOR_CN>. The default user is admin and the password is Harbor12345.

  ```bash
  open https://$(yq r $PARAMS_YAML harbor.harbor-cn)
  ```
1. Log into the Okta account you created as part of the Okta Setup Lab. The URL should be in your params.yaml file under okta.auth-server-fqdn.
2. Choose Applications (top menu) > Add Application > Create New App > Web, then click Next.
3. Complete the form as follows, and then click Done.
   - Give your app a name: Harbor
   - Remove Base URL
   - Login redirect URIs: https://<harbor.harbor-cn from $PARAMS_YAML>/c/oidc/callback
   - Logout redirect URIs: https://<harbor.harbor-cn from $PARAMS_YAML>/c/oidc/logout
   - Grant type allowed: Authorization Code
4. Capture the Client ID and Client Secret for use later.
5. On the top left, choose the arrow next to Developer Console and choose Classic UI.
6. Choose Applications (top menu) > Applications > Pick your app > Sign On tab > Edit OpenID Connect ID Token section:
   - Groups claim type => Filter
   - Groups claim filter => groups Matches regex .*
1. Log in to Harbor as admin with password Harbor12345.
2. On the right hand nav, select Administration -> Configuration.
3. Choose the Authentication tab, and then complete the form as follows:
   - Auth Mode: OIDC
   - OIDC Provider Name: Okta
   - OIDC Endpoint: https://<okta.auth-server-fqdn from $PARAMS_YAML>/oauth2/default
   - OIDC Client ID: value copied from the Okta console
   - OIDC Client Secret: value copied from the Okta console
   - Group Claim Name: groups
   - OIDC Scope: openid,profile,email,groups,offline_access
   - Verify Certificate: checked
   - Click Test OIDC Server, then click Save.
4. Log out of Harbor.
1. In an incognito window, access the Harbor UI at https://<harbor.harbor-cn from $PARAMS_YAML>. You will now see a Login Via OIDC Provider button on the login page.

   ```bash
   open https://$(yq r $PARAMS_YAML harbor.harbor-cn)
   ```

2. Click the Login Via OIDC Provider button; you will be redirected to the Okta login page.
3. Log in as alana; you will be redirected back to Harbor. This time it will ask you to provide a local Harbor username to associate with your Okta profile.
4. You are now logged in with standard user privileges.
5. On the top right of the page, click on your name and select User Profile. The resulting window contains your CLI secret. This is the secret you must use to log in to Harbor using the docker CLI.
6. Now log in with the docker CLI, using your Okta username and your CLI secret from Harbor:

   ```bash
   docker login https://$(yq r $PARAMS_YAML harbor.harbor-cn) -u alana
   ```

7. Now log out of the Harbor UI. Log back in as admin with password Harbor12345.
8. On the right hand nav, select Administration -> Users.
9. Select the alana user and click the Set as Admin button.
10. Next time alana logs in, she will have admin privileges.
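A pre-flight check for the Harbor Authentication form above, added here as an example (it is not part of the lab, of Harbor or of Okta): it compares an OIDC discovery document with the OIDC Endpoint and OIDC Scope values you entered, which is what the Test OIDC Server step needs to succeed. The discovery document below is constructed inline with a placeholder Okta hostname; fetch_discovery is my own helper for running the same check against a live endpoint.

```python
"""Pre-flight check for the Harbor <-> Okta OIDC settings (added example)."""
import json
import urllib.request

# Values exactly as entered in the Harbor Authentication form above.
HARBOR_SCOPES = "openid,profile,email,groups,offline_access"
GRANT_TYPE = "authorization_code"  # Okta app: Grant type allowed = Authorization Code


def check_oidc_discovery(endpoint, discovery, scopes=HARBOR_SCOPES):
    """Compare Harbor's configured endpoint and scopes with a provider's
    discovery document. Returns a list of problems; empty means consistent."""
    problems = []
    issuer = discovery.get("issuer", "")
    # Harbor's OIDC client (go-oidc) compares issuer and endpoint byte for
    # byte, so a trailing slash or an http/https mismatch breaks the login.
    if issuer != endpoint:
        problems.append(f"issuer mismatch: endpoint={endpoint!r} issuer={issuer!r}")
    wanted = scopes.split(",")
    supported = set(discovery.get("scopes_supported", []))
    missing = [s for s in wanted if s not in supported]
    if missing:
        problems.append(f"scopes not advertised by the provider: {missing}")
    if GRANT_TYPE not in discovery.get("grant_types_supported", []):
        problems.append(f"grant type {GRANT_TYPE} not supported")
    # claims_supported is optional in discovery; only judge it when present.
    claims = discovery.get("claims_supported")
    if claims is not None and "groups" in wanted and "groups" not in claims:
        problems.append("groups claim not advertised; check the Groups claim filter in Okta")
    return problems


def fetch_discovery(endpoint):
    """Download the discovery document of a live endpoint (needs network)."""
    url = endpoint.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: a discovery document with a placeholder Okta hostname,
# shaped like the answer from https://<okta fqdn>/oauth2/default.
SAMPLE_ENDPOINT = "https://<okta.auth-server-fqdn>/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ENDPOINT,
    "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "claims_supported": ["sub", "name", "email", "groups"],
}
```

Run `check_oidc_discovery(endpoint, fetch_discovery(endpoint))` with your real OIDC Endpoint value; an empty list means the form values and the provider agree.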