Supervisor Series: Ep 2. Deploying Contour and Harbor as Supervisor Services
A private cloud platform requires more than just modern runtimes (VM and Kubernetes) to meet the needs of workloads. The number of both required services and value add services evolves as workloads and business needs change. Utilizing the Supervisor as a IaaS platform layer you can provide the required services directly through vCenter. Using the Supervisor Service framework, you can deploy and manage a set of curated services, such as S3, OCI Image registry, L7 Ingress, Backup and Recovery, and Certificate Management, or deploy your own in-house platform services to enable platform consumers to quickly meet their workload needs.
In this episode, we will deploy Contour - a L7 Ingress controller, and Harbor – an OCI Image registry, which we will use to store our application images.
About Contour and Harbor
Contour is an Ingress controller for Kubernetes that works by deploying the Envoy proxy as a reverse proxy and load balancer. The contour package is a prerequisite for Harbor and must be installed first.
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing.
You can download all installation packages and sample configuration files from https://github.com/vsphere-tmm/Supervisor-Services/blob/main/README.md
To complete this deployment, we will need following files:
- contour.yml
- controur-data-values.yml
- harbor.yml
- harbor-data-values.yml
Deploy Contour
In Workload Management view, click on Services.
Click on Add New Service and select the contour.yml file to register the Contour package with vCenter.
Once Contour is added, click on Actions and select Install on Supervisors.
Check the box next to Supervisor-1 and paste in content of the contour-data-values.yml file into the YAML Service Config window. For demo purposes you can use the default values, these will be used for configuration of the service.
A new service namespace will be created for each Supervisor Service. Supervisor Services utilize vSphere Pods which will be visible in your inventory.
Click on the svc-contour namespace and select the Compute tab to verify that all vSphere pods are running.
Click on the Network and select Services to obtain the External IP which will be used to access the Harbor repository. Add this IP address to your DNS server for the FQDN you will access Harbor on - for example harbor.vmw.lab. This FQDN will be specified in harbor-data-values.yaml file later.
Deploy Harbor Image Registry
Return to Worklod Management, Services and click on Add New Service.
Select harbor.yml to upload the Harbor package and register it with vCenter.
Open harbor-data-values.yml and modify the following values at minimum:
- hostname – enter a hostname that will be used to access the registry, we will use harbor.vmw.lab in this demo. This has to match the DNS record we created earlier.
- harborAdminPassword – change the admin password
- storageClass – change the storage class name to match your environment in all 5 PersistentVolumeClaims, in this demo we use k8s-storage-policy
harbor-data-values.yml:
#! The FQDN for accessing Harbor admin UI and Registry service.
hostname: harbor.vmw.lab
#! The network port of the Envoy service in Contour or other Ingress Controller.
port:
https: 443
#! Do not change tlsSecretLabels. It is required for TKG integration to work.
tlsCertificate:
tlsSecretLabels: {"managed-by": "vmware-vRegistry"}
#! [Required] The initial password for the Harbor admin account. This is applied
#! only during installation. Future updates to the password should be done
#! using the Harbor UI or API.
harborAdminPassword: Harbor12345
#! [Required] The secret key used for encryption. Must be a string of 16 chars.
secretKey: 0123456789ABCDEF
database:
#! [Required] The initial password of the postgres database.
password: change-it
core:
replicas: 1
#! [Required] Secret is used when core server communicates with other components.
secret: change-it
#! [Required] The XSRF key. Must be a string of 32 chars.
xsrfKey: 0123456789ABCDEF0123456789ABCDEF
jobservice:
replicas: 1
#! [Required] Secret is used when job service communicates with other components.
secret: change-it
registry:
replicas: 1
#! [Required] Secret is used to secure the upload state from client
#! and registry storage backend.
#! See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
secret: change-it
notary:
#! Notary is unsupported on vSphere Supervisor Clusters.
enabled: false
#! Specify another StorageClass in the "storageClass" or set "existingClaim"
#! if you have already existing persistent volumes to use
persistence:
persistentVolumeClaim:
registry:
#! Specify the "storageClass" used to provision the volume.
#! Please use what is available in your environment.
storageClass: "k8s-storage-policy"
subPath: ""
accessMode: ReadWriteOnce
size: 10Gi
jobservice:
storageClass: "k8s-storage-policy"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
database:
storageClass: "k8s-storage-policy"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
redis:
storageClass: "k8s-storage-policy"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
trivy:
storageClass: "k8s-storage-policy"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
#! The metrics used by core, registry and exporter
metrics:
enabled: true
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
#! Note: IPv6 is not supported on Supervisor. Including it will cause harbor-portal to fail.
network:
ipFamilies: ["IPv4"]
Once Harbor is added, click on Actions and select Install on Supervisors.
Check the box next to Supervisor-1 and paste in the content of the modified harbor-data-values.yml.
Click into the svc-harbor namespace and wait until all vSphere Pods are in running state.
Note: some pods may fail during the deployment and get automatically recreated, this is a standard Kubernetes behaviour. You can verify the deployment is fully finished by looking at Deployments and making sure Available matches Desired state.
You can now login to your Harbor instance using the FQDN, username, and password defined in harbor-data-values.yml.
To obtain the Registry certificate, click into Library and download the certificate.
We will now create a new project that will hold our application images. We will use these images in the next episode of Supervisor Series.
In Harbor, go to Projects and click on New Project. Enter 3ta into Project Name field. You could check the Public checkbox to make your repository publicly available. In this demo we will keep the repository private.
Carvel Tools
Carvel provides a set of reliable, single-purpose, composable tools that aid in your application building, configuration, and deployment to Kubernetes, which can be downloaded from http://carvel.dev
We will use imgpkg to manipulate our images, a tool that packages your Kubernetes configuration and dependent OCI images as one OCI artifact: a bundle.
Follow the installation instructions to install carvel tools on your management machine.
Pushing images to Harbor Image Registry
Login to your management machine where you have installed the Carvel tools. In this demo, we use a Ubuntu VM.
Run the following commands to copy application images into a local tar file:
- imgpkg copy -i jswolf059/developer-utilities-backend:latest --to-tar=/tmp/backend.tar
- imgpkg copy -i jswolf059/developer-utilities-frontend:latest --to-tar=/tmp/frontend.tar
Create a ca.crt file in following path and paste in the registry certificate you have downloaded earlier:
- sudo vi /etc/docker/certs.d/harbor.vmw.lab/ca.crt
Note: if this is your first time connecting to the Harbor instance you may need to login using docker login command:
- docker login harbor.vmw.lab
Use imgpkg copy to upload the local tar files to the Harbor image registry:
- imgpkg copy --tar /tmp/backend.tar --to-repo=harbor.vmw.lab/3ta/backend --registry-ca-cert-path /etc/docker/certs.d/harbor.vmw.lab/ca.crt
- imgpkg copy --tar /tmp/frontend.tar --to-repo=harbor.vmw.lab/3ta/frontend --registry-ca-cert-path /etc/docker/certs.d/harbor.vmw.lab/ca.crt
Back in Harbor, verify that both backend and frontend bundles have been added to the 3ta project.
See this episode in action
Before you go
In this episode, we have shown you how you can deploy Contour and Harbor as Supervisor Services. We also uploaded container images to Harbor in preparation for the next episode.
For more episodes visit the Supervisor Series Activity Path.
Subscribe to our VMware vSphere YouTube channel to get notified as soon as we release new episodes.
Thank you and see you soon!