# Harbor HA on Kubernetes Installation Guide

This document describes how to deploy a highly available (HA) Harbor registry on Kubernetes with Helm, integrated with an existing PostgreSQL cluster and NFS storage.

---

## 1. Architecture

* **Deployment method**: Helm chart (`goharbor/harbor`)
* **Database**: external PostgreSQL cluster (`10.10.0.83` VIP)
* **Redis**: internal Redis cluster (managed by Helm)
* **Storage**: NFS (`nfs-airflow` StorageClass)
* **Ingress**: NodePort + external HAProxy (`10.10.0.83`)

---

## 2. Prerequisites

### 2.1 Create the databases

Harbor needs several databases. Run the following on the PostgreSQL primary node:

```bash
# Connect to the DB
psql -h 10.10.0.83 -p 5000 -U postgres
```

```sql
-- Create the user
CREATE USER harbor WITH PASSWORD 'harbor_password';

-- Create the databases
CREATE DATABASE registry OWNER harbor;
CREATE DATABASE notary_server OWNER harbor;
CREATE DATABASE notary_signer OWNER harbor;
CREATE DATABASE trivy OWNER harbor;

-- Grant privileges (if needed)
GRANT ALL PRIVILEGES ON DATABASE registry TO harbor;
GRANT ALL PRIVILEGES ON DATABASE notary_server TO harbor;
GRANT ALL PRIVILEGES ON DATABASE notary_signer TO harbor;
GRANT ALL PRIVILEGES ON DATABASE trivy TO harbor;
```

### 2.2 Add the Helm chart repository

```bash
helm repo add harbor https://helm.goharbor.io
helm repo update
```

---

## 3. Configure values.yaml

Create `values-harbor.yml` and set the high-availability parameters and the external connections.

```bash
vi values-harbor.yml
```

```yaml
expose:
  type: nodePort
  tls:
    enabled: true
    autoRedirect: true
    auto:
      # Required by the chart when expose.type is not ingress and the
      # certificate is auto-generated
      commonName: "10.10.0.83"
  # Pin the NodePorts so HAProxy can forward to them
  # (must be inside the K8s NodePort range 30000-32767)
  nodePort:
    ports:
      http:
        nodePort: 30002
      https:
        nodePort: 30003

externalURL: https://10.10.0.83:443 # HAProxy VIP

persistence:
  persistentVolumeClaim:
    registry:
      storageClass: "nfs-airflow" # the SC created for Airflow
      size: 50Gi
      accessMode: ReadWriteMany
    jobservice:
      storageClass: "nfs-airflow"
      size: 1Gi
      accessMode: ReadWriteMany
    database:
      storageClass: "nfs-airflow" # only needed when using the built-in DB
      size: 1Gi
    redis:
      storageClass: "nfs-airflow"
      size: 1Gi
    trivy:
      storageClass: "nfs-airflow"
      size: 5Gi

# Use the external PostgreSQL
database:
  type: external
  external:
    host: "10.10.0.83"
    port: "5000"
    username: "harbor"
    password: "harbor_password"
    coreDatabase: "registry"
    # If the Notary features are enabled, configure the following DBs
    # notaryServerDatabase: "notary_server"
    # notarySignerDatabase: "notary_signer"

# Use the built-in Redis (HA)
redis:
  type: internal
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v2.5.0
    nodeSelector: {}

# Component replica counts (HA)
portal:
  replicas: 2
core:
  replicas: 2
jobservice:
  replicas: 2
registry:
  replicas: 2

# Persistence for the built-in DB/Redis can be turned off (for a fully stateless setup),
# but keeping Redis persistent is still recommended
```

---

## 4. Deploy Harbor

```bash
# Create the namespace
kubectl create namespace harbor

# Install
helm install harbor harbor/harbor \
  --namespace harbor \
  -f values-harbor.yml \
  --version 1.12.0  # pinning a stable version is recommended
```

Check the Pod status:

```bash
kubectl get pods -n harbor -w
```

Wait until every Pod is `Running`.

---

## 5. Configure HAProxy

To let external clients reach Harbor through the VIP, add forwarding rules on **every HAProxy node** (`/etc/haproxy/haproxy.cfg`).

### 5.1 Edit `haproxy.cfg`

Add the following listeners:

```haproxy
# Harbor HTTP
frontend harbor_http
    bind *:80
    mode tcp
    default_backend harbor_http_back

backend harbor_http_back
    mode tcp
    balance roundrobin
    server node1 10.10.0.85:30002 check
    server node2 10.10.0.87:30002 check
    server node3 10.10.0.89:30002 check

# Harbor HTTPS
frontend harbor_https
    bind *:443
    mode tcp
    default_backend harbor_https_back

backend harbor_https_back
    mode tcp
    balance roundrobin
    server node1 10.10.0.85:30003 check
    server node2 10.10.0.87:30003 check
    server node3 10.10.0.89:30003 check
```

### 5.2 Restart HAProxy

```bash
sudo systemctl restart haproxy
```

---

## 6. Verification

1. Open `https://10.10.0.83` in a browser.
2. Default account: `admin`, default password: `Harbor12345` (can be changed in values.yaml).
3. Test Docker login:

   ```bash
   docker login 10.10.0.83
   ```

4. Push an image to test:

   ```bash
   docker tag nginx:alpine 10.10.0.83/library/nginx:hah
   docker push 10.10.0.83/library/nginx:hah
   ```
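
The database password in `values-harbor.yml` and the default `admin` password in step 6 are sample values. The following added example (not part of the original guide; the function names and the `harbor-secrets.yml` file name are assumptions) generates random credentials, writes them to a separate owner-only overrides file, and refuses to install while a sample password is still present in the base values file:

```bash
#!/bin/sh
# Added example, not part of the original guide. File and function names are
# assumptions; harborAdminPassword and database.external.password are chart values.

# Print 2*N hex characters from the kernel CSPRNG (default N=16, i.e. 128 bits).
gen_secret() {
  od -An -v -N"${1:-16}" -tx1 /dev/urandom | tr -d ' \n'
}

# Succeed if the file still contains one of the guide's sample passwords.
has_placeholder_secret() {
  grep -Eq 'harbor_password|Harbor12345' "$1"
}

# Write a Helm overrides file that only the current user can read.
# $1 = output path, $2 = database password, $3 = Harbor admin password
write_secret_overrides() {
  (
    umask 077
    cat > "$1" <<EOF
harborAdminPassword: "$3"
database:
  external:
    password: "$2"
EOF
  )
}

# Refuse to install while the base values file carries a sample password;
# otherwise layer the overrides file on top of it (later -f files win).
# $1 = base values file, $2 = overrides path, $3 = database password
deploy_harbor() {
  if has_placeholder_secret "$1"; then
    echo "refusing to deploy: $1 still contains a sample password" >&2
    return 1
  fi
  write_secret_overrides "$2" "$3" "$(gen_secret)"
  helm install harbor harbor/harbor --namespace harbor \
    -f "$1" -f "$2" --version 1.12.0
}

# Usage (needs helm and cluster access, so nothing runs when this file is sourced):
#   DB_PW=$(gen_secret)      # set the same value for the harbor role, e.g. with
#                            # \password harbor inside psql
#   deploy_harbor values-harbor.yml harbor-secrets.yml "$DB_PW"
```

Remove the `password:` line from `values-harbor.yml` before calling `deploy_harbor`, and keep `harbor-secrets.yml` out of version control.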