Centrally Managing Cloud Native Artifacts with Harbor
Let’s start with a few cases:
- Do you have to work on a private network and host Docker images internally?
- Are you hitting Docker Hub’s pull rate limit and want to maintain a local cache of it?
- Are you hosting Docker images on multiple cloud providers (AWS, GCP, Azure, etc.) and want a centralized solution?
- The plain Docker registry image has no granular access control; do you need to meet compliance requirements by implementing RBAC?
- Are you looking for a single solution to host Docker images and scan them for vulnerabilities?
- Do you want to centralize artifacts such as Docker images, CNAB-based packages and Helm charts?
If any of these cases applies to you, Harbor could be the solution. Harbor is a cloud native artifact registry that stores different types of artifacts by standardizing on the OCI format. It delivers compliance, performance and interoperability for consistently and securely managing artifacts, including vulnerability scanning.
I was looking for a solution to simply host private Docker images and saw Artifact Registry, which was not such a good fit for my use case because of compliance, and because I would have had to attach multiple pieces like vulnerability scanning, image signing, a single authentication token, etc.
Why I Was Amazed When Checking the Features of Harbor
- Role-based Access Control: Access is granted per project at a granular level with the roles Guest, Developer, Master (renamed Maintainer in Harbor 2.x) and Project Admin. Each user authenticates with their own credentials (and automation with robot accounts), carrying only the access defined by their role in each project.
- Integrated Image Scanning: Harbor integrates with Clair, a static vulnerability analyzer for containers, out of the box, which makes it easy to scan artifacts and act on the scan result (for example, a project can be configured to prevent images with vulnerabilities above a chosen severity from being pulled). Newer Harbor releases (2.x) ship Trivy as the default scanner and let you plug in other scanners through the pluggable scanner API.
- Centralized Caching: Harbor can act as a proxy cache in front of public registries (Docker Hub, ECR, GCR), which saves bandwidth and takes the Docker Hub pull limit out of the critical path. The centralized registry also becomes the single point of interaction for your Kubernetes clusters. Beyond caching, Harbor’s replication feature can push and pull resources between Harbor instances and between Harbor and other registries such as Docker Hub, Docker Registry and the Huawei Cloud registry.
- Support for Other Cloud Native Artifacts: Harbor is not just a Docker registry; being OCI compliant, it supports cloud native artifacts such as container images, Helm charts, OPA bundles and Singularity images, and works with CNAB (Cloud Native Application Bundles).
- OpenID Connect: Harbor integrates with existing enterprise identity solutions to provide single sign-on (SSO) for developers and users. OpenID Connect (OIDC), an authentication layer on top of OAuth 2.0, lets Harbor verify a user’s identity based on authentication performed by an external authorization server or identity provider.
- API Integration: Harbor embeds Swagger UI, so every API can be explored and invoked from the Harbor interface, and anything you do in the UI can be scripted.
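The scanning and API features above come together in a CI gate: fetch the scan report for the artifact you are about to deploy and refuse to ship it if anything exceeds your severity threshold. The following is an added example written for this post, not code from Harbor or from the original author. It assumes the Harbor v2.0 REST API path `/api/v2.0/projects/{project}/repositories/{repo}/artifacts/{reference}/additions/vulnerabilities`, the vulnerability-report JSON shape that endpoint returns (a map keyed by the report media type), basic-auth credentials such as a robot account with pull permission supplied through the `HARBOR_URL`, `HARBOR_PROJECT`, `HARBOR_REPO`, `HARBOR_REF`, `HARBOR_USER` and `HARBOR_SECRET` environment variables, and a constructed sample report with placeholder finding IDs so it also runs without a server.

```python
"""Gate a deployment on a Harbor vulnerability scan report.

Added example, not Harbor's own code. Assumes the Harbor v2.0 API paths
below and the vulnerability-report JSON shape; SAMPLE_REPORT is constructed.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

# Severity scale used by Harbor's report, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"


def _basic_auth(user, secret):
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def artifact_url(base_url, project, repository, reference):
    """Build the artifact URL. Harbor's API wants slashes inside a
    repository name double-encoded, e.g. team/app -> team%252Fapp."""
    repo = urllib.parse.quote(repository, safe="").replace("%2F", "%252F")
    return (f"{base_url.rstrip('/')}/api/v2.0/projects/{project}"
            f"/repositories/{repo}/artifacts/{reference}")


def fetch_report(base_url, project, repository, reference, user, secret):
    """GET the full vulnerability report for one artifact (needs a live Harbor)."""
    url = artifact_url(base_url, project, repository, reference) + "/additions/vulnerabilities"
    req = urllib.request.Request(url, headers=_basic_auth(user, secret))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def findings(report):
    """Return the list of findings, whichever report media-type key Harbor used."""
    for key, body in report.items():
        if key.startswith("application/vnd.security.vulnerability.report"):
            return body.get("vulnerabilities") or []
    raise ValueError("no vulnerability report in response")


def summarize(report):
    """Count findings per severity, e.g. {'Critical': 1, 'High': 1}."""
    return Counter(v.get("severity", "Unknown") for v in findings(report))


def gate(report, max_severity="Medium", ignore_unfixed=True):
    """Return (allowed, offenders).

    Block if any finding is more severe than max_severity. With
    ignore_unfixed=True, findings without a fix_version do not block
    (mirroring the ignore_unfixed knob in harbor.yml) but are still
    visible in summarize(), so they are not silently lost.
    """
    limit = SEVERITY_ORDER.index(max_severity)
    offenders = []
    for v in findings(report):
        too_severe = SEVERITY_ORDER.index(v.get("severity", "Unknown")) > limit
        if too_severe and (v.get("fix_version") or not ignore_unfixed):
            offenders.append(v)
    return len(offenders) == 0, offenders


# Constructed sample report with placeholder IDs (not real CVEs).
SAMPLE_REPORT = {
    REPORT_MIME: {
        "generated_at": "2024-01-01T00:00:00Z",
        "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "v0.0.0"},
        "severity": "Critical",
        "vulnerabilities": [
            {"id": "EXAMPLE-0001", "package": "examplelib", "version": "1.0.0",
             "fix_version": "1.0.1", "severity": "Critical"},
            {"id": "EXAMPLE-0002", "package": "otherlib", "version": "2.3.0",
             "fix_version": "", "severity": "High"},
            {"id": "EXAMPLE-0003", "package": "thirdlib", "version": "0.9.0",
             "fix_version": "0.9.2", "severity": "Low"},
        ],
    }
}


if __name__ == "__main__":
    if os.environ.get("HARBOR_URL"):
        report = fetch_report(os.environ["HARBOR_URL"], os.environ["HARBOR_PROJECT"],
                              os.environ["HARBOR_REPO"], os.environ["HARBOR_REF"],
                              os.environ["HARBOR_USER"], os.environ["HARBOR_SECRET"])
    else:
        report = SAMPLE_REPORT
    allowed, offenders = gate(report)
    print("findings by severity:", dict(summarize(report)))
    for v in offenders:
        print(f"BLOCKING {v['id']} {v['package']} {v['version']} -> fix {v['fix_version'] or 'none'}")
    raise SystemExit(0 if allowed else 1)
```

Run it in the pipeline step that follows `docker push`; a non-zero exit stops the deploy. Pin the reference to the digest you pushed rather than a mutable tag, otherwise the report you gate on may belong to a different image than the one that gets deployed.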
Harbor can be installed either on a bare-metal or VM instance with Docker or inside a Kubernetes cluster. There is a one-script installation process for the former and a Helm chart for deploying the stack inside a k8s cluster, both described in the official docs.
Installation with Docker is also straightforward with the quick install script. You will need to generate an SSL/TLS certificate for the registry hostname first, because a registry exposed over plain HTTP sends credentials and pull tokens across the network in the clear and forces every Docker client to be configured with `insecure-registries`.
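As an added example (not from the original post or from the Harbor project), here is the shape of a minimal `harbor.yml` for the install-script route, with the insecure defaults shown as comments beside the settings you want on anything network-reachable. The hostname, file paths and passwords are placeholders; the field names follow the `harbor.yml.tmpl` template that ships with the Harbor 2.x installer.

```yaml
# harbor.yml (placeholder values)
hostname: harbor.example.com          # must match the certificate's SAN; never localhost/127.0.0.1

http:
  port: 80                            # with https configured, nginx only redirects this to 443

# Weak: leaving the https block commented out serves the registry over plain HTTP.
# https:
#   port: 443

# Corrected: terminate TLS with the certificate generated for the hostname above.
https:
  port: 443
  certificate: /etc/harbor/certs/harbor.example.com.crt
  private_key: /etc/harbor/certs/harbor.example.com.key

# Weak: the template ships with Harbor12345. This value is only read on the first
# start, so change it before running install.sh (later changes go through the UI/API).
harbor_admin_password: change-me-before-install

database:
  password: change-me-too

data_volume: /data

trivy:
  ignore_unfixed: false               # keep unfixed findings visible; decide policy downstream
  skip_update: false                  # keep the vulnerability database refreshing
  insecure: false
```

With the file in place, `sudo ./install.sh --with-trivy` brings the stack up (Harbor 1.x used `--with-clair` for the scanner). Docker clients only trust the registry once the certificate (or its issuing CA) is copied to `/etc/docker/certs.d/harbor.example.com/` on each host.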
Helm Charts Repository
Just like for Docker images, Harbor is also a home for Helm charts, covered by the same RBAC. A new chart can be added both through the UI and the Helm CLI. In Harbor 2.x, charts can be stored as OCI artifacts alongside images and pushed with `helm push` to an `oci://` URL; the older ChartMuseum-backed chart repository was deprecated and removed in later releases.