debian-mirror-gitlab/doc/user/project/integrations/harbor.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

109 lines
4.3 KiB
Markdown
Raw Normal View History

2022-05-07 20:08:51 +05:30
---
2022-11-25 23:54:43 +05:30
stage: Manage
2022-05-07 20:08:51 +05:30
group: Integrations
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2022-05-07 20:08:51 +05:30
---
2023-04-23 21:23:45 +05:30
# Harbor **(FREE)**
2022-05-07 20:08:51 +05:30
2022-06-21 17:19:12 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80999) in GitLab 14.9.
2023-05-27 22:25:52 +05:30
You can use Harbor as the container registry for your GitLab project.
2022-05-07 20:08:51 +05:30
2023-05-27 22:25:52 +05:30
[Harbor](https://goharbor.io/) is an open-source registry that can help you manage artifacts across cloud-native compute platforms like Kubernetes and Docker.
2022-05-07 20:08:51 +05:30
2023-05-27 22:25:52 +05:30
The Harbor integration can help you if you need GitLab CI/CD and a container image repository.
2022-05-07 20:08:51 +05:30
## Prerequisites
In the Harbor instance, ensure that:
- The project to be integrated has been created.
2023-03-17 16:20:25 +05:30
- The authenticated user has permission to pull, push, and edit images in the Harbor project.
2022-05-07 20:08:51 +05:30
## Configure GitLab
GitLab supports integrating Harbor projects at the group or project level. Complete these steps in GitLab:
2022-10-11 01:57:18 +05:30
1. On the top bar, select **Main menu > Projects** and find your project.
2022-05-07 20:08:51 +05:30
1. On the left sidebar, select **Settings > Integrations**.
1. Select **Harbor**.
1. Turn on the **Active** toggle under **Enable Integration**.
1. Provide the Harbor configuration information:
- **Harbor URL**: The base URL of Harbor instance which is being linked to this GitLab project. For example, `https://harbor.example.net`.
2022-07-23 23:45:48 +05:30
- **Harbor project name**: The project name in the Harbor instance. For example, `testproject`.
2022-05-07 20:08:51 +05:30
- **Username**: Your username in the Harbor instance, which should meet the requirements in [prerequisites](#prerequisites).
- **Password**: Password of your username.
1. Select **Save changes**.
After the Harbor integration is activated:
2022-08-27 11:52:29 +05:30
- The global variables `$HARBOR_USERNAME`, `$HARBOR_HOST`, `$HARBOR_OCI`, `$HARBOR_PASSWORD`, `$HARBOR_URL`, and `$HARBOR_PROJECT` are created for CI/CD use.
2022-05-07 20:08:51 +05:30
- The project-level integration settings override the group-level integration settings.
2022-10-11 01:57:18 +05:30
## Security considerations
### Secure your requests to the Harbor APIs
2022-05-07 20:08:51 +05:30
For each API request through the Harbor integration, the credentials for your connection to the Harbor API use
2022-06-21 17:19:12 +05:30
the `username:password` combination. The following are suggestions for safe use:
2022-05-07 20:08:51 +05:30
- Use TLS on the Harbor APIs you connect to.
- Follow the principle of least privilege (for access on Harbor) with your credentials.
- Have a rotation policy on your credentials.
2022-08-27 11:52:29 +05:30
2022-10-11 01:57:18 +05:30
### CI/CD variable security
Malicious code pushed to your `.gitlab-ci.yml` file could compromise your variables, including
`$HARBOR_PASSWORD`, and send them to a third-party server. For more details, see
[CI/CD variable security](../../../ci/variables/index.md#cicd-variable-security).
2022-08-27 11:52:29 +05:30
## Examples of Harbor variables in CI/CD
### Push a Docker image with kaniko
For more information, see [Use kaniko to build Docker images](../../../ci/docker/using_kaniko.md).
```yaml
docker:
stage: docker
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: ['']
script:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"${HARBOR_HOST}\":{\"auth\":\"$(echo -n ${HARBOR_USERNAME}:${HARBOR_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json
- >-
/kaniko/executor
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/Dockerfile"
--destination "${HARBOR_HOST}/${HARBOR_PROJECT}/${CI_PROJECT_NAME}:${CI_COMMIT_TAG}"
rules:
- if: $CI_COMMIT_TAG
```
### Push a Helm chart with an OCI registry
Helm supports OCI registries by default. OCI is supported in [Harbor 2.0](https://github.com/goharbor/harbor/releases/tag/v2.0.0) and later.
Read more about OCI in Helm's [blog](https://helm.sh/blog/storing-charts-in-oci/) and [documentation](https://helm.sh/docs/topics/registries/#enabling-oci-support).
```yaml
helm:
stage: helm
image:
name: dtzar/helm-kubectl:latest
entrypoint: ['']
variables:
# Enable OCI support (not required since Helm v3.8.0)
HELM_EXPERIMENTAL_OCI: 1
script:
# Log in to the Helm registry
- helm registry login "${HARBOR_URL}" -u "${HARBOR_USERNAME}" -p "${HARBOR_PASSWORD}"
# Package your Helm chart, which is in the `test` directory
- helm package test
# Your helm chart is created with <chart name>-<chart release>.tgz
# You can push all building charts to your Harbor repository
- helm push test-*.tgz ${HARBOR_OCI}/${HARBOR_PROJECT}
```