What access type should I choose to managed Harbor?¶
When creating a managed Harbor, you need to choose an access type. Currently, there are two supported types: Ingress and NodePort.
The table below explains the advantages and disadvantages of these two access types:
| Ingress | NodePort | |
|---|---|---|
| Advantages |
|
|
| Disadvantages |
|
|
Tip
- In production environments, we recommend using the Ingress method because Ingress supports the use of HTTPS protocols. You can use self-signed certificates or purchase certificates to avoid the need for configuring non-secure repositories when pulling images.
- In testing environments, we recommend using the NodePort method because it doesn't depend on any components and allows for quick service startup for demos and trials.
Ingress¶
Prerequisites:
- The cluster must have an Ingress component installed, such as Nginx, Traefik, HAProxy, etc. For specific installation methods, please refer to the Ingress documentation.
- The cluster must have a DNS service installed, such as CoreDNS, KubeDNS, Bind, etc. For specific installation methods, please refer to the DNS documentation.
- The cluster must have a LoadBalancer component installed, such as MetalLB and F5. For specific installation methods, please refer to the LoadBalancer documentation.
Ingress Flow
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on Ingress resources. The following diagram illustrates the flow of using Ingress in managed Harbor:
flowchart LR
subgraph cluster[Cluster]
direction LR
ingress[Ingress] -->|Routing Rules| harbor[Harbor Service]
harbor --> pod1[Pod]
harbor --> pod2[Pod]
end
client([Client]) -.->|Expose Services via LB or NodePort| ingress
classDef plain fill:#ddd,stroke:#fff,stroke-width:1px,color:#000;
classDef k8s fill:#326ce5,stroke:#fff,stroke-width:1px,color:#fff;
classDef cluster fill:#fff,stroke:#bbb,stroke-width:1px,color:#326ce5;
class client plain;
class ingress,harbor,pod1,pod2 k8sFor private cloud, after deploying managed Harbor with Ingress, you need to add domain name resolution to the DNS service. This maps the domain name to the IP address of the LoadBalancer, allowing users to access Harbor using the domain name. Adding DNS domain name resolution requires separate operations inside and outside the Kubernetes cluster, as described below:
Adding DNS domain name resolution inside the Kubernetes cluster¶
In the Kubernetes cluster, you need to add DNS domain name resolution in the CoreDNS component. Follow these steps:
-
Access the CoreDNS ConfigMap:
-
Edit the ConfigMap and add the
harbor.example.comresolution to the LoadBalancer IP address:Note
harbor.example.comis a user-defined domain name, and the LoadBalancer IP address is the Ingress IP address. -
Save and exit. This will recreate the CoreDNS Pod:
Adding DNS domain name resolution outside the Kubernetes cluster¶
Outside the cluster, you can deploy a separate CoreDNS component to handle DNS domain name resolution and configure the domain name. Follow the same steps as described above.
If the domain name is public, the above steps are not necessary as public domain names are already resolved.
NodePort¶
NodePort is a way to access services in a Kubernetes cluster. It opens a port on each Node and forwards traffic to the port of the Service. The following diagram illustrates the flow of using NodePort in Kubernetes:
flowchart LR
subgraph cluster[Cluster]
direction LR
harbor[Harbor Service]
harbor --> pod1[Pod]
harbor --> pod2[Pod]
end
client([Client]) -.->|Expose Services via NodePort| harbor
classDef plain fill:#ddd,stroke:#fff,stroke-width:1px,color:#000;
classDef k8s fill:#326ce5,stroke:#fff,stroke-width:1px,color:#fff;
classDef cluster fill:#fff,stroke:#bbb,stroke-width:1px,color:#326ce5;
class client plain;
class ingress,harbor,pod1,pod2 k8s