Integrate Harbor into Pipelines

This tutorial demonstrates how to integrate Harbor into KubeSphere pipelines.

Prerequisites

Install Harbor

It is highly recommended that you install Harbor through the App Store of KubeSphere. Alternatively, install Harbor manually through Helm3.

  1. helm repo add harbor https://helm.goharbor.io
  2. # For a quick start, you can expose Harbor by nodeport and disable tls.
  3. # Set externalURL to one of your node ip and make sure it can be accessed by jenkins.
  4. helm install harbor-release harbor/harbor --set expose.type=nodePort,externalURL=http://$ip:30002,expose.tls.enabled=false

Get Harbor Credentials

  1. After Harbor is installed, visit <NodeIP>:30002 and log in to the console with the default account and password (admin/Harbor12345). Click Projects in the left navigation pane and click NEW PROJECT on the Projects page.

  2. In the displayed dialog box, set a name (ks-devops-harbor) and click OK.

  3. Click the project you just created, and click NEW ROBOT ACCOUNT under the Robot Accounts tab.

  4. In the displayed dialog box, set a name (robot-test) for the robot account and click SAVE. Make sure you select the checkbox for pushing artifact in Permissions.

  5. In the displayed dialog box, click EXPORT TO FILE to save the token.

Enable Insecure Registry

You have to configure Docker to disregard security for your Harbor registry.

  1. Run the vim /etc/docker/daemon.json command on your host to edit the daemon.json file, enter the following contents, and save the changes.

    1. {
    2.   "insecure-registries" : ["103.61.38.55:30002"]
    3. }

    Note

    Make sure you replace 103.61.38.55:30002 with your Harbor registry address. The default location of the daemon.json file is /etc/docker/daemon.json on Linux or C:\ProgramData\docker\config\daemon.json on Windows.

  2. Run the following commands to restart Docker for the changes to take effect.

    1. sudo systemctl daemon-reload
    2. sudo systemctl restart docker

    Note

    It is suggested that you use this solution for isolated testing or in a tightly controlled, air-gapped environment. For more information, refer to Deploy a plain HTTP registry. After you finish the above operations, you can also use the images in your Harbor registry when deploying workloads in your project. You need to create an image Secret for your Harbor registry, and then select your Harbor registry and enter the absolute path of your images in Container Settings under the Container Image tab to search for your images.

Create Credentials

  1. Log in to KubeSphere as project-regular, go to your DevOps project and create credentials for Harbor in Credentials under DevOps Project Settings.

  2. On the Create Credentials page, set a credential ID (robot-test) and select Username and password for Type. The Username field must be the same as the value of name in the JSON file you just downloaded and enter the value of token in the file for Password/Token.

  3. Click OK to save it.

Create a Pipeline

  1. Go to the Pipelines page and click Create. In the Basic Information tab, enter a name (demo-pipeline) for the pipeline and click Next.

  2. Use default values in Advanced Settings and click Create.

Edit the Jenkinsfile

  1. Click the pipeline to go to its details page and click Edit Jenkinsfile.

  2. Copy and paste the following contents into the Jenkinsfile. Note that you must replace the values of REGISTRY, HARBOR_NAMESPACE, APP_NAME, and HARBOR_CREDENTIAL with your own values.

    ``` pipeline {
    agent {

    1. node {
    2.   label 'maven'
    3. }

    }

    environment {

    1. // the address of your harbor registry
    2. REGISTRY = '103.61.38.55:30002'
    3. // the project name
    4. // make sure your robot account have enough access to the project
    5. HARBOR_NAMESPACE = 'ks-devops-harbor'
    6. // docker image name
    7. APP_NAME = 'docker-example'
    8. // ‘robot-test’ is the credential ID you created on the KubeSphere console
    9. HARBOR_CREDENTIAL = credentials('robot-test')

    }

    stages {

    1. stage('docker login') {
    2.   steps{
    3.     container ('maven') {
    4.       // replace the Docker Hub username behind -u and do not forget ''. You can also use a Docker Hub token. 
    5.       sh '''echo $HARBOR_CREDENTIAL_PSW | docker login $REGISTRY -u 'robot$robot-test' --password-stdin'''
    6.         }
    7.       }  
    8.     }
    10. stage('build & push') {
    11.   steps {
    12.     container ('maven') {
    13.       sh 'git clone https://github.com/kstaken/dockerfile-examples.git'
    14.       sh 'cd dockerfile-examples/rethinkdb && docker build -t $REGISTRY/$HARBOR_NAMESPACE/$APP_NAME:devops-test .'
    15.       sh 'docker push  $REGISTRY/$HARBOR_NAMESPACE/$APP_NAME:devops-test'
    16.       }
    17.     }
    18.   }
    19. }

    }

  1. ```
  3. Note
  5. You can pass the parameter to `docker login -u` via Jenkins credentials with environment variables. However, every Harbor robot account's username contains a "$" character, which will be converted into "$$" by Jenkins when used by environment variables. [Learn more](https://number1.co.za/rancher-cannot-use-harbor-robot-account-imagepullbackoff-pull-access-denied/).

Run the Pipeline

Save the Jenkinsfile and KubeSphere automatically creates all stages and steps on the graphical editing panel. Click Run to run the pipeline. If everything goes well, the image is pushed to your Harbor registry by Jenkins.