Overview of Harbor Architecture and Components in Cloud Infrastructure
Architectural Overview of Cloud Infrastructure
We can categorize the architecture of Harbor into several components that interact seamlessly to provide a comprehensive container registry solution. These components fall into the following categories:
- Consumers: This category includes all clients and client interfaces that interact with Harbor.
- Fundamental Services: These are the core functionalities that are part of the Harbor project, along with key third-party projects that are essential to the overall package.
- Data Access Layer: This layer consists of various data stores that Harbor utilizes.
- Identity Providers: These are external authentication provider extensions that integrate with Harbor.
- Scan Providers: This includes external image CVE scanner extensions that Harbor can utilize.
- Replicated Registry Providers: These are external image replication extensions that Harbor can leverage for image management.
The following sections will explore these components in detail, providing insights into their roles and functionalities within the Harbor architecture.
Key Components of Harbor in Cloud Infrastructure
Harbor Core
The Harbor Core is the heart of the Harbor architecture. It comprises several modules that provide key capabilities. These capabilities include API management, authentication, and authorization. The core also supports multitenancy, configuration management, and artifact management.
In a Kubernetes deployment, the core modules are deployed as a Kubernetes deployment resource named my-harbor-core, which is exposed as a Kubernetes service resource with the same name.
Harbor Job Service
The Job Service is an asynchronous task execution engine. It exposes REST APIs for other components to submit job requests; for example, it runs the jobs that perform image scanning. This microservice is deployed as a Kubernetes deployment resource named my-harbor-jobservice.
Harbor Portal
The Harbor Portal is the graphical user interface (GUI) for users to interact with the Harbor registry. It provides screens for managing images and performing administrative tasks. Harbor supports all operations via a REST API interface for automation purposes. The portal is deployed as a Kubernetes deployment resource named my-harbor-portal.
Harbor Registry in Cloud Infrastructure
The Harbor Registry is based on the open-source project Distribution. It implements the standards defined by the OCI Distribution Specification. The registry is responsible for packing, shipping, storing, and delivering container images. It is deployed as a Kubernetes deployment resource named my-harbor-registry.
PostgreSQL Database
Harbor uses PostgreSQL as its main database to store configurations and metadata. This includes data related to projects, users, policies, scanners, charts, and images. It is deployed as a stateful set on Kubernetes called my-harbor-postgresql.
Redis Cache
Redis is utilized as a key-value store to cache metadata required by the job service. It is also deployed as a stateful set on Kubernetes, named my-harbor-redis-master.
Trivy Scanner
Trivy is the default image CVE scanner integrated with Harbor. It scans images for known vulnerabilities and produces detailed reports. Trivy is deployed as a Kubernetes deployment resource named my-harbor-trivy.
Notary
Notary provides content trust capabilities through image signing. It consists of two main components: the Notary server and the Notary signer. The server stores content metadata and ensures its validity. The signer manages private signing keys and performs signing operations. These components are deployed as my-harbor-notary-server and my-harbor-notary-signer.
Chart Museum
Harbor supports storing Helm charts through Chart Museum, an open-source project for Helm chart repositories. It is deployed as a Kubernetes deployment resource named my-harbor-chartmuseum.
Data Access Layer in Cloud Infrastructure
The Data Access Layer in Harbor consists of the data stores introduced above: PostgreSQL for configuration and metadata (projects, users, policies, scan results), Redis for the job service's cached metadata, and the registry's backend storage for the image layers themselves. Keeping metadata separate from blob storage lets each store be scaled, backed up, and access-controlled on its own.
Identity Providers
Harbor supports integration with external identity providers for authentication. This includes LDAP/Active Directory services and OpenID Connect (OIDC) providers. By integrating with these identity providers, Harbor can manage user accounts and authentication requests, enhancing security and usability.
Scan Providers
Harbor allows for the integration of external image scanning tools. While Trivy is the default scanner, Harbor supports other scanners such as Clair, Anchore, Aqua, DoSec, Sysdig Secure, and Tensor Security. This extensibility allows organizations to choose their preferred scanning solution based on specific needs.
Replicated Registry Providers in Cloud Infrastructure
Harbor supports image replication across different registries. This feature is useful for organizations that require controlled access to images from multiple sources. By configuring replication rules, Harbor can pull images from external repositories like Docker Hub and push them to internal registries. This ensures that users have access to authorized images without directly accessing external sources.
Security Features
Harbor is designed with security in mind. It provides several features to enhance the security posture of container images, including:
- Image Scanning: Harbor scans images for vulnerabilities. It provides detailed reports, allowing users to identify and remediate security issues before deployment.
- Role-Based Access Control (RBAC): Harbor implements RBAC to manage user permissions at both the project and system levels.
- Image Signing: By integrating with Notary, Harbor allows users to sign images, ensuring that only verified images are deployed in production environments.
- Policy Enforcement: Harbor enables administrators to create policies that restrict the use of images based on their vulnerability status.
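The "Image Signing" and "Policy Enforcement" gates above can be reasoned about together: a pull is allowed only if the artifact satisfies both the project's content-trust setting and its vulnerability threshold. The following is an added example, not code from the Harbor project or this post; it mirrors the project metadata keys and scan-overview shape of the Harbor v2.0 API from memory (prevent_vul, severity, enable_content_trust), and the signed flag and all sample data are constructed inline.

```python
"""Added example: evaluate Harbor-style pull gates offline on constructed data."""

# Harbor's severity scale; unscanned artifacts are treated as "unknown", never as clean.
SEVERITY_RANK = {"none": 0, "unknown": 1, "negligible": 2, "low": 3,
                 "medium": 4, "high": 5, "critical": 6}
VULN_REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"


def highest_severity(artifact):
    """Worst severity from the artifact's scan overview, or "unknown" if no successful scan."""
    overview = artifact.get("scan_overview", {}).get(VULN_REPORT_MIME)
    if not overview or overview.get("scan_status") != "Success":
        return "unknown"
    return overview.get("severity", "none").lower()


def evaluate_pull(project_meta, artifact):
    """Return (allowed, reasons) for pulling `artifact` under `project_meta`.

    Project metadata values are strings ("true"/"false"), as the Harbor API returns them.
    """
    reasons = []
    # Content trust: signed flag is an assumed, constructed field for this example.
    if project_meta.get("enable_content_trust") == "true" and not artifact.get("signed", False):
        reasons.append("content trust is enabled but the artifact is unsigned")
    # Vulnerability policy: block when the worst finding meets or exceeds the threshold.
    if project_meta.get("prevent_vul") == "true":
        threshold = project_meta.get("severity", "high").lower()
        worst = highest_severity(artifact)
        if worst == "unknown":
            reasons.append("no successful scan result, so the artifact cannot be shown to be below threshold")
        elif SEVERITY_RANK.get(worst, 1) >= SEVERITY_RANK.get(threshold, 5):
            reasons.append(f"highest severity {worst} meets the prevent_vul threshold {threshold}")
    return (not reasons, reasons)


# Constructed sample data shaped like Harbor API responses (not captured from a real instance).
PROD_PROJECT_META = {"enable_content_trust": "true", "prevent_vul": "true", "severity": "high"}
SIGNED_MEDIUM = {"signed": True, "scan_overview": {VULN_REPORT_MIME: {
    "scan_status": "Success", "severity": "Medium", "summary": {"summary": {"Medium": 3}}}}}
UNSIGNED_CRITICAL = {"signed": False, "scan_overview": {VULN_REPORT_MIME: {
    "scan_status": "Success", "severity": "Critical", "summary": {"summary": {"Critical": 1}}}}}
SIGNED_UNSCANNED = {"signed": True, "scan_overview": {}}

if __name__ == "__main__":
    for name, art in [("signed/medium", SIGNED_MEDIUM), ("unsigned/critical", UNSIGNED_CRITICAL),
                      ("signed/unscanned", SIGNED_UNSCANNED)]:
        print(name, evaluate_pull(PROD_PROJECT_META, art))
```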
Operational Control in Cloud Infrastructure with Harbor
Harbor provides operational control features for effective registry management. These features include:
- Multi-Tenancy: Harbor supports multi-tenancy, allowing different teams to manage their own projects and resources while sharing the same Harbor instance.
- Storage Quotas: Administrators can configure storage quotas for different teams to monitor and control resource usage.
- Webhook Configurations: Harbor allows for webhook configurations to trigger CI/CD pipelines based on specific events.
- Garbage Collection: Harbor includes a garbage collection routine to clean up untagged artifacts.
Getting Started with Harbor in Cloud Infrastructure
Users can deploy Harbor on a Kubernetes cluster using Helm charts to get started. The installation process involves adding the Bitnami Helm repository, creating a namespace for Harbor, and deploying the Helm chart. Once deployed, users can access the Harbor portal and begin managing their container images.
- Add Bitnami Helm Repository:
helm repo add bitnami https://charts.bitnami.com/bitnami
- Create a Namespace:
kubectl create namespace harbor
- Install Harbor:
helm install my-harbor bitnami/harbor -n harbor
- Access Harbor: After installation, users can access the Harbor portal and log in with the provided credentials.
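The steps above as a single script, added here as an example rather than taken from the post or the Bitnami chart: it creates the namespace idempotently, sets the admin password explicitly instead of relying on the chart default, and waits for the deployments named earlier in this post to roll out. It assumes the Bitnami chart's adminPassword value; HARBOR_ADMIN_PASSWORD and RUN_HARBOR_INSTALL are variables defined by this script, not Harbor conventions.

```shell
#!/usr/bin/env sh
# Added example: scripted Harbor install on Kubernetes (not from the original post).
set -eu

NAMESPACE="harbor"
RELEASE="my-harbor"

# Deployments the post lists; the Helm release name prefixes each of them.
harbor_deployments() {
    for d in core jobservice portal registry trivy; do
        printf '%s-%s\n' "$RELEASE" "$d"
    done
}

install_harbor() {
    # Refuse to install with the chart's default admin password.
    : "${HARBOR_ADMIN_PASSWORD:?set HARBOR_ADMIN_PASSWORD before installing}"
    helm repo add bitnami https://charts.bitnami.com/bitnami
    helm repo update
    # Idempotent namespace creation: safe to rerun.
    kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
    # adminPassword is assumed to be the Bitnami chart value for the initial admin login.
    helm upgrade --install "$RELEASE" bitnami/harbor -n "$NAMESPACE" \
        --set adminPassword="$HARBOR_ADMIN_PASSWORD"
}

wait_for_harbor() {
    harbor_deployments | while read -r deploy; do
        kubectl rollout status "deployment/$deploy" -n "$NAMESPACE" --timeout=300s
    done
}

# Only touch a cluster when explicitly asked, so the file is safe to source or lint.
if [ "${RUN_HARBOR_INSTALL:-0}" = "1" ]; then
    install_harbor
    wait_for_harbor
fi
```

Run it with RUN_HARBOR_INSTALL=1 and HARBOR_ADMIN_PASSWORD set against a cluster where helm and kubectl are already configured.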
Conclusion
Harbor is a powerful and flexible container registry that provides a comprehensive solution for managing container images within cloud infrastructure. Its architecture comprises various components and services, enabling organizations to enhance their security posture. By leveraging Harbor’s capabilities, teams can ensure that their container images are secure, compliant, and readily accessible for deployment in cloud-native environments. Additionally, Harbor supports Docker Registry Caching, optimizing image retrieval and reducing network latency for more efficient container management.
In summary, Harbor stands out as a mature, community-driven project that meets the needs of modern container management. It also provides the extensibility and security features necessary for today’s enterprise environments. As organizations continue to adopt cloud-native technologies, Harbor will play a critical role in managing and securing their containerized applications within cloud infrastructure.