Setting up a Harbor registry in an air-gapped environment and synchronizing it with BMC Helix DTR


The container images for BMC Helix Intelligent Integrations on-premises gateway are hosted on the BMC Helix Docker Trusted Registry (DTR), which is available at hub.docker.com. You can access these images from an environment that is disconnected or physically isolated from unsecured networks, such as the public internet. Such environments are called air-gapped environments.

Important
  • The instructions provided in this topic use Harbor as a container registry product, which is an open-source registry that secures artifacts with policies and role-based access control. However, you can use other registry products.
  • BMC Helix does not supply or support Harbor or any other registry product. You can install, configure, and maintain any registry product according to your requirements.

Before you begin

  • Download the key to access the container images from the BMC Electronic Product Distribution (EPD) site. 
    For more information, see Downloading the container access key.

  • Make sure that your system meets the following requirements to set up a Harbor registry:

    • Software: To learn about software requirements for Harbor, see Harbor Installation Prerequisites in the Harbor documentation.
      Important: Make sure the software versions match the version of Harbor that you want to install.
    • Network port:
      • Port 443 with HTTPS protocol
      • Port 4443 with HTTPS protocol
      • Port 80 with HTTP protocol
    • Hardware: Minimum 4 CPUs with 8 GB memory and 50 GB disk space

To set up a Harbor registry in an air-gapped environment and synchronize it with BMC Helix DTR

  1. Set up a Harbor registry in a local network and synchronize it with BMC Helix DTR:
    1. Create a Harbor registry:
      1. In your local system, download Harbor by using the following command:
        wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz
        For example:
        wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz

      2. Run the following command to unzip the TAR file:
        tar xvzf harbor-offline-installer*.tgz

      3. Go to the Harbor directory by using the following command:
        cd harbor

      4. Copy the configuration template by using the following command:
        cp harbor.yml.tmpl harbor.yml

      5. In the harbor.yml file, update the values for the following parameters:
        • hostname: Specify the name of the system where you want to install Harbor.
        • harbor_admin_password: Specify the password for the Harbor system administrator.
          The harbor.yml file ships with a default value for harbor_admin_password. You can modify the password if needed.
        • database password: Specify the root password for the local database.
          The harbor.yml file contains a default database password. You can modify the password.
      6. Configure Harbor registry by using self-signed SSL certificates.
        See Configure HTTPS Access to Harbor in the Harbor documentation.

      7. Add the Harbor certificate to the trust store on all your Kubernetes or OpenShift nodes.
        Follow the Kubernetes or OpenShift documentation appropriate for your distribution.
      8. Run the following command to install the Harbor registry:
        ./install.sh

      9. Log in to verify that you can access the Harbor registry.
        Use the admin username and password to log in.

        Important

        The default Harbor installation does not include Notary and Clair services that are used for vulnerability scanning.

    2. Configure the Harbor registry:
      1. In the Harbor admin UI, from the Administration menu, select Registries.
      2. Click NEW ENDPOINT, and enter the following information:

        • Provider: Docker Registry
        • Endpoint URL: https://registry-1.docker.io
        • Access ID: Support user ID that you use to log in to EPD.
        • Access Secret: The Personal Access Token (PAT) that you generated from Docker.
          For information on generating the token, see Downloading the container access key.
          The following figure shows a sample configuration:
          [Figure: sample registry endpoint configuration]
      3. Click OK.
        The configuration is saved, and the configuration status is displayed as Healthy.
        [Figure: registry configuration status]
      4. Note the configuration to use it in a replication rule to synchronize your local Harbor registry and BMC Helix DTR.
    3. Synchronize the local Harbor registry with BMC Helix DTR:
      1. Log on to the local Harbor registry.
      2. Perform the following steps to create a new project:
        1. Select Projects and then click NEW PROJECT.
        2. In the New Project window, specify the following values:
          • Project Name: Enter a name; for example, helixiigw.
          • Access Level: Select the Public option.
        3. Click OK.
      3. Log on to the controller host where kubectl, Helm, and Docker Engine are installed.
      4. Log on to BMC Helix DTR by using the login command and the credentials created when generating the token.
        For information on generating the token, see Downloading the container access key.
      5. Log on to the local Harbor registry:
        docker login <localHarborHost> -u <userName> -p <password>
      6. Create a temporary directory on the controller host.
      7. Download the attached script, push_to_custom_repo.sh, and copy it to the temporary directory.
      8. Grant the execute permission on the script:
        chmod -Rf 755 push_to_custom_repo.sh
      9. Open the script by using a text editor and update the following parameters:

        • ENVIRONMENT: Specify one of the following values:
          • KUBERNETES
          • OPENSHIFT
        • IMAGE_REGISTRY_HOST: Specify the host name of your local Harbor registry.
          Important: Do not specify the host path name; specify only the host name.
          For example, IMAGE_REGISTRY_HOST=value-investing.cluster.abc.com.
        • IMAGE_REGISTRY_PROJECT: Specify the name of the project that you created; for example, helixiigw.
        • IMAGE_REGISTRY_ORG: Specify a name for the local Harbor registry org. For example, IIGW01.
          Images are synced to the local Harbor registry in the following format:
          IMAGE_REGISTRY_HOST/IMAGE_REGISTRY_PROJECT/IMAGE_REGISTRY_ORG:<imageName>-<tag>
          For example, value-investing.cluster.abc.com/helixiigw/IIGW01:hii-mediator-service-26.1.0-104GAB11SHA91a358b1

      10. Run the script by using the following command:
        ./push_to_custom_repo.sh

      11. After the container images are successfully uploaded, delete them from the local Docker image cache on the controller host (docker image prune -a removes every image that is not used by a container):
        docker image prune -a
  2. Set up a Harbor registry in an air-gapped environment or DMZ:

    1. Create a Harbor registry:
      1. In your local system, download Harbor by using the following command:
        wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz

        For example:
        wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz

      2. Run the following command to unzip the TAR file:
        tar xvzf harbor-offline-installer*.tgz

      3. Go to the Harbor directory by using the following command:
        cd harbor

      4. Copy the configuration template by using the following command:
        cp harbor.yml.tmpl harbor.yml

      5. In the harbor.yml file, update the values for the following parameters:
        • hostname: Specify the name of the host where you want to install Harbor.
        • harbor_admin_password: Specify the password for the Harbor system administrator.
          The harbor.yml file ships with a default value for harbor_admin_password. You can modify the password if needed.
        • database password: Specify the root password for the local database.
          The harbor.yml file contains a default database password, which you can modify.
      6. Configure Harbor registry by using self-signed SSL certificates.
        See Configure HTTPS Access to Harbor in the Harbor documentation.

      7. Add the Harbor certificate to the trust store on all your Kubernetes or OpenShift nodes.
        Follow the Kubernetes or OpenShift documentation appropriate for your distribution.
      8. Run the following command to install the Harbor registry:
        ./install.sh

      9. Log in to verify that you can access the Harbor registry.
        Use the admin username and password to log in.

        Important

        The default Harbor installation does not include Notary and Clair services that are used for vulnerability scanning.

  3. Configure the Harbor registry:
    1. In the Harbor admin UI, from the Administration menu, select Registries.
    2. Click NEW ENDPOINT, and enter the following information:
      1. Provider: Docker Registry
      2. Endpoint URL: https://registry-1.docker.io
      3. Access ID: Support user ID that you use to log in to EPD.
      4. Access Secret: The Personal Access Token (PAT) that you generated from Docker.
        For information on generating the token, see Downloading the container access key.

        The following figure shows a sample configuration:
        [Figure: sample registry endpoint configuration]

      5. Click OK.

      6. The configuration is saved, and the configuration status is displayed as Healthy:

        [Figure: registry configuration status]

      7. Note the configuration to use it in a replication rule to synchronize your Harbor registry in an air-gapped environment with the local Harbor registry.

  4. Set up a proxy to enable communication between the local Harbor registry and the Harbor registry in an air-gapped environment or DMZ.

  5. Synchronize your Harbor registry in an air-gapped environment or DMZ with your local Harbor registry:

    1. Log in to the Harbor registry in a DMZ:
      docker login <HarborHost> -u <userName> -p <password>
    2. Perform the following steps to create a new project:
      1. Select Projects and then click NEW PROJECT.
      2. In the New Project window, specify the following values:
        • Project Name: Enter a name; for example, HelixIIDMZ.
        • Access Level: Select the Public option.
      3. Click OK.
    3. Create a temporary directory on the controller host.
    4. Download the attached script, push_to_custom_repo.sh, and copy it to the temporary directory.
    5. Grant the execute permission on the script:
      chmod -Rf 755 push_to_custom_repo.sh
    6. Open the script by using a text editor and update the following parameters:

      • ENVIRONMENT: Specify one of the following values:
        • KUBERNETES
        • OPENSHIFT
      • IMAGE_REGISTRY_HOST: Specify the host name of your Harbor registry in the air-gapped environment or DMZ.
        Important: Do not specify the host path name; specify only the host name.
        For example, IMAGE_REGISTRY_HOST=value-consuming.cluster.abc.com.
      • IMAGE_REGISTRY_PROJECT: Specify the name of the project that you created in the Harbor registry in the air-gapped environment or DMZ; for example, HelixIIDMZ.
      • IMAGE_REGISTRY_ORG: Specify a name for your Harbor registry in the air-gapped environment or DMZ; for example, IIGWDMZ.
        Images are synced to the Harbor registry in the following format:
        IMAGE_REGISTRY_HOST/IMAGE_REGISTRY_PROJECT/IMAGE_REGISTRY_ORG:<imageName>-<tag>
        For example, value-consuming.cluster.abc.com/HelixIIDMZ/IIGWDMZ:hii-mediator-service-26.1.0-104GAB11SHA91a358b1
      • SOURCE_DOCKER_REPO: Specify the host name of your local Harbor registry.
        Important: Do not specify the host path name; specify only the host name.
        For example, SOURCE_DOCKER_REPO=value-investing.cluster.abc.com.
      • SOURCE_DOCKER_PROJECT: Specify the name of the project that you created in your local Harbor registry; for example, helixiigw.
      • SOURCE_DOCKER_ORG: Specify the name that you provided for the local Harbor registry org; for example, IIGW01.
    7. Run the script by using the following command:
      ./push_to_custom_repo.sh

    8. After the container images are successfully uploaded to the Harbor registry in the air-gapped environment or DMZ, delete them from the local Docker image cache on the controller host (docker image prune -a removes every image that is not used by a container):
      docker image prune -a
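As an added example (not BMC's attached push_to_custom_repo.sh, whose contents are not shown on this page), the following POSIX shell functions build the IMAGE_REGISTRY_HOST/IMAGE_REGISTRY_PROJECT/IMAGE_REGISTRY_ORG:<imageName>-<tag> reference used by both synchronization procedures above, reject a registry host that carries a path (the caveat in both parameter tables), and drive docker pull, tag and push. The host, project and org names are the page's sample values; the function names and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not the attached push_to_custom_repo.sh. Retags images into
# the HOST/PROJECT/ORG:<imageName>-<tag> layout this page describes. With
# DRY_RUN=1 (assumed switch) the docker commands are printed, not executed.

# The page's caveat: the registry host is a bare host name, never a path.
validate_host() {
  case "$1" in
    ''|*/*) return 1 ;;
  esac
  return 0
}

# Build the target reference HOST/PROJECT/ORG:<imageName>-<tag>.
# $1 host  $2 project  $3 org  $4 image name  $5 tag
target_ref() {
  validate_host "$1" || { echo "registry host must not contain a path: $1" >&2; return 1; }
  printf '%s/%s/%s:%s-%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Pull $1 (the source reference), retag it as the target built from $2..$6
# and push it. Stops at the first failing step.
sync_image() {
  src=$1
  shift
  dst=$(target_ref "$@") || return 1
  run docker pull "$src" &&
    run docker tag "$src" "$dst" &&
    run docker push "$dst"
}

# Demo with the page's sample names (constructed values): the image already
# staged in the local Harbor registry (SOURCE_DOCKER_*) is copied into the
# DMZ Harbor registry (IMAGE_REGISTRY_*). DRY_RUN defaults to 1 here, so
# nothing is pulled or pushed.
DRY_RUN=${DRY_RUN:-1}
src_ref=$(target_ref value-investing.cluster.abc.com helixiigw IIGW01 \
  hii-mediator-service 26.1.0-104GAB11SHA91a358b1)
sync_image "$src_ref" value-consuming.cluster.abc.com HelixIIDMZ IIGWDMZ \
  hii-mediator-service 26.1.0-104GAB11SHA91a358b1
```

The source reference for the first procedure (pulling from BMC Helix DTR) is whatever the attached script pulls from the DTR; this page does not show that path, so the demo covers only the local-to-DMZ stage.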

Where to go from here

Creating a namespace for the on-premises gateway deployment

BMC Helix Intelligent Integrations 26.1