@gitlawr
Last active June 5, 2019 14:54
Using external PostgreSQL & Redis for Global Registry

Use external DB from Helm stable chart for Global Registry

Steps:

  1. Enable Helm stable catalog
  2. Deploy a postgresql app with the following answers:

```
#if no pv available, set: persistence.enabled=false
service.type=NodePort
postgresqlUsername=postgres
postgresqlPassword=postgres
```

  3. Get <nodeIP>:<nodePort> of the postgresql service for further configuration.
  4. kubectl exec into the postgresql pod and create the databases:

```
$ export PGPASSWORD=postgres
$ psql -U postgres
CREATE DATABASE db_registry;
CREATE DATABASE db_clair;
CREATE DATABASE db_notary_server;
CREATE DATABASE db_notary_signer;
```

  5. Enable Global Registry with

```
Database Type: external
SSL Mode: disable
Host for PostgreSQL: <nodeIP>
Port for PostgreSQL: <nodePort>
Username: postgres
Password: postgres
Core Database: db_registry
Clair Database: db_clair
Notary Server Database: db_notary_server
Notary Signer Database: db_notary_signer
```
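The database bootstrap and the form values above, turned into a small pre-flight script. This is an added example written for this page, not code from the gist, Harbor or Rancher. It relies only on psql's `\gexec` meta-command (each row of the preceding query is executed as a statement, which makes re-running the bootstrap safe) and on libpq URL syntax; the `harbor` owner role, the `GIST_SETTINGS` key names and the sample host/port are my own placeholders. The same `check_settings` applies to the RDS case below, where the RDS endpoint and port take the place of the NodePort values, and it flags the choices (SSL Mode `disable`, chart-default credentials, connecting as the superuser) that are fine for a throwaway test cluster and not for anything else.

```python
"""Pre-flight helpers for the external PostgreSQL steps above.

Added example for this gist; not part of the gist, Harbor or Rancher.
It emits an idempotent psql bootstrap script for the four Harbor databases,
builds the libpq connection URL the form values amount to, and flags settings
that are acceptable for a throwaway test cluster but not for a real one.
"""
import re
from urllib.parse import quote

# Database names exactly as entered in the Global Registry form above.
HARBOR_DATABASES = ("db_registry", "db_clair", "db_notary_server", "db_notary_signer")

# Conservative PostgreSQL identifier: lower-case, at most 63 bytes, needs no quoting.
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def is_safe_identifier(name):
    """True if `name` can be embedded in the VALUES list without any quoting tricks."""
    return bool(IDENT_RE.match(name))


def bootstrap_sql(databases=HARBOR_DATABASES, owner=None):
    """Return a psql script that creates each database only if it is missing.

    `owner` is an optional dedicated role (hypothetical refinement: the gist
    itself runs everything as the postgres superuser). Identifiers are checked
    before being embedded because they end up inside SQL literals.
    """
    names = tuple(databases) + ((owner,) if owner else ())
    for name in names:
        if not is_safe_identifier(name):
            raise ValueError("refusing to embed unsafe identifier: %r" % name)
    values = ", ".join("('%s')" % d for d in databases)
    if owner:
        stmt = "format('CREATE DATABASE %%I OWNER %%I', d, '%s')" % owner
    else:
        stmt = "format('CREATE DATABASE %I', d)"
    return (
        "SELECT " + stmt + "\n"
        "FROM (VALUES " + values + ") AS v(d)\n"
        "WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = d)\n"
        "\\gexec\n"
    )


def build_dsn(host, port, user, password, dbname, sslmode="require"):
    """libpq URL equivalent to the form fields; user and password are
    percent-encoded so characters such as '@' or '/' cannot break the URL."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if sslmode not in ("disable", "allow", "prefer", "require", "verify-ca", "verify-full"):
        raise ValueError("unknown sslmode: %r" % sslmode)
    return "postgresql://%s:%s@%s:%d/%s?sslmode=%s" % (
        quote(user, safe=""), quote(password, safe=""), host, port, dbname, sslmode)


# The values used in the gist's walkthrough (constructed dict; the keys are my
# shorthand for the Global Registry form fields).
GIST_SETTINGS = {
    "ssl_mode": "disable", "username": "postgres", "password": "postgres",
    "core_db": "db_registry", "clair_db": "db_clair",
    "notary_server_db": "db_notary_server", "notary_signer_db": "db_notary_signer",
}


def check_settings(s):
    """Return warnings for an 'external' database configuration; empty means OK."""
    warnings = []
    if s["ssl_mode"] == "disable":
        warnings.append("SSL Mode disable: credentials and registry metadata cross the network in clear text")
    if (s["username"], s["password"]) == ("postgres", "postgres"):
        warnings.append("chart default credentials postgres/postgres are in use")
    if s["username"] == "postgres":
        warnings.append("Harbor connects as the superuser; a role that only owns its four databases is enough")
    dbs = [s["core_db"], s["clair_db"], s["notary_server_db"], s["notary_signer_db"]]
    if len(set(dbs)) != len(dbs):
        warnings.append("core, Clair and the two Notary services must not share a database")
    return warnings


if __name__ == "__main__":
    print(bootstrap_sql(owner="harbor"))
    # Placeholder endpoint standing in for <nodeIP>:<nodePort> from the steps above.
    print(build_dsn("10.0.0.5", 31234, "postgres", "postgres", "db_registry", "disable"))
    for w in check_settings(GIST_SETTINGS):
        print("WARNING:", w)
```

Pipe the printed script into `psql -U postgres` instead of typing the four `CREATE DATABASE` lines; the `WHERE NOT EXISTS` guard means a second run on the RDS instance does nothing rather than failing on "database already exists".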

Result:

  1. Harbor functions well.
  2. No postgres workload is created in the global registry app.
  3. You can see the tables created in the postgresql database:

```
psql -U postgres
\c db_registry
\dt
```

Use external DB from RDS for Global Registry

  1. Go to the AWS RDS service
  2. Click Create Database
  3. Select the PostgreSQL engine type, click Next
  4. Choose Dev/Test and click Next
  5. Enable the Free Tier option, fill in name, username and password in the settings, click Next
  6. Use the default settings and click Create Database
  7. Click the DB instance in the databases console and get the endpoint/port for further configuration
  8. Click the security group of the DB and configure an inbound rule (e.g. ALL TCP with Source 0.0.0.0/0) so that it is accessible externally.
  9. Create the databases for the registry, as described in step 4 of the helm chart case.
  10. Enable Global Registry with the database configuration and check.

Use external Redis from Helm stable chart for Global Registry

Steps:

  1. Enable Helm stable catalog
  2. Deploy a redis app with the following answers:

```
#if no pv available, set: persistence.enabled=false
master.service.type=NodePort
password=testredis
```

  3. Get <nodeIP>:<nodePort> of the redis service for further configuration.
  4. Enable Global Registry with

```
Redis Type: external
Password: testredis
Host for Redis: <nodeIP>
Port for Redis: <nodePort>
Jobservice Database index: 1
Registry Database index: 2
Notary Server Database: db_notary_server
Notary Signer Database: db_notary_signer
```

  5. Do a docker push to & docker pull from Global Registry.

Result:

  1. Harbor functions well.
  2. No Redis workload is created in the global registry app.
  3. Check the cache data in redis:

```
$ redis-cli -h <nodeIP> -p <nodePort>
AUTH testredis
# 0 is the index for the Harbor core cache; it is not configurable due to a Harbor limitation (https://github.com/goharbor/harbor/issues/4641#issuecomment-415707592)
select 0
KEYS *
select 1
KEYS *
select 2
KEYS *
```
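The Redis steps above (the Helm answers, the index layout given to Global Registry, and the `redis-cli` check that index 0 belongs to the core cache) as a small Python check. This is an added example written for this page, not code from the gist, Harbor or Rancher. It assumes Redis's default of 16 logical databases and standard `redis://` / `rediss://` URL syntax; the sample endpoint `10.0.0.5:31379` is a constructed stand-in for `<nodeIP>:<nodePort>`, and the `tls` flag only covers the ElastiCache case below where AUTH requires in-transit encryption.

```python
"""Checks for the external Redis steps above and the ElastiCache note below.

Added example for this gist; not code from the gist, Harbor or Rancher.
It parses the Helm answers, validates the database-index layout handed to
Global Registry and builds the connection URL each Harbor component ends up
with (rediss:// when in-transit encryption is on, as ElastiCache AUTH needs).
"""
from urllib.parse import quote

# Redis serves 16 logical databases (0-15) unless `databases` is raised in redis.conf.
REDIS_DEFAULT_DATABASES = 16
# Index 0 is fixed for Harbor core's cache (see the redis-cli comment above, harbor#4641).
HARBOR_CORE_INDEX = 0

# Answers exactly as given in the gist's redis step (the '#' line is a comment).
SAMPLE_ANSWERS = """\
#if no pv available, set: persistence.enabled=false
master.service.type=NodePort
password=testredis
"""


def parse_answers(text):
    """Parse 'key=value' answer lines into a dict; blank and '#' lines are skipped."""
    answers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed answer line: %r" % line)
        answers[key.strip()] = value.strip()
    return answers


def check_redis_layout(jobservice_index, registry_index, password, max_db=REDIS_DEFAULT_DATABASES):
    """Return problems with the index/password layout; an empty list means OK."""
    problems = []
    for name, idx in (("jobservice", jobservice_index), ("registry", registry_index)):
        if not 0 <= idx < max_db:
            problems.append("%s index %d is outside 0..%d" % (name, idx, max_db - 1))
        elif idx == HARBOR_CORE_INDEX:
            problems.append("%s index 0 collides with the core cache" % name)
    if jobservice_index == registry_index:
        problems.append("jobservice and registry share db %d; job state and upload metadata would mix" % registry_index)
    if not password:
        problems.append("no AUTH password: anyone reaching <nodeIP>:<nodePort> can read or flush the cache")
    return problems


def redis_url(host, port, db_index, password=None, tls=False):
    """Connection URL for one component; tls selects the rediss:// scheme."""
    scheme = "rediss" if tls else "redis"
    auth = ":%s@" % quote(password, safe="") if password else ""
    return "%s://%s%s:%d/%d" % (scheme, auth, host, int(port), db_index)


def plan(answers, host, port, jobservice_index=1, registry_index=2, tls=False):
    """Combine the Helm answers with the form values from the gist (indexes 1 and 2)."""
    pw = answers.get("password", "")
    return {
        "core": redis_url(host, port, HARBOR_CORE_INDEX, pw, tls),
        "jobservice": redis_url(host, port, jobservice_index, pw, tls),
        "registry": redis_url(host, port, registry_index, pw, tls),
        "problems": check_redis_layout(jobservice_index, registry_index, pw),
    }


if __name__ == "__main__":
    # Constructed NodePort endpoint standing in for <nodeIP>:<nodePort>.
    for k, v in plan(parse_answers(SAMPLE_ANSWERS), "10.0.0.5", 31379).items():
        print(k, v)
```

Run it with the real `<nodeIP>:<nodePort>` before filling in the Global Registry form; an index of 0 for jobservice or registry, or the same index for both, is exactly what the `select`/`KEYS *` check above would later reveal as mixed key spaces.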

Use AWS ElastiCache for Global Registry

Notes

ElastiCache is designed to be used from within EC2 instances. It needs a NAT node to make it accessible outside EC2, which is harder to set up. As it is provider specific, this case should be tested with lower priority. For validation purposes the easy way is to create an ElastiCache cluster and the EC2 instance in the same VPC.

  1. Go to the AWS ElastiCache service
  2. Choose Redis in the navigation bar
  3. Click Create
  4. Input a name and choose the node type (small size for testing)
  5. Click Create
  6. Check security groups:
     • The security group of the redis instance should have inbound rules to expose the port.
     • The security group of the redis instance should be added to the EC2 instances running the local cluster.
  7. When Redis is ready, get the endpoint.
  8. Follow Steps 4-5 in the helm chart case to use the redis and check.

Notes

Redis AUTH is an opt-in configuration and it requires enabling the Encryption in-transit (TLS) option first. From my testing, the redis client Harbor uses does not work with that. So we need to make the password field of external Redis optional. To work around this before then, set an arbitrary value in the password field and set redis.external.password="" in advanced answers.
