Harbor
DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
You can use Harbor as the container registry for your GitLab project.
Harbor is an open-source registry that can help you manage artifacts across cloud-native compute platforms like Kubernetes and Docker.
The Harbor integration can help you if you need GitLab CI/CD and a container image repository.
Prerequisites
In the Harbor instance, ensure that:
- The project to be integrated has been created.
- The authenticated user has permission to pull, push, and edit images in the Harbor project.
Configure GitLab
GitLab supports integrating Harbor projects at the group or project level. Complete these steps in GitLab:
-
On the left sidebar, select Search or go to and find your project.
-
Select Settings > Integrations.
-
Select Harbor.
-
Under Enable integration, select the Active checkbox.
-
Provide the Harbor configuration information:
-
Harbor URL: The base URL of Harbor instance which is being linked to this GitLab project. For example,
https://harbor.example.net
. -
Harbor project name: The project name in the Harbor instance. For example,
testproject
. - Username: Your username in the Harbor instance, which should meet the requirements in prerequisites.
- Password: Password of your username.
-
Harbor URL: The base URL of Harbor instance which is being linked to this GitLab project. For example,
-
Select Save changes.
After the Harbor integration is activated:
- The global variables
$HARBOR_USERNAME
,$HARBOR_HOST
,$HARBOR_OCI
,$HARBOR_PASSWORD
,$HARBOR_URL
, and$HARBOR_PROJECT
are created for CI/CD use. - The project-level integration settings override the group-level integration settings.
Security considerations
Secure your requests to the Harbor APIs
For each API request through the Harbor integration, the credentials for your connection to the Harbor API use
the username:password
combination. The following are suggestions for safe use:
- Use TLS on the Harbor APIs you connect to.
- Follow the principle of least privilege (for access on Harbor) with your credentials.
- Have a rotation policy on your credentials.
CI/CD variable security
Malicious code pushed to your .gitlab-ci.yml
file could compromise your variables, including
$HARBOR_PASSWORD
, and send them to a third-party server. For more details, see
CI/CD variable security.
Examples of Harbor variables in CI/CD
Push a Docker image with kaniko
For more information, see Use kaniko to build Docker images.
docker:
stage: docker
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: ['']
script:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"${HARBOR_HOST}\":{\"auth\":\"$(echo -n ${HARBOR_USERNAME}:${HARBOR_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json
- >-
/kaniko/executor
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/Dockerfile"
--destination "${HARBOR_HOST}/${HARBOR_PROJECT}/${CI_PROJECT_NAME}:${CI_COMMIT_TAG}"
rules:
- if: $CI_COMMIT_TAG
Push a Helm chart with an OCI registry
Helm supports OCI registries by default. OCI is supported in Harbor 2.0 and later. Read more about OCI in Helm's blog and documentation.
helm:
stage: helm
image:
name: dtzar/helm-kubectl:latest
entrypoint: ['']
variables:
# Enable OCI support (not required since Helm v3.8.0)
HELM_EXPERIMENTAL_OCI: 1
script:
# Log in to the Helm registry
- helm registry login "${HARBOR_URL}" -u "${HARBOR_USERNAME}" -p "${HARBOR_PASSWORD}"
# Package your Helm chart, which is in the `test` directory
- helm package test
# Your helm chart is created with <chart name>-<chart release>.tgz
# You can push all building charts to your Harbor repository
- helm push test-*.tgz ${HARBOR_OCI}/${HARBOR_PROJECT}