
How to Deploy and Operate an Enterprise‑Grade Harbor Registry on Kubernetes

Learn a step‑by‑step, production‑ready guide to install, configure, secure, and scale Harbor—a private container and Helm chart registry—on a Kubernetes cluster, covering Helm preparation, values.yaml tuning, TLS, persistence, authentication, high‑availability, monitoring, CI/CD integration, and troubleshooting.

Ray's Galactic Tech

Deployment Overview

Prerequisites : Install Helm and have a running Kubernetes cluster. Add the Harbor Helm chart repository:

helm repo add harbor https://helm.goharbor.io

Configure Helm values : Create a values.yaml that defines the exposure method, persistence, admin credentials, and TLS settings. Example excerpt:

expose:
  type: ingress
  ingress:
    hosts:
      core: harbor.example.com
    tls:
      enabled: true
      secretName: harbor-tls

persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      size: 100Gi
      storageClass: nfs-client

harborAdminPassword: "MyStrongPassword123!"

tls:
  enabled: true
  certSource: secret
  secretName: harbor-tls

Install Harbor : Deploy with Helm using the custom values file.

helm install harbor harbor/harbor -f values.yaml -n harbor --create-namespace

Validate and integrate : Ensure all pods are Running. Create a Docker registry secret for workloads that need to pull images from Harbor.

kubectl get pods -n harbor
kubectl create secret docker-registry harbor-registry-secret \
  --docker-server=HARBOR_URL \
  --docker-username=USERNAME \
  --docker-password=PASSWORD \
  --docker-email=EMAIL \
  -n NAMESPACE

Key Configuration Details

1. External Access (expose.type)

Choose the appropriate exposure method in values.yaml:

ingress – recommended for production; requires an Ingress controller, a DNS name, and TLS.

NodePort – useful for testing or bare‑metal clusters.

ClusterIP – internal‑only access.

LoadBalancer – for cloud environments where the provider provisions a public IP.

2. Persistent Storage

Harbor stores registry data, Helm charts, and logs; persistence must be enabled.

Two common patterns:

PVC (recommended) – a standard PersistentVolumeClaim backed by a storage class.

persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      size: 100Gi
      storageClass: nfs-client

External object storage – S3, OSS, GCS, etc., for large‑scale deployments.

persistence:
  imageChartStorage:
    type: s3
    s3:
      region: cn-hangzhou
      bucket: harbor-registry
      accesskey: ACCESS_KEY
      secretkey: SECRET_KEY
      regionendpoint: https://oss-cn-hangzhou.aliyuncs.com

3. Admin Password & TLS

Set a strong password for the built‑in admin account and enable HTTPS. Use a certificate from a trusted CA in production; self‑signed certificates are acceptable only for test environments.

4. Security & High‑Availability Enhancements

Enable Notary for image signing and Trivy for vulnerability scanning. Note that Harbor 2.9 removed Notary; on current releases, image signatures are produced by Cosign or Notation and stored alongside the image as OCI artifacts, so the notary block below applies to older chart versions only.

notary:
  enabled: true
trivy:
  enabled: true
  ignoreUnfixed: true
  severity: HIGH,CRITICAL

Integrate LDAP (or OIDC) for centralized authentication. Use ldaps:// (or StartTLS) rather than plain ldap:// so the bind password and user credentials do not cross the network in clear text.

harbor:
  ldap:
    enabled: true
    url: ldaps://ldap.example.com   # LDAPS so the bind password is not sent in clear text
    searchDN: "cn=admin,dc=example,dc=com"
    searchPassword: LDAP_PASSWORD
    baseDN: "dc=example,dc=com"

Use external PostgreSQL and Redis (Sentinel or Cluster) for data and cache resilience.

database:
  type: external
  external:
    host: postgres-svc
    port: 5432
    username: harbor
    password: POSTGRES_PASSWORD
    coreDatabase: registry
redis:
  type: external
  external:
    addr: redis-ha:6379
    password: REDIS_PASSWORD

Expose Prometheus metrics and configure log rotation.

metrics:
  enabled: true
  path: /metrics
  port: 8001
log:
  level: info
  local:
    rotateCount: 10
    rotateSize: 200M
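As an added pre-install check (example code, not from the article or the Harbor project), the lint below flags the settings this section and the Deployment Overview warn about: an ingress exposure without TLS, disabled persistence or a resourcePolicy other than keep, the chart's default admin password Harbor12345, and any credential left as a literal in values.yaml, where it would be committed to git and readable through helm get values. It assumes the chart's existingSecretAdminPassword key as the alternative for the admin password, and embeds the article's excerpts as a dict so it runs without PyYAML.

```python
# Added pre-install lint for a Harbor values.yaml (not the article's or Harbor's own code).
# Load a real file with yaml.safe_load(); SAMPLE_VALUES is built from the article's excerpts.
SAMPLE_VALUES = {
    "expose": {"type": "ingress", "tls": {"enabled": True, "secretName": "harbor-tls"}},
    "persistence": {"enabled": True, "resourcePolicy": "keep",
                    "imageChartStorage": {"type": "s3", "s3": {"secretkey": "SECRET_KEY"}}},
    "harborAdminPassword": "MyStrongPassword123!",
    "database": {"type": "external", "external": {"password": "POSTGRES_PASSWORD"}},
}
# Keys that hold credentials; a literal here ends up in git and in `helm get values`.
CREDENTIAL_KEYS = {"harborAdminPassword", "password", "accesskey", "secretkey", "searchPassword"}
CHART_DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # what the chart uses when the key is absent

def _get(node, *path):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def literal_credentials(node, prefix=""):
    """Dotted paths of every credential key that carries a non-empty literal value."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if key in CREDENTIAL_KEYS and value:
                found.append(path)
            found.extend(literal_credentials(value, path))
    return found

def lint_harbor_values(values):
    """Return findings as strings; an empty list means the values passed."""
    findings = []
    expose_type = str(_get(values, "expose", "type") or "").lower()
    if expose_type == "ingress" and _get(values, "expose", "tls", "enabled") is not True:
        findings.append("expose.tls.enabled: ingress without TLS serves the registry over plain HTTP")
    elif expose_type == "nodeport":
        findings.append("expose.type: nodePort is for testing; production needs ingress with TLS")
    if _get(values, "persistence", "enabled") is not True:
        findings.append("persistence.enabled: without it images vanish when the registry pod restarts")
    elif _get(values, "persistence", "resourcePolicy") != "keep":
        findings.append('persistence.resourcePolicy: set "keep" so helm uninstall keeps the PVCs')
    # existingSecretAdminPassword (chart key) keeps the admin password out of values entirely.
    if not values.get("existingSecretAdminPassword") and \
            values.get("harborAdminPassword") in (None, CHART_DEFAULT_ADMIN_PASSWORD):
        findings.append("harborAdminPassword: the chart default Harbor12345 would be active")
    findings += [f"{p}: literal credential in values.yaml; mount it from a Kubernetes Secret"
                 for p in literal_credentials(values)]
    return findings
```

Run it against the merged values (helm show values harbor/harbor plus your overrides) before helm install; on the article's own excerpt it reports the three placeholder credentials and nothing else.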

CI/CD Integration

Push images from pipelines after authenticating to Harbor, and optionally use Harbor as a Helm chart repository. For pipeline credentials, prefer a Harbor robot account scoped to the project over the admin user, and feed the password through stdin so it does not appear in shell history or the process list. The chartrepo endpoint below relies on ChartMuseum, which Harbor 2.8 removed; on newer releases, charts are pushed as OCI artifacts with helm push instead.

echo "$HARBOR_PASSWORD" | docker login my-harbor.domain.com -u admin --password-stdin
docker push my-harbor.domain.com/project/app:latest

helm repo add my-harbor https://my-harbor.domain.com/chartrepo/project \
  --username admin --password HARBOR_PASSWORD

Performance & HA Recommendations

Set replicaCount > 1 for core, portal, and jobservice and expose them via Ingress load balancing.

Deploy Redis Sentinel or Cluster mode for cache redundancy.

Use an external primary‑replica PostgreSQL instance or a managed RDS service.

Store container images and Helm charts on S3/OSS compatible object storage.

Scale CPU and memory resources according to workload, e.g.:

core:
  replicaCount: 2
  resources:
    requests:
      cpu: 500m
      memory: 1Gi

Troubleshooting

Pod fails to start : Verify PVC binding, storage class, and certificate paths. Use kubectl describe pod and check container logs.

Image pull fails (HTTP→HTTPS) : Ensure the client accesses Harbor over HTTPS. For temporary testing you may add the registry to insecure-registries, but never in production.

Harbor unreachable : Confirm that firewall rules allow the NodePort or Ingress ports and that DNS resolves to the correct address.
