Harbor is an open source registry which can store and manage access to your OCI (Docker) images, helm charts, and other OCI artifacts.

Istio is a service mesh which ensures that traffic between participating pods is encrypted and authenticated with mutual TLS.

Harbor maintains a helm chart, which either deploys an ingress or an nginx instance, to forward various paths to the underlying components of Harbor.

If (like us) you're using Istio IngressGateways to terminate incoming HTTPS traffic, neither of these solutions currently works well.

The obvious solution is to do away with both the Ingress and the nginx instance, and instead use an Istio VirtualService for path-matching to the various services.

Here's what the VirtualService looks like:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  creationTimestamp: "2022-06-29T22:53:41Z"
  generation: 17
  labels:
    kustomize.toolkit.fluxcd.io/name: istio-system-elpenguino-net
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: harbor
  namespace: harbor
  resourceVersion: "10596813"
  uid: 601d5907-e352-4604-9210-a67a7ab31485
spec:
  gateways:
  - istio-ingressgateway.istio-system.svc.cluster.local
  hosts:
  - registry.elpenguino.net
  http:
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /service/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /chartrepo
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /c/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /v1/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /v2/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - name: portal
    route:
    - destination:
        host: harbor-portal
        port:
          number: 80
    timeout: 30s
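
To check which backend a given path reaches under the rules above, here is an added example (not part of the original post or the Harbor chart) that models the routing in Python. It assumes Istio's behaviour that http rules are evaluated in order with the first match winning, and that `prefix` is a plain, case-sensitive string prefix; the sample paths are constructed.

```python
# Added example: models the VirtualService rules shown above.
# Assumption: rules are evaluated top to bottom (first match wins) and
# `prefix` is a case-sensitive string-prefix match on the request path.

# (prefix, destination host) pairs copied in order from the VirtualService.
ROUTES = [
    ("/api/", "harbor-core"),
    ("/service/", "harbor-core"),
    ("/chartrepo", "harbor-core"),
    ("/c/", "harbor-core"),
    ("/v1/", "harbor-core"),
    ("/v2/", "harbor-core"),
    (None, "harbor-portal"),  # the "portal" rule has no match: catch-all
]


def resolve(path, routes=ROUTES):
    """Return the destination host for a request path, or None if unrouted."""
    for prefix, host in routes:
        if prefix is None or path.startswith(prefix):
            return host
    return None


def shadowed(routes=ROUTES):
    """Return indexes of rules that can never match because an earlier rule
    (a catch-all, or an equal or shorter prefix) already covers them."""
    dead = []
    for i, (prefix, _) in enumerate(routes):
        for earlier, _ in routes[:i]:
            if earlier is None or (prefix is not None and prefix.startswith(earlier)):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    # Constructed sample paths, not taken from the original page.
    samples = ["/v2/", "/v2/library/nginx/manifests/latest", "/api/v2.0/projects",
               "/api", "/chartrepository", "/V2/", "/harbor/projects", "/"]
    for p in samples:
        print(f"{p:40} -> {resolve(p)}")
    print("shadowed rule indexes:", shadowed())
```

Anything not covered by a listed prefix falls through to harbor-portal, and `/chartrepo` (no trailing slash) matches more broadly than the other prefixes, which is worth keeping in mind when adding or reordering rules.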

And when deploying via helm, we disable the ingress, and then just set nginx.replicas=0 to disable nginx as well.

The above isn't working with the official chart yet (I have a PR waiting), but has been confirmed working by a handful of fellow, long-suffering Harbor+Istio users!

If you don't want to manually hack your services to make this work until the PR is merged, my forked (and fixed) chart is available here, and you can perform an install like this:

helm repo add harbor-haxxor https://funkypenguin.github.io/harbor-helm
helm install my-release harbor-haxxor/harbor --set nginx.replicas=0