Run Harbor v2 with Istio mTLS behind a VirtualService
Harbor is an open source registry which can store and manage access to your OCI (Docker) images, helm charts, and other OCI artifacts.
Istio is a service mesh which ensures that traffic between participating pods is encrypted and authenticated with mutual TLS.
Harbor maintains a helm chart, which either deploys an ingress or an nginx instance, to forward various paths to the underlying components of Harbor.
If (like us) you're using Istio IngressGateways to terminate incoming HTTPS traffic, neither of these solutions currently works well.
The obvious solution is to do away with both the Ingress and the nginx instance, and instead use an Istio VirtualService to match paths to the various services.
Here's what the VirtualService looks like:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  creationTimestamp: "2022-06-29T22:53:41Z"
  generation: 17
  labels:
    kustomize.toolkit.fluxcd.io/name: istio-system-elpenguino-net
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: harbor
  namespace: harbor
  resourceVersion: "10596813"
  uid: 601d5907-e352-4604-9210-a67a7ab31485
spec:
  gateways:
  - istio-ingressgateway.istio-system.svc.cluster.local
  hosts:
  - registry.elpenguino.net
  http:
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /service/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /chartrepo
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /c/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /v1/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - match:
    - uri:
        prefix: /v2/
    route:
    - destination:
        host: harbor-core
        port:
          number: 80
  - name: portal
    route:
    - destination:
        host: harbor-portal
        port:
          number: 80
    timeout: 30s
```
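Istio evaluates the `http` rules of a VirtualService in order and takes the first rule whose match succeeds, so the unmatched `portal` catch-all has to stay last or it silently swallows the registry and API paths. The following added example (not part of the original post or the Harbor chart) mirrors the rules above as constructed Python dicts, simulates that first-match routing, and lints the rule order before you apply the manifest:

```python
from typing import List, Optional

# Prefixes that must reach harbor-core for docker push/pull, the API, chart repo and login to work.
HARBOR_CORE_PREFIXES = ["/api/", "/service/", "/chartrepo", "/c/", "/v1/", "/v2/"]

# Constructed mirror of the page's VirtualService `http` rules (not fetched from a cluster).
HARBOR_VS_RULES = [
    {"match": [{"uri": {"prefix": p}}], "route": [{"destination": {"host": "harbor-core"}}]}
    for p in HARBOR_CORE_PREFIXES
] + [
    {"name": "portal", "route": [{"destination": {"host": "harbor-portal"}}]},  # catch-all
]


def _uri_matches(uri_match: dict, path: str) -> bool:
    """Evaluate one Istio StringMatch on the request path (exact/prefix only; regex omitted)."""
    if "exact" in uri_match:
        return path == uri_match["exact"]
    if "prefix" in uri_match:
        return path.startswith(uri_match["prefix"])
    raise ValueError(f"unsupported uri match: {uri_match}")


def route(rules: List[dict], path: str) -> Optional[str]:
    """Return the destination host Istio would pick for `path`, or None if nothing matches.

    A rule without `match` matches every request; match entries without a `uri`
    clause (e.g. header-only matches) are ignored in this simplified model.
    """
    for rule in rules:
        matches = rule.get("match")
        if matches is None or any(_uri_matches(m["uri"], path) for m in matches if "uri" in m):
            return rule["route"][0]["destination"]["host"]
    return None


def lint_harbor_rules(rules: List[dict]) -> List[str]:
    """Pre-apply sanity checks: every Harbor prefix hits core, the UI hits portal, catch-all is last."""
    problems = []
    for prefix in HARBOR_CORE_PREFIXES:
        if route(rules, prefix) != "harbor-core":
            problems.append(f"{prefix} does not reach harbor-core")
    if route(rules, "/") != "harbor-portal":
        problems.append("/ (UI) does not reach harbor-portal")
    catch_alls = [i for i, r in enumerate(rules) if "match" not in r]
    if catch_alls and catch_alls[0] != len(rules) - 1:
        problems.append("catch-all rule is not last; it shadows every rule after it")
    return problems
```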
And when deploying via helm, we disable the ingress, and then just set nginx.replicas=0 to disable nginx as well.
The above isn't working with the official chart yet (I have a PR waiting), but has been confirmed working by a handful of fellow, long-suffering Harbor+Istio users!
If you don't want to manually hack your services to make this work until the PR is merged, my forked (and fixed) chart is available here, and you can perform an install like this:
```shell
helm repo add harbor-haxxor https://funkypenguin.github.io/harbor-helm
helm install my-release harbor-haxxor/harbor --set nginx.replicas=0
```