{"id":30229667,"url":"https://github.com/max-pfeiffer/harbor-turnkey","last_synced_at":"2025-08-14T21:48:44.784Z","repository":{"id":302890221,"uuid":"1013766877","full_name":"max-pfeiffer/harbor-turnkey","owner":"max-pfeiffer","description":"Harbor as a turnkey solution: running on a Kubernetes single node cluster using Talos Linux and Proxmox VE. Provisioning with OpenTofu.","archived":false,"fork":false,"pushed_at":"2025-08-11T10:42:00.000Z","size":72,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-11T11:42:23.240Z","etag":null,"topics":["harbor","kubernetes","proxmox","proxmox-ve","step-ca","talos-linux"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/max-pfeiffer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-04T12:35:06.000Z","updated_at":"2025-08-11T10:56:15.000Z","dependencies_parsed_at":"2025-08-11T11:27:55.860Z","dependency_job_id":null,"html_url":"https://github.com/max-pfeiffer/harbor-turnkey","commit_stats":null,"previous_names":["max-pfeiffer/proxmox-talos-harbor-opentofu"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/max-pfeiffer/harbor-turnkey","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/max-pfeiffer%2Fharbor-turnkey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/max-pfeiffer%2Fharbor-turnkey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/max-pfeiffer%2Fharbor-turnkey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/max-pfeiffer%2Fharbor-turnkey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/max-pfeiffer","download_url":"https://codeload.github.com/max-pfeiffer/harbor-turnkey/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/max-pfeiffer%2Fharbor-turnkey/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270488352,"owners_count":24592445,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-14T02:00:10.309Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["harbor","kubernetes","proxmox","proxmox-ve","step-ca","talos-linux"],"created_at":"2025-08-14T21:48:42.858Z","updated_at":"2025-08-14T21:48:44.699Z","avatar_url":"https://github.com/max-pfeiffer.png","language":"HCL","funding_links":[],"categories":["Table of Contents"],"sub_categories":[],"readme":"# Harbor Turnkey\nThis infrastructure as code (IaC) project installs [Harbor](https://goharbor.io/) on a single node Kubernetes cluster.\nIt uses [Talos Linux](https://www.talos.dev/) as an operating system for running Kubernetes and\n[Proxmox VE](https://www.proxmox.com/en/products/proxmox-virtual-environment/overview) as hypervisor.\nThe provisioning is done with 
[OpenTofu](https://opentofu.org/).\n\nIt's meant to be a standalone, turnkey solution: after installing, you will have Harbor available and ready to use\nimmediately. To make this happen, I had to make some design decisions:\n* IaC: every piece of infrastructure is declarative\n  * Proxmox VE: installation of this hypervisor itself is a manual task, but everything else can be done fully\n    declaratively using APIs and a Terraform/OpenTofu provider \n  * Talos Linux/Kubernetes: both can be configured fully declaratively using APIs and Terraform/OpenTofu providers\n* Local storage for Kubernetes applications on the node: data storage needs to happen without other infrastructure\n  dependencies like NFS or Ceph. Providing storage for a Kubernetes cluster can be rather complex if it needs to be\n  highly available, and not everyone has an NFS share available or runs a Ceph cluster like me. So I chose to statically\n  provision the volumes on the node with Talos Linux and configured\n  [local PersistentVolumes](https://kubernetes.io/docs/concepts/storage/volumes/#local).\n  This way it can be installed and run anywhere. Plus, I consider the data which will be stored here as\n  ephemeral, as the container images can be easily pulled or reproduced again.\n* Certificate authority (CA): bootstrapping and running a standalone CA is necessary to issue TLS certificates \n \n## Prerequisites\n* [Proxmox VE](https://www.proxmox.com/en/products/proxmox-virtual-environment/overview) with some resources available\n  (default: 2 CPUs, 8GB RAM, 275GB disk space)\n* [OpenTofu installed locally](https://opentofu.org/docs/intro/install/)\n* [Step CLI installed locally](https://smallstep.com/docs/step-cli/installation/)\n* Docker Hub account\n\n## Usage\nFirst clone the repo. The provisioning with [OpenTofu](https://opentofu.org/) needs to be done in two steps:\n1. Create the VM on Proxmox hypervisor and install Kubernetes\n2. 
Install Harbor and all other applications in the Kubernetes cluster\n\n### Install Virtual Machine with Talos Linux on Proxmox\nGo to the `proxmox` subdirectory and create a `configuration.auto.tfvars` file using the example:\n```shell\n$ cp configuration.auto.tfvars.example configuration.auto.tfvars \n```\nThen add the configuration as it suits your needs to the new file. \n\nCreate the virtual machine, install and configure Talos Linux:\n```shell\n$ tofu init\n$ tofu plan\n$ tofu apply\n```\nThen grab the kubeconfig and store it in an appropriate place (or merge it with your existing kubeconfig file):\n```shell\n$ tofu output -raw kubeconfig \u003e ~/.kube/harbor-config\n```\nIn the next step you will need to reference this kubeconfig file in your `configuration.auto.tfvars` of the OpenTofu\n`kubernetes` module.\n\n### Configure Kubernetes Cluster and Install Applications\nFor bootstrapping the CA [install the step cli tool](https://smallstep.com/docs/step-cli/installation/) on your machine. Then generate your `bootstrap.yaml`:\n```shell\n$ cd kubernetes\n$ ./bootstrap_step_certificates.sh\nChoose a password for your CA keys and first provisioner.\n✔ [leave empty and we'll generate one]: \n```\nThis starts an interactive process in which you need to enter the password used for the root CA and provisioner.\nGenerate and capture the password; it needs to go into `configuration.auto.tfvars` as `root_ca_password`. The script\nuses the step cli tool to generate the file `kubernetes/helm_values/step-certificates-bootstrap.yaml` which is used to\nbootstrap the Step CA in the cluster.\n\nIn the `kubernetes` subdirectory, create a `configuration.auto.tfvars` file using the example:\n```shell\n$ cp configuration.auto.tfvars.example configuration.auto.tfvars \n```\nThen apply your configuration to the new file. 
\n\nInstall Harbor and all other applications into the Kubernetes cluster:\n```shell\n$ tofu init\n$ tofu plan\n$ tofu apply\n```\nAfter everything has been provisioned with OpenTofu, [Harbor](https://goharbor.io/) is available locally under the IP\naddress and domain which you configured earlier. You can now log in with username `admin` and your\n`harbor_admin_password` which you specified in `configuration.auto.tfvars`.\n\nYou might want to add a DNS entry for it and add the root CA to your local trust store. You can do this conveniently\nwith Step CLI:\n```shell\n$ tofu output -raw root_ca_crt \u003e root_ca.crt\n$ step certificate install root_ca.crt\n```\n\n### Configure Kubernetes Cluster with the new Harbor Image Cache\nThe objective is to have Harbor available as container image cache eventually. So the last step is to configure\nthe image cache for your Kubernetes nodes. As this is specific to the container runtime and registry you are using, I\nneed to exclude instructions here. For those using Talos Linux for running their cluster, [this is straightforward and\nwell documented](https://www.talos.dev/v1.10/talos-guides/configuration/pull-through-cache/#using-harbor-as-a-caching-registry).\n\n## Information Sources\n* [Talos Linux documentation](https://www.talos.dev/v1.8/)\n* [Talos Linux Image Factory](https://factory.talos.dev/)\n* Terraform providers/modules\n  * Baremetal provisioning\n    * [terraform-provider-proxmox](https://github.com/Telmate/terraform-provider-proxmox)\n    * [terraform-provider-talos](https://github.com/siderolabs/terraform-provider-talos)\n  * Kubernetes\n    * [terraform-provider-kubernetes](https://github.com/hashicorp/terraform-provider-kubernetes)\n    * [terraform-provider-helm](https://github.com/hashicorp/terraform-provider-helm)\n  * Applications\n    * [terraform-provider-harbor](https://github.com/goharbor/terraform-provider-harbor)\n* Helm charts:\n  * 
[metallb](https://github.com/metallb/metallb/tree/main/charts/metallb) \n  * Certificate Authority\n    * [step-certificates](https://artifacthub.io/packages/helm/smallstep/step-certificates)\n    * [step-issuer](https://artifacthub.io/packages/helm/smallstep/step-issuer)\n  * [cert-manager](https://artifacthub.io/packages/helm/cert-manager/cert-manager)\n  * [ingress-nginx](https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx)\n  * [Harbor](https://github.com/goharbor/harbor-helm)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmax-pfeiffer%2Fharbor-turnkey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmax-pfeiffer%2Fharbor-turnkey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmax-pfeiffer%2Fharbor-turnkey/lists"}