Using Harbor with the VMware Event Broker Appliance
The vCenter Event Broker Appliance (VEBA) is still one of my favorite open source projects these days and it is evolving rapidly and continuously through the great work of the two main contributors Michael Gasch and William Lam as well as through the valuable feedback from the community. I'm very proud to be part of the “inner circle” of folks who meet on a regular basis to discuss everything #VEBA and the keyword here is also feedback.
Version 0.3 was recently announced with big updates, which can be viewed via the following link: Big updates to the vCenter Event Broker Appliance (VEBA) Fling
Just to name a few updates:
- VMware Event Router implementation
- AWS EventBridge support
- New event payload structure - cloudevents.io
Pulling images from Harbor fails
I was still testing the new version in my lab but this time I wanted to add another great open source project as a playmate to the round, the enterprise container image registry Harbor. VEBA is using OpenFaaS® as the built-in event processor and you define the function configuration in a YAML file, the stack.yml.
A closer look into the stack.yml file shows us that the official VMware repository is used. We only see the repository name vmware/, the image name veba-powercli-tagging as well as the tag :latest. This means that when no registry is configured at this point, the Docker default applies, which is then Docker Hub.
Instead of pulling the appropriate image(s) from Docker Hub, I wanted to use Harbor this time. In order to implement this, I have to replace the original image specification in the stack.yml and point to my Harbor instance, the corresponding project and the image with tag.
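To check which registry each image line in a stack.yml actually resolves to, the following added example (not from the original post) applies Docker's reference rule and prints, for private registries, the directory where Docker looks for that registry's CA certificate. The host harbor.example.test and the project name veba are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): which registry does each image in a
# stack.yml resolve to, and where would Docker look for that registry's CA?

# Docker's rule: the text before the first "/" names a registry only if it
# contains "." or ":" or is exactly "localhost"; otherwise Docker Hub is used.
registry_of() {
  case "$1" in
    */*) first=${1%%/*} ;;
    *)   echo docker.io; return 0 ;;
  esac
  case "$first" in
    *.*|*:*|localhost) echo "$first" ;;
    *)                 echo docker.io ;;
  esac
}

# Read a stack.yml on stdin; print "image<TAB>registry<TAB>CA path" per image.
audit_stack() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
    tr -d "\"'" |
    while IFS= read -r img; do
      [ -n "$img" ] || continue
      reg=$(registry_of "$img")
      if [ "$reg" = docker.io ]; then
        printf '%s\t%s\t%s\n' "$img" "$reg" "-"
      else
        # Docker's documented per-registry CA location.
        printf '%s\t%s\t%s\n' "$img" "$reg" "/etc/docker/certs.d/$reg/ca.crt"
      fi
    done
}

# Constructed sample: harbor.example.test and the project "veba" are
# placeholders, not values from the post.
sample_stack() {
  cat <<'EOF'
functions:
  powercli-tag-hub:
    image: vmware/veba-powercli-tagging:latest
  powercli-tag-harbor:
    image: "harbor.example.test/veba/veba-powercli-tagging:latest"  # private registry
EOF
}

sample_stack | audit_stack
```

Run it against a real file with audit_stack < stack.yml before deploying, so an image that silently falls back to Docker Hub is visible.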
Create a project in Harbor
Before we continue with the deployment of a function and what I've observed when VEBA is trying to pull the images from Harbor, I'd like to give you a short introduction “How to create a project in Harbor”.
- Login with admin, select Projects and give it a name.
- Go to Members and add a new User to the project.
- The last step for now is to mark the project as Public so it is accessible to everyone and no docker login is required before. I also enable the Automatically scan image on push option, to let Clair immediately scan images when they are pushed.
Optional: Authentication with LDAP
The following settings are not required but I wanted to authenticate Active-Directory users and groups to my project(s). I think it could be helpful to see a working configuration.
If everything is configured correctly, you should be able to add one or more AD groups to your project.
Push an image to Harbor
For this demonstration I'm going to pick the vSphere Tagging Function example. Let's create the veba-powercli-tagging image from the Dockerfile which is located in the following directory: vcenter-event-broker-appliance/examples/powercli/tagging/template/powercli/.
We can build, tag and push the image in two ways:
The Docker way - docker cli
Change into the directory where the Dockerfile is located, create a fresh new image out of it and directly assign it a tag:
Log in to Harbor with an assigned user or a user of an assigned group:
After a successful login, push the image to your project:
The OpenFaaS way - faas-cli
The use of the faas-cli makes the above described steps a little bit more comfortable and in the end, the faas-cli is using the native docker commands as well. To build as well as to tag the image, we just need to execute faas-cli build -f stack.yml. This command will pick the image specification from the stack.yml and will hand it over automatically.
Same result here:
You still need to log in to Harbor if you want to execute the push command, otherwise you will receive the following error:
Log in and execute faas-cli push -f stack.yml. The image will be pushed into your project.
Deploy a function to VEBA
I don't need to stress this topic in detail here because everything you need to be ready for take off 🚀 with VEBA is well documented on the GitHub page and if you miss something or need a more comprehensive insight on VEBA, visit this blog series by Patrick Kraemer. Assuming the corresponding image is available in Harbor and the stack.yml is adapted accordingly (see Figure II), you can proceed with the steps provided on GitHub (LINK). Update the stack.yml and the vc-tag-config.json with your environment information.
I'm curious and therefore I established an ssh connection to my VEBA appliance. By executing kubectl -n openfaas-fn get pods, I can see how the deployment of the pod runs and the following is not what we want to see as a result:
I validated this behavior by executing docker images and observed that no image has been downloaded from Harbor. Troubleshooting often means, if an automatic process fails, go the manual way step by step. Consequently, the next step is to download the image manually.
Interesting!
This is not based on the fact that I have not done a docker login before, as this is not necessary since we have made our project publicly available.
Following the official Docker documentation, this behavior is expected: Verify repository client with certificates
In order to retrieve the needed certificate information you can simply run the following openssl command:
I've also created a little script which downloads the root certificate from Harbor, creates the relevant directories, puts the certificate into them and restarts the docker service.
You can download the script HERE and copy it via scp into your VEBA appliance.
Make it executable with chmod +x docker_harbor_cert.sh and run it. The other option, without using scp, is to establish an ssh connection and to copy and execute the necessary lines directly.
The script
VEBA is now able to pull and run the image from Harbor.
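A certificate downloaded from the registry you are about to trust is only as trustworthy as that first connection. The following added example (not the author's docker_harbor_cert.sh) installs a CA file into Docker's per-registry directory only when its SHA-256 fingerprint matches a value obtained out of band; harbor.example.test and the /tmp path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the author's docker_harbor_cert.sh: trust a registry CA
# for Docker only after its SHA-256 fingerprint matches a value obtained
# out of band (for example from the Harbor administrator).

# Print the last PEM certificate found on stdin (the end of a presented chain).
last_pem_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/   { last = buf }
       END { printf "%s", last }'
}

# Print a certificate's SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# install_registry_ca HOST[:PORT] PEM_FILE EXPECTED_SHA256 [CERTS_ROOT]
# Copies PEM_FILE to CERTS_ROOT/HOST/ca.crt only when the fingerprint matches.
install_registry_ca() {
  host=$1; pem=$2; root=${4:-/etc/docker/certs.d}
  want=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
  got=$(cert_sha256 "$pem")
  if [ -z "$got" ] || [ "$got" != "$want" ]; then
    echo "refusing to trust $pem for $host: fingerprint '$got' not expected" >&2
    return 1
  fi
  mkdir -p "$root/$host" && cp "$pem" "$root/$host/ca.crt" &&
    chmod 0644 "$root/$host/ca.crt"
}

# Typical use on the appliance (placeholders; needs network access and root):
#   openssl s_client -connect harbor.example.test:443 -showcerts </dev/null \
#     | last_pem_cert > /tmp/harbor-ca.pem
#   install_registry_ca harbor.example.test /tmp/harbor-ca.pem "<fingerprint>"
# The post restarts the Docker service afterwards; that step is left to the caller.
```

Whether the last certificate a server presents is its root CA depends on how the server is configured, so compare the fingerprint with the one the registry administrator publishes rather than with one read from the same connection.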