Instructions to update authentication within Harbor on Photon OS.
In order to switch authentication modes you must first delete all the local database users (the built-in admin and anonymous accounts, user_id 1 and 2, stay). Open a shell in the database container and connect to the registry database:

```bash
docker exec -it harbor-db bash
psql -U postgres
```

```sql
-- switch to the Harbor registry database
\c registry
-- review the local users before deleting anything
select * from harbor_user;
-- remove everyone except the built-in admin (1) and anonymous (2) accounts
delete from harbor_user where user_id > 2;
```

The delete may be refused because of a foreign-key constraint on the project table (owner_id references harbor_user). Reassign ownership of all projects to the admin user and then repeat the delete:

```sql
update project set owner_id=1;
```
Afterwards, refresh the Administration > Configuration page and the Auth Mode dropdown should now be editable.
Reference: Harbor FAQs · goharbor/harbor Wiki (github.com)
Add CA within Harbor (this is specific to VMware Photon OS): append the OIDC provider's certificate chain to the host's CA bundle so that TLS connections from the Harbor host to the provider are trusted.

```bash
cat organized_chain.crt >> /etc/pki/tls/certs/ca-bundle.crt
```
Prerequisites:
- There are no local DB users listed in Harbor under Administration > Users. Otherwise, delete them using the instructions under Switch Authentication Modes.
- From the Harbor instance, be sure you can access the OpenID Configuration; the URL that ends with `/.well-known/openid-configuration`.
  - If this fails, attempt to run the `curl` command with the `-k` parameter to verify that the issue is not related to TLS; if it is, add the CA within Harbor.
  - If the issue does not appear to be TLS-related, then be sure you can ping or traceroute to the OIDC provider and verify you can access the port via `netcat` or `Test-NetConnection` (PowerShell).
- Create a client within Keycloak:
  - Be sure to enable Client authentication and enable Service accounts roles.
  - Disable Direct access grants since it's not required.
  - Once the client has been created, add the following:
    - Settings > Access settings > Valid redirect URLs > Update this with the URL from Harbor OIDC Settings
    - Client scopes > Add client scope > Add > groups; Assign Type to Default
- Admin credentials to log into Harbor
- Log into Harbor with your admin credentials.
- Navigate to Administration > Configuration
- Switch the Auth mode to OIDC
- Set the following values:
| Key | Value | Notes |
|---|---|---|
| OIDC Provider Name | Keycloak | Any identifier is fine |
| OIDC Endpoint | <OIDC configuration URL> | Do not include /.well-known/openid-configuration portion or the trailing slash |
| OIDC Client ID | <Client ID> | Retrieve from OIDC |
| OIDC Client Secret | <Client Credentials> | Retrieve from OIDC |
| Group Claim Name | groups | Required to set up users with admin rights |
| OIDC Admin Group | Harbor Admins | Group reserved for admins in Keycloak |
| OIDC Scope | openid,offline_access | Comma-delimited with no spaces; additional scopes may be added if they are not included by default, e.g., profile or email |
| Verify Certificate | Unchecked | Certificate must be added to the immutable Docker image for this to be enabled (Out of scope) |
| Automatic onboarding | Checked | |
| Username Claim | preferred_username | Common field used for username defined in Keycloak |
- Update the Keycloak Client with the correct Redirect URI
- Click on the Test OIDC Server button
- If no errors, then Save. Otherwise, check the logs for any errors by logging into your Harbor host and running the following command (the --tail and -f flags are optional):

```bash
docker logs harbor-core --tail=10 -f
```
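
A pre-flight script that covers the prerequisite checks above (can the discovery document be fetched, and is a failure a TLS trust problem or plain connectivity) and the OIDC Endpoint and OIDC Scope values from the table. This is an added example, not code from the original notes or from the Harbor or Keycloak projects; it uses only the Python standard library, and the keycloak.example.test host and the sample discovery document are constructed placeholders. The issuer comparison is there because Harbor's OIDC client rejects a provider whose advertised issuer differs from the configured endpoint.

```python
"""Pre-flight checks for Harbor OIDC settings pointed at a Keycloak realm.
Added example (not from the notes or the Harbor/Keycloak projects);
standard library only; host names and SAMPLE_DOC are constructed."""
import json
import socket
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def issuer_from_discovery_url(url: str) -> str:
    """Derive Harbor's 'OIDC Endpoint' value from the discovery URL: drop the
    /.well-known/openid-configuration part and any trailing slash."""
    url = url.strip().rstrip("/")
    if url.endswith(DISCOVERY_SUFFIX):
        url = url[: -len(DISCOVERY_SUFFIX)]
    return url.rstrip("/")


def validate_scope(scope: str) -> list:
    """'OIDC Scope' must be comma-delimited, have no spaces and include openid.
    Returns a list of problems; empty means OK."""
    problems = []
    if " " in scope:
        problems.append("scope contains spaces (use the openid,offline_access form)")
    parts = scope.split(",")
    if "" in parts:
        problems.append("scope has an empty entry (doubled or trailing comma)")
    if "openid" not in parts:
        problems.append("scope does not include 'openid'")
    return problems


def check_discovery_document(doc: dict, issuer: str, scope: str) -> list:
    """Compare what the provider advertises with what Harbor will be configured with.
    Keycloak lists its realm client scopes in scopes_supported, so a scope that
    Harbor asks for but the realm lacks shows up here before the Save button."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: provider says {doc.get('issuer')!r}, "
                        f"Harbor would use {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    supported = set(doc.get("scopes_supported", []))
    for s in scope.split(","):
        if supported and s and s not in supported:
            problems.append(f"scope {s!r} not in scopes_supported; add it as a client scope")
    return problems


def fetch_discovery(issuer: str, verify_tls: bool = True, timeout: float = 5.0) -> dict:
    """Fetch the discovery document. verify_tls=False is the 'curl -k' step:
    only for telling a trust problem apart from a connectivity problem."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(issuer + DISCOVERY_SUFFIX, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def diagnose_reachability(issuer: str) -> str:
    """Same order as the notes: TCP port (netcat / Test-NetConnection), then TLS
    with verification, then without it to isolate a missing CA."""
    parsed = urlparse(issuer)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        socket.create_connection((parsed.hostname, port), timeout=5).close()
    except OSError as exc:
        return f"cannot open TCP port {port} on {parsed.hostname}: {exc} (routing/firewall, not TLS)"
    try:
        fetch_discovery(issuer, verify_tls=True)
        return "ok"
    except urllib.error.URLError as exc:
        if not isinstance(exc.reason, ssl.SSLError):
            return f"HTTP-level failure: {exc.reason}"
    try:
        fetch_discovery(issuer, verify_tls=False)
        return "TLS trust failure only: add the provider's CA chain to the host trust store"
    except urllib.error.URLError as exc:
        return f"TLS handshake fails even without verification: {exc.reason}"


# Constructed, trimmed sample of what a Keycloak realm publishes (placeholder host).
SAMPLE_DOC = {
    "issuer": "https://keycloak.example.test/realms/harbor",
    "authorization_endpoint": "https://keycloak.example.test/realms/harbor/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/realms/harbor/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.test/realms/harbor/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "offline_access", "profile", "email", "groups"],
}

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DOC["issuer"] + DISCOVERY_SUFFIX
    issuer = issuer_from_discovery_url(url)
    print("OIDC Endpoint for Harbor:", issuer)
    print("scope problems:", validate_scope("openid,offline_access") or "none")
    print("offline check:", check_discovery_document(SAMPLE_DOC, issuer, "openid,offline_access") or "none")
    if len(sys.argv) > 1:  # only hit the network when a real discovery URL is given
        print("live check:", diagnose_reachability(issuer))
```

Run it with the realm's discovery URL as the only argument to do the live reachability check; without an argument it only exercises the offline checks against the constructed sample document.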