
Migrate helm chart to oci registry in Harbor

stonezdj(Daojun Zhang) edited this page Mar 5, 2024 · 30 revisions

Migrate steps

This guide explains how to migrate your Helm chart files (chartmuseum) to OCI chart files.

Make sure that the source Harbor registry version is v2.7.x or lower before proceeding with the migration. If you have already upgraded the source Harbor registry to version 2.8, please refer to the procedure under Question 3 below to complete the migration.

  • If you're using Harbor with docker-compose, skip to step 5.
  • If you're using Harbor-helm, follow steps 1-5.
  1. Set up a new Harbor registry (temp Harbor registry) on your local machine using the online/offline installer, or use an existing one with version v2.7.x. Make sure not to install this registry instance on Kubernetes.

  2. Log in to the temp Harbor registry and create a new registry endpoint that points to the source Harbor registry.

  3. Create a replication rule to copy all helm charts of the source Harbor registry to the temp Harbor registry.

  4. Once replication is complete, all your Helm chart files should be available in the /data/chart_storage directory.

  5. To convert and push the OCI Helm charts to the source Harbor registry, run the following command in a terminal:

docker run -it --rm -v <path_to_chart_storage_directory>:/chart_storage \
  -v <path_to_the_source_harbor_registry_root.ca>:/usr/local/share/ca-certificates/harbor_ca.crt \
  goharbor/migrate-chart:1.1.0 --hostname <the_hostname_of_source_harbor_registry> --password <the_admin_password_of_source_harbor_registry>

After the command completes, check the <path_to_chart_storage_directory>/migration_errors.txt file to see if there are any errors. If an OCI artifact with the same repository name and tag already exists in the registry, the tool skips pushing the new image to the registry. If there are no errors, all Helm charts should have been pushed to Harbor successfully.

Verify

To verify that the migration was successful, follow these steps:

  1. Install the Helm chart from the OCI registry and verify that it works:
helm install myrelease oci://<the_hostname_of_source_harbor_registry>/<project>/<helm_reponame> --version <chart_version>
  2. The new Helm chart can be pushed to the source Harbor with this command:
helm push harbor-1.7.3.tgz oci://<the_hostname_of_source_harbor_registry>/<project>/

Questions

Question 1: The previous Helm CLI (chartmuseum repo) supported helm search; how do I search for Helm charts in an OCI registry?

The helm search CLI command is not supported, but you can search for Helm charts in the Harbor UI: filter artifacts by Type and select "CHART", and all Helm charts in the current repository are listed.


Question 2: Our charts are signed; how do we push/verify the provenance file with an OCI registry?

The helm push command pushes the provenance file if it exists in the same directory, and the helm pull command can download the provenance file if the chart is signed. You can also run helm verify on the chart:

# --prov also downloads the provenance file (harbor-1.7.3.tgz.prov) beside the chart
helm pull oci://<harbor fqdn>/helm-test/harbor --version 1.7.3 --prov
# the keyring previously used to sign the chart is exported to secring.gpg
helm verify harbor-1.7.3.tgz --keyring=secring.gpg
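
The following is an added example, not part of the Harbor wiki or the migrate-chart tool. It audits a local chart storage directory for the two checks described above: a non-empty migration_errors.txt after step 5, and, for signed charts, whether each chart's SHA-256 still matches the digest recorded in its provenance file. It assumes sha256sum is available and that provenance files sit beside their charts as <chart>.tgz.prov; the function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Harbor code. Assumes sha256sum (coreutils) and provenance
# files stored beside their charts as <chart>.tgz.prov.

# Print the sha256 hex digest that provenance file $1 records for chart file name $2.
prov_digest() {
  awk -v f="$2:" '$1 == f && $2 ~ /^sha256:/ { sub(/^sha256:/, "", $2); print $2; exit }' "$1"
}

# Summarise chart storage directory $1; return non-zero on a digest mismatch
# or a non-empty migration_errors.txt.
audit_chart_storage() {
  dir=$1; charts=0; signed=0; bad=0
  list=$(mktemp)
  find "$dir" -type f -name '*.tgz' > "$list"
  while IFS= read -r chart; do
    charts=$((charts + 1))
    [ -f "$chart.prov" ] || continue
    signed=$((signed + 1))
    want=$(prov_digest "$chart.prov" "$(basename "$chart")")
    have=$(sha256sum "$chart" | cut -d' ' -f1)
    if [ "$want" != "$have" ]; then
      bad=$((bad + 1))
      echo "DIGEST MISMATCH: $chart" >&2
    fi
  done < "$list"
  rm -f "$list"
  errors=no
  if [ -s "$dir/migration_errors.txt" ]; then errors=yes; fi
  echo "charts=$charts signed=$signed digest_mismatch=$bad migration_errors=$errors"
  [ "$bad" -eq 0 ] && [ "$errors" = no ]
}

# Constructed demo data (not real charts): one chart with a trimmed .prov, one without.
demo=$(mktemp -d)
mkdir -p "$demo/library"
printf 'constructed chart bytes' > "$demo/library/harbor-1.7.3.tgz"
printf 'files:\n  harbor-1.7.3.tgz: sha256:%s\n' \
  "$(sha256sum "$demo/library/harbor-1.7.3.tgz" | cut -d' ' -f1)" \
  > "$demo/library/harbor-1.7.3.tgz.prov"
printf 'constructed unsigned chart' > "$demo/library/redis-0.1.0.tgz"
audit_chart_storage "$demo"
```

This compares digests only; the PGP signature on the provenance file is still checked with helm verify.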

Question 3: If my Harbor instance has already been upgraded to 2.8, how do I migrate the Helm charts to OCI Helm charts in Harbor?

  1. Create a pod with this my-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: busybox
    image: busybox
    command:
      - sleep
      - infinity
    volumeMounts:
    - name: chartmuseum-data
      mountPath: /chart_storage
  volumes:
  - name: chartmuseum-data
    persistentVolumeClaim:
      claimName: <chartmuseum PVC name>

The <chartmuseum PVC name> should be replaced with the previous chartmuseum PVC name.

kubectl create -f my-pod.yaml
  2. Run the following command to copy the chart data to your local machine:
kubectl cp my-pod:/chart_storage <path to local dir>
  3. Check that the chart files are stored in /chart_storage, then delete the temporary pod and run migration step 5.
kubectl delete pod my-pod --force