spectrocloud · lennessyy · Dec 13, 2023 · Nov 17, 2023 · Nov 20, 2023 · Nov 29, 2023
diff --git a/docs/docs-content/clusters/edge/networking/kubevip.md b/docs/docs-content/clusters/edge/networking/kubevip.md
@@ -9,6 +9,7 @@ tags: ["edge"]
 
 You can use kube-vip to provide a virtual IP address for your cluster and use it to expose a service of type `LoadBalancer` on the external network. You can have kube-vip dynamically request IP addresses or use a static IP address. 
 
+
 Kube-vip supports DHCP environments and can request additional IP address from the DHCP server automatically. Using kube-vip, you can expose services inside your cluster externally with a virtual IP address even if you do not have control over your host's network. Kube-vip can also act as a load balancer for both your control plane and Kubernetes services of type `LoadBalancer`.
 
 ## Limitations
@@ -63,9 +64,11 @@ However, Palette has configured values for the following parameters and they can
   | `svc_enable` | Enables kube-vip to handle traffic for services of type LoadBalancer. |
   | `vip_serviceinterface` | Specifies the NIC that kube-vip will use for handling traffic to LoadBalancer-type services. If your cluster has network overlay enabled, or if your host has multiple NICs and you want to publish services on a different NIC than the one used by Kubernetes, you should specify the name of the NIC as the value of this parameter. If this parameter is not specified and you have set `svc_enable` to `true`, kube-vip will use the NIC you specified in `vip_interface` to handle traffic to LoadBalancer-type services.  |
 
-8. Next, in layer of your cluster profile that has the service you want to expose, add two parameters `loadBalancerIP: IP_ADDRESS` and `loadBalancerClass: kube-vip.io/kube-vip-class` to the service spec. 
+
+8. Next, in layer of your cluster profile that has the service you want to expose, add two parameters `loadBalancerIP: IP_ADDRESS` and `loadBalancerClass: kube-vip.io/kube-vip-class` to the service spec. The following example manifest displays the usage of these two parameters.
 
   If you are deploying in a DHCP environment, use `0.0.0.0` as the value for the `loadBalancerIP` parameter. If you want kube-vip to use a static IP, specify the IP address and make sure it's unused by other hosts in the network. The following example manifest displays the usage of these two parameters.
+
    ```yaml {7-8}
     apiVersion: v1
     kind: Service

diff --git a/docs/docs-content/clusters/edge/networking/local-registry.md b/docs/docs-content/clusters/edge/networking/local-registry.md
@@ -0,0 +1,59 @@
+---
+sidebar_label: "Enable Local Harbor Image Registry"
+title: "Enable Local Harbor Image Registry"
+description: "Guide to enabling a local harbor registry on an Edge deployment."
+hide_table_of_contents: false
+sidebar_position: 60
+tags: ["edge"]
+---
+
+Palette Edge allows you to provision a local Harbor image registry as part of your Edge deployment. When your Edge cluster is created for the first time, all images downloaded from external registries are stored locally in the Harbor registry, including your provider images and all packs used by your cluster. Subsequent image pulls from the cluster are made to the local Harbor registry. This allows your Edge cluster to reboot containers or add new nodes without being connected to the external network. 
+
+
+![Local Harbor Registry Architecture](/clusters_edge_networking_local_harbor_architecture.png)
+
+## Prerequisites
+
+- At least one Edge host registered with your Palette account with an AMD64 or x86_64 processor architecture. 
+
+- Each of your Edge hosts must have at least 4 CPUs and 8 GB of RAM.
+
+- At least 160 GB of persistent storage. The actual amount of storage required depends on the size of your images. 
+
+- An Edge cluster profile. For information about how to create a cluster profile for Edge, refer to [Model Edge Cluster Profile](../site-deployment/model-profile.md).
+
+## Enable Local Harbor Registry
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. Navigate to the left **Main Menu** and select **Profiles**.
+
+3. Select the profile you plan to use for deployment and create a new version of the profile.
+
+4. If the profile does not already have a storage layer, click **Add New Pack** to add a storage pack. You can choose any storage pack for your storage layer. 
+
+5. Click **Add New Pack** and search for the **Harbor Edge Native Config** pack. Add the pack to your cluster profile. For more information about the pack and its parameters, refer to [Harbor Edge Native Config pack documentation](../../../integrations/harbor-edge.md).
+
+6. In the `harbor-config.storage` parameter, make sure you allocate enough storage in the `registry` field to store all your images.
+
+7. Click **Save Changes**.
+
+8. Deploy a new Edge cluster with your updated profile. Or if you have an active cluster, update the cluster to use the new version of the cluster profile. The initial download of the images still requires a connection to the external network, but subsequent images pulls will be from the local harbor registry. 
+
+## Validation
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. From the left **Main Menu**, navigate to **Clusters**. Choose your Edge cluster.
+
+3. Navigate to the **Nodes** tab, in the **Private Ips** column, you can find the IP addresses of your Edge hosts. 
+
+4. Ensure you have network access to your Edge hosts. Open a new tab in your browser and navigate to `https://NODE_IP:30003` and replace `NODE_IP` with any IP address in your cluster. NodePort-type services are exposed on the same port on all nodes in your cluster. If you changed the HTTPS port in the configurations, replace the port with the HTTPS port you used. 
+
+5. If you didn't provide a certificate or used a self-signed certificate, your browser might warn you about an unsafe connection. Dismiss the warning, and you will be directed to Harbor's web UI. If you are using Google Chrome, you can click anywhere in your browser tab and type `thisisunsafe` using your keyboard to dismiss the warning. 
+
+6. Type in your credentials to log in to Harbor. The username is always `admin`. The password is what you configured during cluster creation. If you don't know your password, refer to [Retrieve Harbor Credentials](../../../integrations/harbor-edge.md#retrieve-harbor-credentials) to retrieve your password.  
+
+7. In the **Projects** view, select the **spectro-images** project.
+
+8. Confirm that all images required by the cluster are stored in the project. 
diff --git a/docs/docs-content/clusters/edge/networking/networking.md b/docs/docs-content/clusters/edge/networking/networking.md
@@ -14,4 +14,6 @@ This section describes solutions offered by Palette Edge to navigate different n
 ## Resources
 
 - [Publish Cluster Services with Kube-vip](kubevip.md)
-- [Enable Overlay Network](vxlan-overlay.md)
+- [Enable Overlay Network](vxlan-overlay.md)
+- [Enable Local Harbor Image Registry](local-registry.md)
+
diff --git a/docs/docs-content/clusters/edge/networking/vxlan-overlay.md b/docs/docs-content/clusters/edge/networking/vxlan-overlay.md
@@ -56,7 +56,7 @@ You will not be able to change the network overlay configurations after the clus
 5. Give the cluster a name, description, and tags. Click on **Next**.
 
 6. Select a cluster profile. If you don't have a cluster profile for Edge Native, refer to the [Create Edge Native Cluster Profile](../site-deployment/model-profile.md) guide. Click on **Next** after you have selected a cluster profile.
-
+ 
 7. In the network layer of your cluster profile, specify the name of the Network Interface Controllers (NIC) on your Edge hosts to be `scbr-100`. This is the name of the interface Palette creates on your Edge devices to establish the overlay network.
 
     The following are the sections of the packs you need to change depending on which CNI pack you are using:

diff --git a/docs/docs-content/clusters/edge/site-deployment/stage.md b/docs/docs-content/clusters/edge/site-deployment/stage.md
@@ -171,13 +171,13 @@ You will create a Virtual Machine Disk (VMDK) from the Edge Installer ISO and up
   nohup make vmdk &
   ```
 
-    :::info
+  :::info
 
-    If you are using a *Tenant Registration Token* for auto-registration, you can omit the environment variable `REGISTRATION_URL`. 
+  If you are using a *Tenant Registration Token* for auto-registration, you can omit the environment variable `REGISTRATION_URL`. 
 
-    :::
+  :::
 
-    A VMDK file was generated in the **stylus-image-builder/images** folder. Rename this VMDK to a preferred installer name. Ensure the VMDK file retains the `.vmdk` extension.
+  A VMDK file was generated in the **stylus-image-builder/images** folder. Rename this VMDK to a preferred installer name. Ensure the VMDK file retains the `.vmdk` extension.
 
 
 6. Transfer the VMDK to a datastore in your VMware environment. Review the commands below and ensure you replace the placeholders with the respective values from your environment.

diff --git a/docs/docs-content/integrations/harbor-edge.md b/docs/docs-content/integrations/harbor-edge.md
@@ -0,0 +1,194 @@
+---
+sidebar_label: 'harbor-edge'
+title: 'Harbor Edge Native Config'
+description: 'Harbor Edge Native Config pack in Spectro Cloud'
+hide_table_of_contents: true
+type: "integration"
+category: ['system-app', 'registry']
+sidebar_class_name: "hide-from-sidebar"
+logoUrl: 'https://registry.spectrocloud.com/v1/harbor/blobs/sha256:5cf19a83449d41a6eb2398194dd4563d31d371074375255ba8a2fc4feff4ef33?type=image/png'
+tags: ['packs', 'harbor-edge-native-config', 'system-app']
+---
+
+Harbor is an open-source registry that secures artifacts with policies and role-based access control. You can install Harbor on your Edge clusters and use it to store all the images used by the cluster, including your provider images and all packs used by your cluster. After the initial download, the cluster can pull images from Harbor instead of an external registry, allowing your cluster to reboot containers or add new nodes without a connection to the external network.
+
+
+## Versions Supported
+
+:::info
+The Harbor Edge-Native Config pack is a system application pack. When you provision a cluster with a profile that includes this pack, Palette automatically chooses the latest version of Harbor supported by Palette to install on the cluster. You cannot manually choose a version of this pack.  
+:::
+
+<Tabs>
+<TabItem value="1.0.0" label="1.0.0">
+
+### Prerequisites
+
+- All Edge devices in your cluster must have at least 4 CPUs and 8 GB of RAM.
+
+- At least 160 GB of persistent storage volume for the cluster. The actual volume required depends on the size of the images used by your cluster. 
+
+- A Container Storage Interface (CSI) pack is required in your cluster profile. 
+
+### Parameters
+
+:::tip
+You can use a macro to avoid providing credentials in plain text. For more information about macros, refer to [Macros guide](../clusters/cluster-management/macros.md).
+:::
+
+| **Parameter** | **Description**  |
+|---------------|------------------|
+| `harbor-config.auth.password` | Specifies the password used with the default user name `admin` to authenticate with the Harbor image registry. You cannot change the username. If you don't provide password, a random password is generated and saved to a secret in the cluster named `registry-info` in the `cluster_CLUSTER_UID` namespace, where `CLUSTER_UID` is the unique ID for your cluster. You find this namespace by listing all namespaces in your cluster. This password is automatically configured to be used internally inside the cluster for image pulls, and you would only need it for accessing the Harbor registry from outside the cluster.|
+| `harbor-config.auth.certs` | Specifies the certificate and private key used for authentication with Harbor. The common name or subject alternative name must include the host name `spectro.registry.local` and the Edge cluster's virtual IP address. If you don't provide a certificate or private key, Palette generates a certificate and a private key to use internally within the cluster. You can find the certificate in a secret named `harbor-tls` in the `harbor` namespace. |
+| `harbor-config.service.serviceType` | Specifies the service type for the Harbor service. The default service type is NodePort. |
+| `harbor-config.service.harbor` | Specifies the ports that harbor is exposed on. |
+| `harbor-config.storage` | Specifies the size of the Harbor's persistent volume claim in GB. You can configure persistent volume claims for `registry`, `jobService`, `database`, `redis`, and `trivy`. |
+| `harbor-config.service.metrics.enabled` | Specify whether to enable metrics on Harbor. For more information about the kinds of metrics that are exposed, refer to [Harbor metrics documentation](https://goharbor.io/docs/main/administration/metrics/). |
+
+### Usage
+
+#### Enable Harbor to Protect Against Outage
+You can use Harbor in an Edge cluster that is connected to external networks. Harbor stores all container images downloaded from the internet and future image pulls from the cluster will be from the local harbor registry. If your cluster experiences an internet outage, it can still reboot containers or add new nodes using images stored locally in Harbor. For more information, refer to [Deploy a Cluster with a Local Harbor Registry](../clusters/edge/networking/local-registry.md).
+
+#### Log in to Harbor Web UI
+
+With Harbor enabled on your Edge cluster, you can log in to Harbor via its web UI. By default, the Harbor service is accessible as a NodePort-type service with HTTPS enabled on port `30003`. You can use the following steps to log in to Harbor via the web UI. 
+
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. From the left **Main Menu**, navigate to **Clusters**. Choose your Edge cluster.
+
+3. Navigate to the **Nodes** tab, in the **Private Ips** column, you can find the IP addresses of your Edge hosts. 
+
+4. Ensure you have network access to your Edge hosts. Open a new tab in your browser and navigate to `https://NODE_IP:30003` and replace `NODE_IP` with any IP address in your cluster. NodePort-type services are exposed on the same port on all nodes in your cluster. If you changed the HTTPS port in the configurations, replace the port with the HTTPS port you used. 
+
+5. If you didn't provide a certificate or used a self-signed certificate, your browser might warn you about an unsafe connection. Dismiss the warning, and you will be directed to Harbor's web UI. If you use Google Chrome, you can click anywhere in your browser tab and type `this is unsafe` using your keyboard to dismiss the warning. 
+
+6. Type in `admin` as the username and your password to log in to Harbor. If you don't know your password, refer to [Retrieve Harbor Credentials](#retrieve-harbor-credentials) to retrieve your password.  
+
+
+#### Retrieve Harbor Credentials
+
+During cluster creation, Palette creates two secrets that store the password used to authenticate the `admin` user in Harbor and the X509 certificate used for TLS. You can access both of these credentials using the following steps:
+
+1. Configure kubectl to access your Kubernetes cluster. For more information, refer to [Access a Cluster with CLI](../clusters/cluster-management/palette-webctl.md). 
+
+2. Depending on the credential you want to retrieve, use the commands described below. 
+
+<Tabs>
+<TabItem value="password" label="Password">
+
+1. Issue the command `kubectl get namespaces` to get all namespaces. Look for a namespace called `cluster-CLUSTER-ID`, where `CLUSTER-ID` is a string of alphanumeric characters. This is the namespace where the secret for your Harbor password is stored. 
+
+2. Issue the following command to get the password of your Harbor user. Replace `CLUSTER-ID-NAMESPACE` with the namespace you identified in the previous step. This command outputs your password. 
+
+```shell
+kubectl get secret registry-info --namespace CLUSTER-ID-NAMESPACE --output jsonpath="{.data.SPECTRO_USER_PASSWORD}" | base64 --decode
+```
+
+</TabItem>
+
+<TabItem value="certificate" label="X509 certificate">
+Issue the following command to retrieve the certificate. 
+
+```shell
+kubectl get secret harbor-tls --namespace harbor --output jsonpath="{.data.tls\.crt}" | base64 --decode
+```
+
+</TabItem>
+
+<TabItem value="private-key" label="Private key">
+Issue the following command to retrieve the private key.
+
+```shell
+kubectl get secret harbor-tls --namespace harbor --output jsonpath="{.data.tls\.key}" | base64 --decode
+```
+
+</TabItem>
+</Tabs>
+
+#### Push and Pull Images to Harbor
+
+You can use the following steps to push images to and pull images from the Harbor registry. 
+
+:::info
+If you didn't provide a certificate or are using a self-signed certificate, Docker will refuse to connect to the registry unless you configure Docker to trust the certificate authority or use a insecure connection for your Harbor registry. You can configure Docker to use a insecure connection by adding a line `"insecure-registries": ["REGISTRY_URL"]` in your Docker `daemon.json` file. For more information about `daemon.json`, refer to [Docker documentation](https://docs.docker.com/config/daemon/). 
+:::
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. From the left **Main Menu**, navigate to **Clusters**. Choose your Edge cluster.
+
+3. Navigate to the **Nodes** tab, in the **Private Ips** column, you can find the IP addresses of your Edge hosts. 
+
+4. Ensure you have network access to your Edge hosts. Log in to Harbor from your command-line interface. The following example uses Docker, but you can use any other image management tool. Replace `NODE_IP` with the IP address of any of the nodes and replace `HARBOR_PASSWORD` with the password of your Harbor user. If you don't know your password, refer to [Retrieve Harbor Credentials](#retrieve-harbor-credentials). 
+
+   ```shell
+   docker login NODE_IP:30003 --user admin --password HARBOR_PASSWORD
+   ```
+
+5. After a successful login, you can start to pull and push images. 
+
+  <Tabs>
+  <TabItem value="pull-image" label="Pull images">
+   To pull an image from the Harbor registry, issue the following command. 
+
+   ```shell
+   docker pull REGISTRY_URL/PROJECT_NAME/IMAGE_NAME:TAG
+   ```
+
+   For example, the following command pulls the image for `kube-vip` from the Harbor registry.
+
+   ```shell
+   docker pull 10.10.137.220:30003/spectro-images/gcr.io/spectro-images-public/kube-vip/kube-vip:v0.6.3
+   ```
+  </TabItem>
+
+  <TabItem value="push-image" label="Push images">
+  To push an image to the Harbor registry, first tag the image with your registry URL. 
+
+  ```shell
+  docker tag LOCAL_IMAGE:LOCAL_IMAGE_TAG REGISTRY_URL/PROJECT_NAME/IMAGE_NAME:TAG
+  ```
+
+  After tagging the image, you can push it to the Harbor registry.
+
+  ```shell
+  docker push REGISTRY_URL/PROJECT_NAME/IMAGE_NAME:TAG
+  ```
+
+  For example, the following commands tag the local image `alpine:latest` and push it to the Harbor registry. 
+
+  ```
+  docker tag alpine:latest 10.10.137.220:30003/spectro-images/alpine:latest
+  docker push 10.10.137.220:30003/spectro-images/alpine:latest
+  ```
+  </TabItem>
+  </Tabs>
+
+</TabItem>
+</Tabs>
+
+## Terraform
+
+You can reference the Harbor Edge-Native Config pack in Terraform with a data resource.
+
+```hcl
+data "spectrocloud_registry" "public_registry" {
+  name = "Public Repo"
+}
+
+data "spectrocloud_pack_simple" "harbor-edge-native-config" {
+  name    = "harbor-edge-native-config"
+  version = "1.0.0"
+  type = "helm"
+  registry_uid = data.spectrocloud_registry.public_registry.id
+}
+```
+
+## Resources
+
+- [Deploy a Cluster with a Local Harbor Registry](../clusters/edge/networking/local-registry.md)
+
+- [Harbor documentation](https://goharbor.io/docs/2.4.0/install-config/)
diff --git a/static/assets/docs/images/clusters_edge_networking_local_harbor_architecture.png b/static/assets/docs/images/clusters_edge_networking_local_harbor_architecture.png