Quick Start Guide on Installing Harbor on OpenShift

Example guide on how to deploy Harbor on OpenShift 4.x. This guide was tested with OpenShift Developer Sandbox version 4.20.

Prerequisites

• OpenShift 4.x cluster with access to a namespace
• oc CLI logged in to the cluster
• helm CLI installed (v3.x)

Overview

Harbor on OpenShift requires special configuration due to OpenShift's Security Context Constraints (SCC). This deployment uses:

• External PostgreSQL (official postgres image from Docker Hub)
• External Redis (Valkey - Redis compatible)
• OpenShift-compatible Harbor images from 8gears.container-registry.com

Deployment Steps

1. Create Image Pull Secret

oc create secret docker-registry harbor-pull-secret \
  --docker-server=8gears.container-registry.com \
  --docker-username='<username>' \
  --docker-password='<password>' \
  -n <namespace>

2. Deploy PostgreSQL

oc apply -f postgres.yaml -n <namespace>

3. Deploy Valkey (Redis)

# Add Valkey Helm repo
helm repo add valkey https://valkey.io/valkey-helm/
helm repo update

# Install Valkey with OpenShift-compatible settings
helm install redis valkey/valkey --version 0.8.1 \
  -n <namespace> \
  -f valkey-values.yaml

4. Deploy Harbor

# Install Harbor from 8gears OCI registry
helm install harbor oci://8gears.container-registry.com/8gcr/charts/harbor \
  --version 1.18.0 \
  -f values.yaml \
  -n <namespace>

5. Verify Deployment

oc get pods -n <namespace>

All pods should be in Running state:

• harbor-core
• harbor-jobservice
• harbor-portal
• harbor-registry
• harbor-trivy
• postgres
• redis-valkey

Access Harbor

Once all pods are running, access Harbor at:

https://harbor-<namespace>.apps.<cluster-domain>

Default credentials:

• Username: admin
• Password: Harbor12345 (change this!)

OpenShift-Specific Configuration

Security Context Constraints (SCC)

OpenShift enforces strict security policies. The key configuration in values.yaml:

# Disable pod-level securityContext so OpenShift SCC can assign UIDs
podSecurityContext:
  enabled: false

containerSecurityContext:
  runAsUser: null
  privileged: false
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
  runAsNonRoot: false
  capabilities:
    drop:
      - ALL

External Database and Redis

Using external PostgreSQL and Redis avoids SCC issues with Harbor's internal database/redis images:

database:
  type: external
  external:
    host: "postgres"
    port: "5432"
    username: "harbor"
    password: "changeit"
    coreDatabase: "registry"
    sslmode: "disable"

redis:
  type: external
  external:
    addr: "redis-valkey:6379"

Files

File	Description
values.yaml	Harbor Helm chart values for OpenShift
valkey-values.yaml	Valkey (Redis) Helm chart values for OpenShift
postgres.yaml	PostgreSQL deployment manifest

Troubleshooting

Pods stuck in CreateContainerError

Check events for SCC issues:

oc get events -n <namespace> --sort-by='.lastTimestamp' | grep -i error

If you see runAsUser: Invalid value, ensure podSecurityContext.enabled: false is set.

ImagePullBackOff

Ensure the image pull secret is created and referenced in values.yaml:

imagePullSecrets:
  - name: harbor-pull-secret

Database Connection Issues

Verify PostgreSQL is running and accessible:

oc exec -it deploy/postgres -- psql -U harbor -d registry -c "SELECT 1"

Redis Connection Issues

Verify Valkey is running:

oc exec -it deploy/redis-valkey -- valkey-cli ping