# Harbor Container Registry Setup

## Overview

Harbor is deployed as a production-ready container registry using:

- **External PostgreSQL**: Uses the existing `infra-postgres-rw` service in the `data` namespace
- **Internal Redis**: Deployed within the Harbor namespace
- **Longhorn Fast Storage**: All persistent volumes use the `longhorn-fast` storage class
- **Traefik Ingress**: Accessible at `https://registry.bk.glpx.pro`

## Configuration

### Database Connection

Harbor uses the external PostgreSQL database:

- **Host**: `infra-postgres-rw.data.svc.cluster.local`
- **Port**: `5432`
- **Database**: `harbor`
- **Username**: `app`
- **Password**: Stored in the `infra-postgres-credentials` secret in the `data` namespace

Kubernetes secrets are namespace-scoped, so Harbor cannot read `infra-postgres-credentials` from the `data` namespace directly. The password has to be copied (or synced by an external-secrets operator) into a secret in the `harbor` namespace before the Helm values can reference it.

### Storage

All components use the `longhorn-fast` storage class:

- **Registry**: 50Gi
- **Job Service**: 1Gi
- **Redis**: 2Gi
- **Trivy**: 5Gi

### Access

- **Web UI**: https://registry.bk.glpx.pro
- **Default Admin**: `admin` / `Harbor12345!` (this is Harbor's well-known default; CHANGE IT BEFORE THE REGISTRY IS REACHABLE!)
- **Registry Endpoint**: `registry.bk.glpx.pro`

## Integration with Woodpecker

### Configure Registry in Woodpecker

Woodpecker stores the registry credential and injects it into pipeline steps. Do not hand the `admin` account to CI: create a Harbor robot account scoped to the `turash` project with pull/push permission on repositories and register that instead (see Security Notes). Passing the password literally on the command line also leaves it in shell history, so read it from a variable:

```bash
# Add the Harbor registry to the Woodpecker repository.
# Replace admin with a project-scoped robot account before production;
# the password is read from the environment rather than typed inline.
woodpecker-cli repo registry add \
  --hostname registry.bk.glpx.pro \
  --username admin \
  --password "$HARBOR_ADMIN_PASSWORD"
```

### Use in Woodpecker Pipeline

```yaml
steps:
  build:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.bk.glpx.pro
      repo: registry.bk.glpx.pro/turash/backend
      # Quoted: an unquoted ${...} inside a YAML flow sequence does not parse.
      tags: [latest, "${CI_COMMIT_SHA}"]
      # Credentials come from Woodpecker secrets via from_secret, which works
      # across Woodpecker versions; the old step-level `secrets:` list has been removed.
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
```

## Integration with ArgoCD

ArgoCD only applies manifests; the image itself is pulled by the kubelet in the target namespace. The pull secret therefore has to exist in the workload namespace (`turash`) and be referenced by the pods' service account. As with Woodpecker, use a pull-only robot account rather than `admin`, and keep the password out of the command line:

```bash
# Create the registry secret in the workload namespace.
# Replace admin with a pull-only robot account before production.
kubectl create secret docker-registry harbor-registry-secret \
  --docker-server=registry.bk.glpx.pro \
  --docker-username=admin \
  --docker-password="$HARBOR_ADMIN_PASSWORD" \
  --namespace=turash

# Attach it to the default service account so every pod in the namespace can pull
kubectl patch serviceaccount default -n turash \
  -p '{"imagePullSecrets":[{"name":"harbor-registry-secret"}]}'
```

## Production Checklist

- [ ] Change `harborAdminPassword` to a strong password (Harbor requires at least 8 characters with upper case, lower case and a digit)
- [ ] Change `secretKey` to a secure random key of exactly 16 characters (Harbor rejects any other length)
- [ ] Replace the `admin` credential used by Woodpecker and ArgoCD with scoped robot accounts
- [ ] Enable SSL/TLS for the database connection
- [ ] Configure a backup strategy for Harbor data
- [ ] Set up monitoring and alerting
- [ ] Configure retention policies for images
- [ ] Enable vulnerability scanning (Trivy)
- [ ] Set up replication for high availability

## Troubleshooting

### Check Harbor Status

```bash
kubectl get pods -n harbor
kubectl logs -n harbor deployment/harbor-core
```

### Test Database Connection

`psql` prompts for the password, which is the value stored in the `infra-postgres-credentials` secret. The `harbor-core` image is minimal and may not ship `psql`; if the binary is missing, run the same command from a temporary pod based on the `postgres` image instead.

```bash
kubectl exec -it -n harbor deployment/harbor-core -- \
  psql -h infra-postgres-rw.data.svc.cluster.local -U app -d harbor
```

### Check Registry Access

```bash
# Login to the registry; --password-stdin keeps the password out of argv and shell history
printf '%s' "$HARBOR_ADMIN_PASSWORD" | docker login registry.bk.glpx.pro -u admin --password-stdin

# Test push/pull
docker pull alpine:latest
docker tag alpine:latest registry.bk.glpx.pro/turash/test:latest
docker push registry.bk.glpx.pro/turash/test:latest
```

## Security Notes

⚠️ **IMPORTANT**: The current configuration uses default passwords. For production:

1. Generate strong secrets. `harborAdminPassword` must satisfy Harbor's policy (8+ characters, upper case, lower case, digit); `secretKey` is the AES key Harbor uses to encrypt stored credentials and must be exactly 16 characters, so a 32-byte base64 value will not work:

```bash
openssl rand -base64 32   # For harborAdminPassword (check it contains upper, lower and a digit)
openssl rand -base64 12   # For secretKey: 12 random bytes encode to exactly 16 characters
```

2. Store secrets in Kubernetes secrets or an external secret manager, and point the Helm chart at them instead of writing values into `values.yaml`
3. Enable RBAC and configure proper access controls: give CI and cluster pulls project-scoped robot accounts with only the repository actions they need, never the `admin` account
4. Enable audit logging
5. Configure network policies to restrict access
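The following script is an added example for the Security Notes and Production Checklist above; it is not part of this repository's Harbor deployment. It generates an admin password and a `secretKey` that Harbor will actually accept, checks them against Harbor's rules (password policy; 16-character key), and emits a Kubernetes Secret manifest so the values never sit in `values.yaml`. The secret name `harbor-admin` is an assumption, and the data keys `HARBOR_ADMIN_PASSWORD` and `secretKey` are the ones the Harbor Helm chart expects when `existingSecretAdminPassword` / `existingSecretSecretKey` point at the secret; confirm against the chart version in use.

```shell
#!/bin/sh
# Added example, not the project's own code. Generates Harbor-compatible secrets,
# validates them, and renders a Secret manifest for the harbor namespace.
set -eu

# Base64-encode a string without a trailing newline (portable across GNU/BSD base64).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Harbor's secretKey must be exactly 16 characters: 12 random bytes base64-encode
# to 16 characters with no padding (equivalent to `openssl rand -base64 12`).
gen_secret_key() {
  head -c 12 /dev/urandom | base64 | tr -d '\n'
}

check_secret_key() {
  [ "${#1}" -eq 16 ]
}

# Harbor's password policy: at least 8 characters, with at least one uppercase
# letter, one lowercase letter and one digit.
check_admin_password() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | grep -q '[a-z]' || return 1
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
}

# A random base64 string occasionally lacks a digit or a case; retry until the
# policy check passes so the Helm install does not fail on the admin password.
gen_admin_password() {
  while :; do
    pw=$(head -c 24 /dev/urandom | base64 | tr -d '\n')
    if check_admin_password "$pw"; then
      printf '%s\n' "$pw"
      return 0
    fi
  done
}

# Render the Secret. Key names are an assumption about the Harbor Helm chart
# (existingSecretAdminPasswordKey defaults to HARBOR_ADMIN_PASSWORD; the
# existingSecretSecretKey secret must carry the key "secretKey").
harbor_secret_manifest() {
  name=$1 namespace=$2 admin_pw=$3 secret_key=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: Opaque
data:
  HARBOR_ADMIN_PASSWORD: $(b64 "$admin_pw")
  secretKey: $(b64 "$secret_key")
EOF
}

# Usage (assumed names; nothing here is executed on import):
#   harbor_secret_manifest harbor-admin harbor "$(gen_admin_password)" "$(gen_secret_key)" \
#     | kubectl apply -f -
# then set existingSecretAdminPassword: harbor-admin and
# existingSecretSecretKey: harbor-admin in the Helm values.
```

Apply the manifest before the Helm install or upgrade; Harbor reads `secretKey` at startup, and changing it later makes previously encrypted credentials (robot secrets, replication endpoints) unreadable, so generate it once and back it up with the rest of the Harbor data.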
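Both integration sections (Woodpecker and ArgoCD) and point 3 of the Security Notes come down to the same procedure: create a project-scoped Harbor robot account and hand its credentials to the consumer. The script below is an added example, not code from this repository or from Harbor. It builds the request body for Harbor's `POST /api/v2.0/robots` endpoint, submits it with the admin password supplied through a curl config on stdin (so it is in neither argv nor shell history), and renders the resulting credentials as a `kubernetes.io/dockerconfigjson` Secret. The robot name `woodpecker`, the secret name `harbor-registry-secret` and the environment variables `HARBOR_URL`, `REGISTRY_HOST` and `HARBOR_ADMIN_PASSWORD` are assumptions; in practice create one push-capable robot for CI and a separate pull-only robot for the cluster.

```shell
#!/bin/sh
# Added example, not the project's own code. Creates a Harbor robot account and
# turns its credentials into an imagePullSecret manifest.
set -eu

HARBOR_URL=${HARBOR_URL:-https://registry.bk.glpx.pro}      # assumed
REGISTRY_HOST=${REGISTRY_HOST:-registry.bk.glpx.pro}        # assumed

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# JSON body for POST /api/v2.0/robots: a project-level robot limited to the given
# repository actions (e.g. pull, push). duration -1 means never expires; set a
# number of days in production and rotate. Harbor returns the account as
# robot$<project>+<name> together with a one-time secret.
robot_request_json() {
  project=$1 name=$2
  shift 2
  access=""
  for action in "$@"; do
    access="${access:+$access,}{\"resource\":\"repository\",\"action\":\"$action\"}"
  done
  printf '{"name":"%s","description":"CI robot","duration":-1,"disable":false,"level":"project","permissions":[{"kind":"project","namespace":"%s","access":[%s]}]}' \
    "$name" "$project" "$access"
}

# Create the robot. The admin password is passed to curl via a config read from
# stdin (-K -), so it never appears in the process list. Prints Harbor's JSON
# response, which contains the robot "name" and its "secret". Needs network access.
create_robot() {
  project=$1 name=$2
  shift 2
  printf 'user = "admin:%s"\n' "$HARBOR_ADMIN_PASSWORD" |
    curl -fsS -K - -X POST "$HARBOR_URL/api/v2.0/robots" \
      -H 'Content-Type: application/json' \
      -d "$(robot_request_json "$project" "$name" "$@")"
}

# The .dockerconfigjson document the kubelet reads: "auth" is base64(user:pass).
dockerconfigjson() {
  host=$1 user=$2 pass=$3
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$host" "$(b64 "$user:$pass")"
}

# Secret of type kubernetes.io/dockerconfigjson for the workload namespace;
# equivalent to `kubectl create secret docker-registry` but without the password in argv.
pull_secret_manifest() {
  name=$1 namespace=$2 host=$3 user=$4 pass=$5
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfigjson "$host" "$user" "$pass")")
EOF
}

# Usage (assumed names; requires jq and access to Harbor; nothing runs on import):
#   resp=$(create_robot turash woodpecker pull)              # pull-only robot for the cluster
#   user=$(printf '%s' "$resp" | jq -r .name)                # robot$turash+woodpecker
#   pass=$(printf '%s' "$resp" | jq -r .secret)
#   pull_secret_manifest harbor-registry-secret turash "$REGISTRY_HOST" "$user" "$pass" \
#     | kubectl apply -f -
#   kubectl patch serviceaccount default -n turash \
#     -p '{"imagePullSecrets":[{"name":"harbor-registry-secret"}]}'
# For Woodpecker, create a second robot with `pull push` and store its name and
# secret as the docker_username / docker_password secrets the pipeline references.
```

The robot secret is shown only once in the create response, so capture it straight into the Secret or the CI secret store; if it is lost, delete the robot and create a new one rather than reusing `admin`.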