turash/k8s/registry/README.md
2025-12-24 19:17:14 +01:00

# Harbor Container Registry Setup
## Overview
Harbor is deployed as a production-ready container registry using:
- **External PostgreSQL**: Uses existing `infra-postgres-rw` service in `data` namespace
- **Internal Redis**: Deployed within Harbor namespace
- **Longhorn Fast Storage**: All persistent volumes use `longhorn-fast` storage class
- **Traefik Ingress**: Accessible at `https://registry.bk.glpx.pro`
## Configuration
### Database Connection
Harbor uses the external PostgreSQL database:
- **Host**: `infra-postgres-rw.data.svc.cluster.local`
- **Port**: `5432`
- **Database**: `harbor`
- **Username**: `app`
- **Password**: Stored in `infra-postgres-credentials` secret in `data` namespace
### Storage
All components use `longhorn-fast` storage class:
- **Registry**: 50Gi
- **Job Service**: 1Gi
- **Redis**: 2Gi
- **Trivy**: 5Gi
### Access
- **Web UI**: https://registry.bk.glpx.pro
- **Default Admin**: `admin` / `Harbor12345!` (CHANGE IN PRODUCTION!)
- **Registry Endpoint**: `registry.bk.glpx.pro`
## Integration with Woodpecker
### Configure Registry in Woodpecker
A repository-level registry entry lets Woodpecker pull private step images from Harbor. The push credentials used by the build plugin below are separate: they come from the `docker_username` / `docker_password` repository or organisation secrets. In both places prefer a Harbor robot account scoped to the `turash` project over the `admin` account, so a leaked CI credential cannot administer the registry.
```bash
# Add Harbor registry to Woodpecker repository
# (quote the password: `!` is special in interactive shells)
woodpecker-cli repo registry add <repo-id> \
  --hostname registry.bk.glpx.pro \
  --username admin \
  --password 'Harbor12345!'
```
### Use in Woodpecker Pipeline
The credentials are injected with `from_secret` (the older step-level `secrets:` list is deprecated):
```yaml
steps:
  build:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.bk.glpx.pro
      repo: registry.bk.glpx.pro/turash/backend
      tags: [latest, ${CI_COMMIT_SHA}]
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
```
## Integration with ArgoCD
ArgoCD only syncs manifests; the image pull itself is done by the kubelet, so workloads ArgoCD deploys into `turash` need an image pull secret for Harbor on their service account:
```bash
# Create registry secret (use a pull-only Harbor robot account rather than admin,
# and read the password from a variable so it does not end up in shell history)
kubectl create secret docker-registry harbor-registry-secret \
  --docker-server=registry.bk.glpx.pro \
  --docker-username=admin \
  --docker-password="$HARBOR_PASSWORD" \
  --namespace=turash
# Add to service account
kubectl patch serviceaccount default -n turash \
  -p '{"imagePullSecrets":[{"name":"harbor-registry-secret"}]}'
```
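The `kubectl create secret` command above writes the credential straight into the cluster. In a GitOps flow the Secret is normally rendered to a manifest first (then sealed or sourced from an external secret store) so ArgoCD can apply it. The following shell functions are an added example, not code from this repository: they render the same `kubernetes.io/dockerconfigjson` Secret with plain `base64`, and decode it again to check that the registry host is the one image references use (the kubelet matches on the exact host string). The robot account name `robot$turash+ci`, the `HARBOR_ROBOT_TOKEN` variable and the `postgres`-free toolchain (only `base64`, `sed`, `printf`) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: render a Harbor imagePullSecret declaratively (for sealing /
# committing) instead of `kubectl create secret`, and sanity-check it.
set -euo pipefail

# build_dockerconfigjson REGISTRY USER PASSWORD
# Emits the .dockerconfigjson document kubectl would generate. The `auth`
# field (base64 of user:password) is what the kubelet actually sends.
# Assumption: credentials contain no JSON-special characters (" or \);
# Harbor robot tokens are alphanumeric, admin passwords may not be.
build_dockerconfigjson() {
  local registry="$1" user="$2" pass="$3" auth
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$auth"
}

# render_pull_secret NAME NAMESPACE REGISTRY USER PASSWORD
# Prints a Secret manifest equivalent to `kubectl create secret docker-registry`.
render_pull_secret() {
  local name="$1" ns="$2" registry="$3" user="$4" pass="$5" cfg
  cfg=$(build_dockerconfigjson "$registry" "$user" "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${cfg}
EOF
}

# secret_registry MANIFEST
# Decodes .dockerconfigjson from a rendered manifest and prints the registry
# host it authenticates to; a typo here (e.g. a scheme or trailing slash)
# silently yields ImagePullBackOff because the kubelet finds no matching entry.
secret_registry() {
  printf '%s\n' "$1" \
    | sed -n 's/^  \.dockerconfigjson: //p' \
    | base64 -d \
    | sed -n 's/.*"auths":{"\([^"]*\)".*/\1/p'
}

# Usage with assumed names: a robot account scoped to the `turash` project.
manifest=$(render_pull_secret harbor-registry-secret turash registry.bk.glpx.pro \
  'robot$turash+ci' "${HARBOR_ROBOT_TOKEN:-replace-me}")
printf '%s\n' "$manifest"
# Check before sealing/committing: host must equal the one in image references.
[ "$(secret_registry "$manifest")" = "registry.bk.glpx.pro" ]
# e.g. printf '%s\n' "$manifest" | kubeseal -o yaml > harbor-pull-secret.sealed.yaml
```

The rendered manifest still contains the credential in base64, so it must be sealed (kubeseal, SOPS) or replaced by an ExternalSecret before it is committed; the check at the end catches the most common mistake, a registry host that does not match the `registry.bk.glpx.pro/turash/...` image references.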
## Production Checklist
- [ ] Change `harborAdminPassword` to a strong password
- [ ] Change `secretKey` to a secure random key (exactly 16 characters)
- [ ] Enable SSL/TLS for the database connection (`database.external.sslmode`)
- [ ] Replace the `admin` credential in CI and image pull secrets with project-scoped robot accounts
- [ ] Configure a backup strategy for Harbor data (database and the `longhorn-fast` volumes)
- [ ] Set up monitoring and alerting
- [ ] Configure retention policies for images
- [ ] Enable vulnerability scanning (Trivy)
- [ ] Set up replication for high availability
## Troubleshooting
### Check Harbor Status
```bash
kubectl get pods -n harbor
kubectl logs -n harbor deployment/harbor-core
```
### Test Database Connection
The `harbor-core` image does not necessarily ship `psql`; a throwaway client pod in the `harbor` namespace exercises the same network path (and any NetworkPolicy between `harbor` and `data`). It prompts for the `app` password from the `infra-postgres-credentials` secret:
```bash
kubectl run -it --rm psql-check -n harbor --image=postgres:16 --restart=Never -- \
  psql -h infra-postgres-rw.data.svc.cluster.local -U app -d harbor -c '\conninfo'
```
### Check Registry Access
```bash
# Login to registry (password via stdin so it stays out of shell history and `ps`)
printf '%s' "$HARBOR_PASSWORD" | docker login registry.bk.glpx.pro -u admin --password-stdin
# Test push/pull (the `turash` project must already exist in Harbor; pushes do not create projects)
docker pull alpine:latest
docker tag alpine:latest registry.bk.glpx.pro/turash/test:latest
docker push registry.bk.glpx.pro/turash/test:latest
docker pull registry.bk.glpx.pro/turash/test:latest
```
## Security Notes
⚠️ **IMPORTANT**: The current configuration uses default passwords. For production:
1. Generate strong passwords and keys. Note that Harbor's `secretKey` (used to encrypt stored credentials) must be exactly 16 characters, so a 32-byte base64 string is not valid for it:
   ```bash
   openssl rand -base64 32   # For harborAdminPassword
   openssl rand -hex 8       # For secretKey (8 bytes = 16 hex characters)
   ```
2. Store secrets in Kubernetes Secrets (referenced from the chart) or in external secret management, never in plaintext values files
3. Enable RBAC and configure proper access controls: project-scoped robot accounts for CI and cluster pulls, no shared `admin` use
4. Enable audit logging
5. Configure network policies to restrict access (only Traefik to the Harbor pods, only Harbor to `infra-postgres-rw` in `data`)
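As an added example (not the project's own tooling) the following shell functions generate both values with the constraints Harbor applies: `secretKey` must be exactly 16 characters, and the admin password must be 8 to 128 characters containing upper-case, lower-case and digit characters, which Harbor's password policy enforces when the password is set through the UI or API. They then render a Secret that the chart can consume through `existingSecretAdminPassword` / `existingSecretSecretKey` (value names as in the upstream harbor-helm chart; confirm them against the chart version deployed here). The Secret name `harbor-core-secrets` and the use of `/dev/urandom` instead of `openssl` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: generate Harbor's admin password and secretKey with the
# lengths/character classes Harbor expects, validate them, and emit a Secret.
set -euo pipefail

# secretKey must be exactly 16 characters: 8 random bytes as hex.
# Equivalent to `openssl rand -hex 8`.
gen_secret_key() {
  head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_secret_key KEY -> 0 if the chart will accept it
check_secret_key() { [ "${#1}" -eq 16 ]; }

# check_admin_password PASSWORD -> 0 if it satisfies Harbor's policy
# (8-128 chars, at least one upper-case, one lower-case, one digit).
check_admin_password() {
  local p="$1"
  [ "${#p}" -ge 8 ] && [ "${#p}" -le 128 ] || return 1
  case $p in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $p in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $p in *[[:digit:]]*) ;; *) return 1 ;; esac
  return 0
}

# gen_admin_password -> 32 chars from [A-Za-z0-9] (no +/= so it is safe in
# YAML, shell and URLs); re-draw until the policy check passes.
gen_admin_password() {
  local p
  while :; do
    p=$(head -c 48 /dev/urandom | base64 | tr -d '+/=\n' | cut -c1-32)
    if check_admin_password "$p"; then
      printf '%s' "$p"
      return 0
    fi
  done
}

# render_harbor_secret NAME NAMESPACE SECRET_KEY ADMIN_PASSWORD
# Key names match the chart defaults: `secretKey` for existingSecretSecretKey,
# HARBOR_ADMIN_PASSWORD (existingSecretAdminPasswordKey) for the admin password.
render_harbor_secret() {
  local name="$1" ns="$2" key="$3" pass="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
stringData:
  secretKey: ${key}
  HARBOR_ADMIN_PASSWORD: ${pass}
EOF
}

# Usage (assumed Secret name). In values.yaml, instead of plaintext values:
#   existingSecretAdminPassword: harbor-core-secrets
#   existingSecretSecretKey: harbor-core-secrets
key=$(gen_secret_key)
pass=$(gen_admin_password)
check_secret_key "$key"
render_harbor_secret harbor-core-secrets harbor "$key" "$pass"
```

Changing `secretKey` after Harbor has stored encrypted data (for example robot account tokens or replication endpoint credentials) makes that data undecryptable, so generate it once before the first install and treat it as part of the backup.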