mukimovd/turash
1
0
Fork 0
mirror of https://github.com/SamyRai/turash.git synced 2025-12-26 23:01:33 +00:00
Code Issues 1 Actions Packages Projects Releases Wiki Activity
9416a80006
turash/k8s/registry/README.md
Damir Mukimov 78d87ae345
Configure CI/CD pipeline with Harbor registry
2025-12-24 19:17:14 +01:00

3.4 KiB
Raw Blame History

Harbor Container Registry Setup

Overview

Harbor is deployed as a production-ready container registry using:

  • External PostgreSQL: Uses existing infra-postgres-rw service in data namespace
  • Internal Redis: Deployed within Harbor namespace
  • Longhorn Fast Storage: All persistent volumes use longhorn-fast storage class
  • Traefik Ingress: Accessible at https://registry.bk.glpx.pro

Configuration

Database Connection

Harbor uses the external PostgreSQL database:

  • Host: infra-postgres-rw.data.svc.cluster.local
  • Port: 5432
  • Database: harbor
  • Username: app
  • Password: Stored in infra-postgres-credentials secret in data namespace

Storage

All components use longhorn-fast storage class:

  • Registry: 50Gi
  • Job Service: 1Gi
  • Redis: 2Gi
  • Trivy: 5Gi

Access

Integration with Woodpecker

Configure Registry in Woodpecker

# Add Harbor registry to Woodpecker repository
woodpecker-cli repo registry add <repo-id> \
  --hostname registry.bk.glpx.pro \
  --username admin \
  --password Harbor12345!

Use in Woodpecker Pipeline

steps:
  build:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.bk.glpx.pro
      repo: registry.bk.glpx.pro/turash/backend
      tags: [latest, ${CI_COMMIT_SHA}]
    secrets: [docker_username, docker_password]

Integration with ArgoCD

ArgoCD can pull images from Harbor. Configure image pull secrets:

# Create registry secret
kubectl create secret docker-registry harbor-registry-secret \
  --docker-server=registry.bk.glpx.pro \
  --docker-username=admin \
  --docker-password=Harbor12345! \
  --namespace=turash

# Add to service account
kubectl patch serviceaccount default -n turash \
  -p '{"imagePullSecrets":[{"name":"harbor-registry-secret"}]}'

Production Checklist

  • Change harborAdminPassword to strong password
  • Change secretKey to secure random key
  • Enable SSL/TLS for database connection
  • Configure backup strategy for Harbor data
  • Set up monitoring and alerting
  • Configure retention policies for images
  • Enable vulnerability scanning (Trivy)
  • Set up replication for high availability

Troubleshooting

Check Harbor Status

kubectl get pods -n harbor
kubectl logs -n harbor deployment/harbor-core

Test Database Connection

kubectl exec -it -n harbor deployment/harbor-core -- \
  psql -h infra-postgres-rw.data.svc.cluster.local -U app -d harbor

Check Registry Access

# Login to registry
docker login registry.bk.glpx.pro -u admin -p Harbor12345!

# Test push/pull
docker pull alpine:latest
docker tag alpine:latest registry.bk.glpx.pro/turash/test:latest
docker push registry.bk.glpx.pro/turash/test:latest

Security Notes

⚠️ IMPORTANT: The current configuration uses default passwords. For production:

  1. Generate strong passwords:

    openssl rand -base64 32  # For harborAdminPassword
openssl rand -base64 32  # For secretKey

  2. Store secrets in Kubernetes secrets or external secret management

  3. Enable RBAC and configure proper access controls

  4. Enable audit logging

  5. Configure network policies to restrict access