Fix DinD Harbor cert registration

continuist 2025-07-04 18:32:08 -04:00
parent f3ebac14f0
commit 11b0715f71


@ -988,14 +988,14 @@ sudo journalctl -u forgejo-runner.service -f --no-pager
```bash ```bash
# Switch to CI_DEPLOY_USER (who has sudo access for Docker operations) # Switch to CI_SERVICE_USER (who has Docker group access)
sudo su - CI_DEPLOY_USER sudo su - CI_SERVICE_USER
# Navigate to the application directory # Navigate to the application directory
cd /opt/APP_NAME cd /opt/APP_NAME
# Start DinD container for isolated Docker operations # Start DinD container for isolated Docker operations
sudo docker run -d \ docker run -d \
--name ci-dind \ --name ci-dind \
--privileged \ --privileged \
-p 2375:2375 \ -p 2375:2375 \
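Review bot: the DinD container is started with `--privileged` and `-p 2375:2375`, which publishes the unauthenticated Docker API of a privileged container on every host interface; since the runner reaches it from the same host, bind the publish to loopback (`-p 127.0.0.1:2375:2375`) or drop the `-p` entirely and reach the daemon over the container network, and state in the text that 2375/tcp must not be reachable from outside the host.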
@ -1005,7 +1005,7 @@ sudo docker run -d \
# Wait for a minute or two for DinD to be ready (wait for Docker daemon inside DinD) # Wait for a minute or two for DinD to be ready (wait for Docker daemon inside DinD)
# Test DinD connectivity # Test DinD connectivity
sudo docker exec ci-dind docker version docker exec ci-dind docker version
``` ```
**What this does**: **What this does**:
@ -1013,7 +1013,7 @@ sudo docker exec ci-dind docker version
- **Health checks**: Ensures DinD is fully ready before proceeding - **Health checks**: Ensures DinD is fully ready before proceeding
- **Simple setup**: Direct Docker commands for maximum flexibility - **Simple setup**: Direct Docker commands for maximum flexibility
**Why CI_DEPLOY_USER**: The CI_DEPLOY_USER handles deployment orchestration and has sudo access for Docker operations, following the principle of least privilege. **Why CI_SERVICE_USER**: The CI_SERVICE_USER is in the docker group and runs the CI pipeline, so it needs direct access to the DinD container for seamless CI/CD operations.
#### 7.2 Configure DinD for Harbor Registry #### 7.2 Configure DinD for Harbor Registry
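Review bot: the rewritten **Why CI_SERVICE_USER** sentence should not read as a privilege reduction: membership in the docker group is equivalent to root on the host, and this account additionally controls a privileged DinD container. Say so plainly and explain what bounds that account (a dedicated CI host, no other duties) instead of only describing the convenience of direct access.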
@ -1023,20 +1023,35 @@ sudo docker exec ci-dind docker version
cd /opt/APP_NAME cd /opt/APP_NAME
# Copy Harbor certificate to DinD container # Copy Harbor certificate to DinD container
sudo docker cp /etc/ssl/registry/registry.crt ci-dind:/usr/local/share/ca-certificates/ docker cp /etc/ssl/registry/registry.crt ci-dind:/usr/local/share/ca-certificates/
sudo docker exec ci-dind update-ca-certificates
# Fix certificate ownership (crucial for CA certificate trust)
docker exec ci-dind chown root:root /usr/local/share/ca-certificates/registry.crt
# Update CA certificates
docker exec ci-dind update-ca-certificates
# Restart DinD container to pick up new CA certificates
docker restart ci-dind
# Wait for DinD to be ready again
sleep 30
# Login to Harbor from within DinD
echo "ci-user-password" | docker exec -i ci-dind docker login YOUR_CI_CD_IP -u ci-user --password-stdin
# Test Harbor connectivity from DinD (using certificate trust) # Test Harbor connectivity from DinD (using certificate trust)
sudo docker exec ci-dind docker pull alpine:latest docker exec ci-dind docker pull alpine:latest
sudo docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP:80/test/alpine:latest docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP/APP_NAME/test:latest
sudo docker exec ci-dind docker push YOUR_CI_CD_IP:80/test/alpine:latest docker exec ci-dind docker push YOUR_CI_CD_IP/APP_NAME/test:latest
# Clean up test image # Clean up test image
sudo docker exec ci-dind docker rmi YOUR_CI_CD_IP:80/test/alpine:latest docker exec ci-dind docker rmi YOUR_CI_CD_IP/APP_NAME/test:latest
``` ```
**What this does**: **What this does**:
- **Configures insecure registry**: Allows DinD to push to Harbor without SSL verification - **Configures certificate trust**: Properly sets up Harbor certificate trust in DinD
- **Fixes ownership issues**: Ensures certificate has correct ownership for CA trust
- **Tests connectivity**: Verifies DinD can pull, tag, and push images to Harbor - **Tests connectivity**: Verifies DinD can pull, tag, and push images to Harbor
- **Validates setup**: Ensures the complete CI/CD pipeline will work - **Validates setup**: Ensures the complete CI/CD pipeline will work
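Review bot: `echo "ci-user-password" | docker exec -i ci-dind docker login YOUR_CI_CD_IP -u ci-user --password-stdin` keeps the password out of the `docker login` arguments but still writes it literally on the shell command line, so it ends up in the operator's shell history; read it from a root-only file or a variable set with `read -rs` and pipe that instead. Two smaller points in the same hunk: `sleep 30` is a fixed wait although section 7.1 promises health checks, so a loop retrying `docker exec ci-dind docker version` until it succeeds would be more reliable; and the **What this does** list should mention the restart and the login, which the steps now include but the summary does not.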
@ -1089,11 +1104,11 @@ docker exec ci-dind docker run --rm alpine:latest echo "DinD is working!"
# Test Harbor integration # Test Harbor integration
docker exec ci-dind docker pull alpine:latest docker exec ci-dind docker pull alpine:latest
docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP:80/test/dind-test:latest docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP/APP_NAME/dind-test:latest
docker exec ci-dind docker push YOUR_CI_CD_IP:80/test/dind-test:latest docker exec ci-dind docker push YOUR_CI_CD_IP/APP_NAME/dind-test:latest
# Clean up test # Clean up test
docker exec ci-dind docker rmi YOUR_CI_CD_IP:80/test/dind-test:latest docker exec ci-dind docker rmi YOUR_CI_CD_IP/APP_NAME/dind-test:latest
``` ```
**Expected Output**: **Expected Output**:
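Review bot: the cleanup at `docker exec ci-dind docker rmi YOUR_CI_CD_IP/APP_NAME/dind-test:latest` removes only the local tag; the `dind-test:latest` image pushed two lines earlier (and `test:latest` from section 7.2) remains in the Harbor project APP_NAME. Either delete the test artifacts through Harbor afterwards or tell the reader they remain, so a production project is not shipped with leftover test images. Also note that the push now targets the project APP_NAME, which must already exist in Harbor for the test to succeed.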
@ -1171,13 +1186,13 @@ sudo ufw allow 443/tcp # Harbor registry (public read access)
```bash ```bash
docker --version docker --version
docker compose --version docker compose version
``` ```
#### 9.2 Check Harbor Status #### 9.2 Check Harbor Status
```bash ```bash
cd /opt/APP_NAME/registry cd /opt/harbor/harbor
docker compose ps docker compose ps
``` ```
@ -1185,20 +1200,12 @@ docker compose ps
```bash ```bash
# Test Harbor API # Test Harbor API
curl -k https://localhost:8080/api/v2.0/health curl -k https://localhost/api/v2.0/health
# Test Harbor UI # Test Harbor UI
curl -k -I https://localhost curl -k -I https://localhost
``` ```
#### 9.4 Get Public Key for Production Server
```bash
cat ~/.ssh/id_ed25519.pub
```
**Important**: Copy this public key - you'll need it for the production server setup.
--- ---
## Part 2: Production Linode Setup ## Part 2: Production Linode Setup
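Review bot: `curl -k https://localhost/api/v2.0/health` and `curl -k -I https://localhost` disable certificate verification, which is at odds with a commit whose purpose is making the Harbor certificate trusted; since this same diff copies `/etc/ssl/registry/registry.crt` into DinD, the check here should verify against it with `--cacert /etc/ssl/registry/registry.crt` so that a broken certificate setup is caught rather than hidden (if the certificate is issued for YOUR_CI_CD_IP rather than `localhost`, use that address in the URL). Separately, section 9.4 and its **Important** note about copying the public key are removed; please confirm that Part 2 no longer refers to that key, otherwise the reference dangles.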