diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index a226309..7f9ec84 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -662,19 +662,13 @@ curl -k -I https://localhost #### 5.10 Configure Harbor for Public Read, Authenticated Write -1. **Create a Public Project**: +1. **Create Application Project**: - Go to **Projects** → **New Project** - - Set **Project Name**: `public` + - Set **Project Name**: `APP_NAME` (replace with your actual application name) - Set **Access Level**: `Public` - Click **OK** -2. **Create a Private Project** (for authenticated writes): - - Go to **Projects** → **New Project** - - Set **Project Name**: `private` - - Set **Access Level**: `Private` - - Click **OK** - -3. **Create a User for CI/CD**: +2. **Create a User for CI/CD**: - Go to **Administration** → **Users** → **New User** - Set **Username**: `ci-user` - Set **Email**: `ci@example.com` @@ -682,6 +676,8 @@ curl -k -I https://localhost - Set **Role**: `Developer` - Click **OK** +**Note**: With a public project, anyone can pull images without authentication, but only authenticated users (like `ci-user`) can push images. This provides the perfect balance of ease of use for deployments and security for image management. + #### 5.11 Test Harbor Authentication and Access Model ```bash 
@@ -693,21 +689,21 @@ docker login YOUR_CI_CD_IP echo "FROM alpine:latest" > /tmp/test.Dockerfile echo "RUN echo 'Hello from Harbor test image'" >> /tmp/test.Dockerfile -# Build and tag test image for public project -docker build -f /tmp/test.Dockerfile -t YOUR_CI_CD_IP/public/test:latest /tmp +# Build and tag test image for APP_NAME project +docker build -f /tmp/test.Dockerfile -t YOUR_CI_CD_IP/APP_NAME/test:latest /tmp # Push to Harbor (requires authentication) -docker push YOUR_CI_CD_IP/public/test:latest +docker push YOUR_CI_CD_IP/APP_NAME/test:latest # Verify image is in Harbor curl -k https://localhost/v2/_catalog # Test public pull (no authentication required) docker logout YOUR_CI_CD_IP -docker pull YOUR_CI_CD_IP/public/test:latest +docker pull YOUR_CI_CD_IP/APP_NAME/test:latest # Clean up test image -docker rmi YOUR_CI_CD_IP/public/test:latest +docker rmi YOUR_CI_CD_IP/APP_NAME/test:latest ``` **Expected behavior**: @@ -719,16 +715,11 @@ docker rmi YOUR_CI_CD_IP/public/test:latest Your Harbor registry is now configured with the following access model: -**Public Projects** (like `public`): +**APP_NAME Project**: - ✅ **Pull (read)**: No authentication required - ✅ **Push (write)**: Requires authentication - ✅ **Web UI**: Accessible to view images -**Private Projects** (like `private`): -- ✅ **Pull (read)**: Requires authentication -- ✅ **Push (write)**: Requires authentication -- ✅ **Web UI**: Requires authentication - **Security Features**: - ✅ **Vulnerability scanning**: Automatic CVE scanning with Trivy - ✅ **Role-based access control**: Different user roles (admin, developer, guest) 
@@ -765,11 +756,11 @@ sudo systemctl restart docker Your Harbor registry is now configured with the following access model: #### **Public Read Access** -Anyone can pull images from public projects without authentication: +Anyone can pull images from the APP_NAME project without authentication: ```bash -# From any machine (public access to public projects) -docker pull YOUR_CI_CD_IP/public/backend:latest -docker pull YOUR_CI_CD_IP/public/frontend:latest +# From any machine (public access to APP_NAME project) +docker pull YOUR_CI_CD_IP/APP_NAME/backend:latest +docker pull YOUR_CI_CD_IP/APP_NAME/frontend:latest ``` #### **Authenticated Write Access** @@ -780,8 +771,8 @@ docker login YOUR_CI_CD_IP # Enter: ci-user and your-secure-password # Then push to Harbor -docker push YOUR_CI_CD_IP/public/backend:latest -docker push YOUR_CI_CD_IP/public/frontend:latest +docker push YOUR_CI_CD_IP/APP_NAME/backend:latest +docker push YOUR_CI_CD_IP/APP_NAME/frontend:latest ``` #### **Harbor Web UI Access** @@ -791,13 +782,13 @@ https://YOUR_CI_CD_IP ``` #### **Client Configuration** -For other machines to pull images from public projects, they only need: +For other machines to pull images from the APP_NAME project, they only need: ```bash # Add to /etc/docker/daemon.json on client machines { "insecure-registries": ["YOUR_CI_CD_IP"] } -# No authentication needed for pulls from public projects +# No authentication needed for pulls from APP_NAME project ``` #### **CI/CD Pipeline Configuration** @@ -805,7 +796,7 @@ For automated deployments, use the `ci-user` credentials: ```bash # In CI/CD pipeline echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin -docker push YOUR_CI_CD_IP/public/backend:latest +docker push YOUR_CI_CD_IP/APP_NAME/backend:latest ``` ### Step 7: Set Up SSH for Production Communication 
@@ -1043,7 +1034,7 @@ docker compose ps curl -k https://localhost:8080/api/v2.0/health # Test Harbor UI -curl -k -I https://localhost:8080 +curl -k -I https://localhost ``` #### 11.4 Get Public Key for Production Server
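
Review bot: In the hunk at `@@ -662,19 +662,13 @@`, the new **Project Name** placeholder `APP_NAME` is upper-case, but Docker repository paths must be lower-case, so a reader who substitutes a name in the same style (for example `MyApp`) will get a reference like `YOUR_CI_CD_IP/MyApp/test:latest` that `docker build -t` rejects. Suggest extending the parenthetical to "(replace with your actual application name, lower-case letters, digits and hyphens only)".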
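
Review bot: The added **Note** in the hunk at `@@ -682,6 +676,8 @@` says "only authenticated users (like `ci-user`) can push images", but in Harbor logging in is not sufficient: the account must also be a member of the project with a role that allows push. The steps visible in this patch create the project and the user and never add `ci-user` to the `APP_NAME` project, so the push in section 5.11 may be denied. Suggest adding a step that adds `ci-user` as a `Developer` member of the project, and rewording the note to "only project members with push rights". "Perfect balance" also overstates it; the note should say plainly that every image in this project is readable by anyone who can reach the registry.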
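
Review bot: In the hunk at `@@ -693,21 +689,21 @@`, the "Clean up test image" step only runs `docker rmi YOUR_CI_CD_IP/APP_NAME/test:latest`, which removes the local tag and leaves the `test` repository in the now application-named, publicly pullable project. Suggest adding a step to delete the test repository from Harbor (web UI or API) so throwaway images do not sit next to `backend` and `frontend`.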
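
Review bot: In the access-model summary (hunk at `@@ -719,16 +715,11 @@`), dropping the **Private Projects** block leaves the guide with no place for images that must not be world-readable, while the remaining **APP_NAME Project** entry grants unauthenticated pull. Suggest one added bullet stating that images pushed to this project must not contain secrets (credentials, private keys, `.env` files baked into layers), and a sentence saying that a project with **Access Level** `Private` is the option when that cannot be guaranteed.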
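
Review bot: In the **Client Configuration** block (hunk at `@@ -791,13 +782,13 @@`), the updated comment stresses that pulls need no authentication while the surrounding lines still tell clients to set `"insecure-registries": ["YOUR_CI_CD_IP"]`. Together that means a client neither authenticates itself nor verifies the registry's certificate, so it cannot tell the real Harbor from an impostor on the path. Suggest documenting the alternative of installing the registry's CA certificate at `/etc/docker/certs.d/YOUR_CI_CD_IP/ca.crt` on clients. Style point in the same block: the `#` comment lines sit inside what is presented as the contents of `/etc/docker/daemon.json`, which is JSON and does not accept comments; move them outside the snippet.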
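
Review bot: The pipeline snippet touched by the hunk at `@@ -805,7 +796,7 @@` still logs in with `echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin`, and `--password-stdin` reads the password only, so the string sent is `ci-user:your-secure-password` and the login fails before the updated `docker push` line is reached. Suggest piping just the password, taken from a CI secret variable rather than a literal in the script (for example `printf '%s' "$HARBOR_PASSWORD"`, where the variable name is a placeholder), so the credential does not end up in the repository or build logs.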
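
Review bot: In the hunk at `@@ -1043,7 +1034,7 @@`, the UI test is changed to `curl -k -I https://localhost`, but the health check two lines above it is left as `curl -k https://localhost:8080/api/v2.0/health`. If Harbor is served on 443, as the new line and the earlier `curl -k -I https://localhost` imply, the health check should drop `:8080` as well; otherwise this section tests two different endpoints and one of them will fail.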