Update guide to create a single repository in Harbor for public reads and authenticated writes

This commit is contained in:
continuist 2025-06-29 12:46:54 -04:00
parent c9aa37d6cf
commit 583b8c6c65


@ -662,19 +662,13 @@ curl -k -I https://localhost
#### 5.10 Configure Harbor for Public Read, Authenticated Write #### 5.10 Configure Harbor for Public Read, Authenticated Write
1. **Create a Public Project**: 1. **Create Application Project**:
- Go to **Projects** → **New Project** - Go to **Projects** → **New Project**
- Set **Project Name**: `public` - Set **Project Name**: `APP_NAME` (replace with your actual application name)
- Set **Access Level**: `Public` - Set **Access Level**: `Public`
- Click **OK** - Click **OK**
2. **Create a Private Project** (for authenticated writes): 2. **Create a User for CI/CD**:
- Go to **Projects** → **New Project**
- Set **Project Name**: `private`
- Set **Access Level**: `Private`
- Click **OK**
3. **Create a User for CI/CD**:
- Go to **Administration****Users** → **New User** - Go to **Administration****Users** → **New User**
- Set **Username**: `ci-user` - Set **Username**: `ci-user`
- Set **Email**: `ci@example.com` - Set **Email**: `ci@example.com`
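Review bot: the new `APP_NAME` placeholder has to be substituted with a lowercase name before any of the later commands work; Harbor only accepts lowercase project names, and Docker rejects repository paths such as `YOUR_CI_CD_IP/APP_NAME/test:latest` that contain uppercase characters. Suggest saying so in the parenthetical, e.g. `(replace with your application name, lowercase)`, or using a placeholder like `myapp`. Also, `Administration****Users` on both sides has lost its arrow and should read `**Administration** → **Users**` like the other navigation steps.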
@ -682,6 +676,8 @@ curl -k -I https://localhost
- Set **Role**: `Developer` - Set **Role**: `Developer`
- Click **OK** - Click **OK**
**Note**: With a public project, anyone can pull images without authentication, but only authenticated users (like `ci-user`) can push images. This provides the perfect balance of ease of use for deployments and security for image management.
#### 5.11 Test Harbor Authentication and Access Model #### 5.11 Test Harbor Authentication and Access Model
```bash ```bash
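Review bot: `Set Role: Developer` does not belong in the Administration → Users → New User dialog, which only takes username, email, name and password; project roles in Harbor are granted under the project's Members tab. As written, `ci-user` ends up with no membership in `APP_NAME`, and the `docker push` in 5.11 will be refused as unauthorized. Add a step after the user is created: Projects → APP_NAME → Members → add `ci-user` with role Developer. The added note's `perfect balance` sentence also overstates things; it is worth stating plainly that `Public` means anyone who can reach the registry can pull and inspect every image in the project.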
@ -693,21 +689,21 @@ docker login YOUR_CI_CD_IP
echo "FROM alpine:latest" > /tmp/test.Dockerfile echo "FROM alpine:latest" > /tmp/test.Dockerfile
echo "RUN echo 'Hello from Harbor test image'" >> /tmp/test.Dockerfile echo "RUN echo 'Hello from Harbor test image'" >> /tmp/test.Dockerfile
# Build and tag test image for public project # Build and tag test image for APP_NAME project
docker build -f /tmp/test.Dockerfile -t YOUR_CI_CD_IP/public/test:latest /tmp docker build -f /tmp/test.Dockerfile -t YOUR_CI_CD_IP/APP_NAME/test:latest /tmp
# Push to Harbor (requires authentication) # Push to Harbor (requires authentication)
docker push YOUR_CI_CD_IP/public/test:latest docker push YOUR_CI_CD_IP/APP_NAME/test:latest
# Verify image is in Harbor # Verify image is in Harbor
curl -k https://localhost/v2/_catalog curl -k https://localhost/v2/_catalog
# Test public pull (no authentication required) # Test public pull (no authentication required)
docker logout YOUR_CI_CD_IP docker logout YOUR_CI_CD_IP
docker pull YOUR_CI_CD_IP/public/test:latest docker pull YOUR_CI_CD_IP/APP_NAME/test:latest
# Clean up test image # Clean up test image
docker rmi YOUR_CI_CD_IP/public/test:latest docker rmi YOUR_CI_CD_IP/APP_NAME/test:latest
``` ```
**Expected behavior**: **Expected behavior**:
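Review bot: `curl -k https://localhost/v2/_catalog` will not verify the push: Harbor restricts the catalog endpoint to system administrators, and curl does not reuse the `docker login` credentials, so the call returns 401. Use the project API with admin credentials instead, for example `curl -k -u admin:YOUR_ADMIN_PASSWORD https://localhost/api/v2.0/projects/APP_NAME/repositories`. The anonymous pull check would also be more convincing if the `docker rmi` ran before `docker pull` rather than after; as ordered, the layers are already in the local cache and only the manifest request exercises the unauthenticated path.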
@ -719,16 +715,11 @@ docker rmi YOUR_CI_CD_IP/public/test:latest
Your Harbor registry is now configured with the following access model: Your Harbor registry is now configured with the following access model:
**Public Projects** (like `public`): **APP_NAME Project**:
- ✅ **Pull (read)**: No authentication required - ✅ **Pull (read)**: No authentication required
- ✅ **Push (write)**: Requires authentication - ✅ **Push (write)**: Requires authentication
- ✅ **Web UI**: Accessible to view images - ✅ **Web UI**: Accessible to view images
**Private Projects** (like `private`):
- ✅ **Pull (read)**: Requires authentication
- ✅ **Push (write)**: Requires authentication
- ✅ **Web UI**: Requires authentication
**Security Features**: **Security Features**:
- ✅ **Vulnerability scanning**: Automatic CVE scanning with Trivy - ✅ **Vulnerability scanning**: Automatic CVE scanning with Trivy
- ✅ **Role-based access control**: Different user roles (admin, developer, guest) - ✅ **Role-based access control**: Different user roles (admin, developer, guest)
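Review bot: with the `Private Projects` block removed, the summary no longer tells the reader what to do when an image must not be world-readable, even though the `APP_NAME` project now holds the production backend and frontend images. Keep one line stating that a project with Access Level `Private` requires authentication for pulls and for the UI, so images containing proprietary code or baked-in configuration have somewhere to go. Minor: Harbor's project roles are Project Admin, Maintainer, Developer, Guest and Limited Guest, so the `(admin, developer, guest)` list under Role-based access control is incomplete.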
@ -765,11 +756,11 @@ sudo systemctl restart docker
Your Harbor registry is now configured with the following access model: Your Harbor registry is now configured with the following access model:
#### **Public Read Access** #### **Public Read Access**
Anyone can pull images from public projects without authentication: Anyone can pull images from the APP_NAME project without authentication:
```bash ```bash
# From any machine (public access to public projects) # From any machine (public access to APP_NAME project)
docker pull YOUR_CI_CD_IP/public/backend:latest docker pull YOUR_CI_CD_IP/APP_NAME/backend:latest
docker pull YOUR_CI_CD_IP/public/frontend:latest docker pull YOUR_CI_CD_IP/APP_NAME/frontend:latest
``` ```
#### **Authenticated Write Access** #### **Authenticated Write Access**
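Review bot: both pull examples reference the mutable `latest` tag, and the anonymous-read model gives the puller no way to know which build it received. Suggest showing a pull by digest here (`docker pull YOUR_CI_CD_IP/APP_NAME/backend@sha256:<digest>`) or at least stating that production deployments should pin a digest or an immutable tag rather than `latest`. `Anyone can pull` should also be qualified as anyone who can reach `YOUR_CI_CD_IP` on the network, since nothing else limits reads from a public project.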
@ -780,8 +771,8 @@ docker login YOUR_CI_CD_IP
# Enter: ci-user and your-secure-password # Enter: ci-user and your-secure-password
# Then push to Harbor # Then push to Harbor
docker push YOUR_CI_CD_IP/public/backend:latest docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
docker push YOUR_CI_CD_IP/public/frontend:latest docker push YOUR_CI_CD_IP/APP_NAME/frontend:latest
``` ```
#### **Harbor Web UI Access** #### **Harbor Web UI Access**
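Review bot: each CI run overwrites `backend:latest` and `frontend:latest`, so a bad push silently replaces what production pulls and there is no tag left to roll back to. Suggest pushing a second tag derived from the commit SHA alongside `latest` (e.g. `docker push YOUR_CI_CD_IP/APP_NAME/backend:$GIT_SHA`) and mentioning Harbor's per-project tag immutability rules for those tags.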
@ -791,13 +782,13 @@ https://YOUR_CI_CD_IP
``` ```
#### **Client Configuration** #### **Client Configuration**
For other machines to pull images from public projects, they only need: For other machines to pull images from the APP_NAME project, they only need:
```bash ```bash
# Add to /etc/docker/daemon.json on client machines # Add to /etc/docker/daemon.json on client machines
{ {
"insecure-registries": ["YOUR_CI_CD_IP"] "insecure-registries": ["YOUR_CI_CD_IP"]
} }
# No authentication needed for pulls from public projects # No authentication needed for pulls from APP_NAME project
``` ```
#### **CI/CD Pipeline Configuration** #### **CI/CD Pipeline Configuration**
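Review bot: `insecure-registries` makes every client skip TLS verification for `YOUR_CI_CD_IP`, so the public pulls are open to tampering on the network path, which undercuts the access model this section describes. The supported way to trust a self-signed Harbor certificate is to copy its CA certificate to `/etc/docker/certs.d/YOUR_CI_CD_IP/ca.crt` on each client, leaving verification on. If `insecure-registries` stays as a development shortcut, the `#` comment line inside the JSON object should be moved outside it, since `daemon.json` does not allow comments and a copy-paste of the block as shown fails to parse.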
@ -805,7 +796,7 @@ For automated deployments, use the `ci-user` credentials:
```bash ```bash
# In CI/CD pipeline # In CI/CD pipeline
echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin
docker push YOUR_CI_CD_IP/public/backend:latest docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
``` ```
### Step 7: Set Up SSH for Production Communication ### Step 7: Set Up SSH for Production Communication
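Review bot: the login line is broken: `--password-stdin` reads the whole of stdin as the password, so piping `ci-user:your-secure-password` sends the literal string including `ci-user:` and the login fails. It should pipe only the password, and in a pipeline that value should come from the CI secret store rather than a literal in the job definition, e.g. `echo "$HARBOR_PASSWORD" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin`.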
@ -1043,7 +1034,7 @@ docker compose ps
curl -k https://localhost:8080/api/v2.0/health curl -k https://localhost:8080/api/v2.0/health
# Test Harbor UI # Test Harbor UI
curl -k -I https://localhost:8080 curl -k -I https://localhost
``` ```
#### 11.4 Get Public Key for Production Server #### 11.4 Get Public Key for Production Server
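Review bot: the two checks now disagree on the port: the UI check drops `:8080` while the health check on the line above still targets `https://localhost:8080/api/v2.0/health`. Earlier in the guide (`curl -k -I https://localhost`, `docker login YOUR_CI_CD_IP`) Harbor is reached without a port, so the health check should be changed to `https://localhost/api/v2.0/health` as well; otherwise one of the two will fail.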