Update guide to create a single repository in Harbor for public reads and authenticated writes

continuist 2025-06-29 12:46:54 -04:00
parent c9aa37d6cf
commit 583b8c6c65


@ -662,19 +662,13 @@ curl -k -I https://localhost
#### 5.10 Configure Harbor for Public Read, Authenticated Write
1. **Create a Public Project**:
1. **Create Application Project**:
- Go to **Projects** → **New Project**
- Set **Project Name**: `public`
- Set **Project Name**: `APP_NAME` (replace with your actual application name)
- Set **Access Level**: `Public`
- Click **OK**
2. **Create a Private Project** (for authenticated writes):
- Go to **Projects** → **New Project**
- Set **Project Name**: `private`
- Set **Access Level**: `Private`
- Click **OK**
3. **Create a User for CI/CD**:
2. **Create a User for CI/CD**:
- Go to **Administration****Users** → **New User**
- Set **Username**: `ci-user`
- Set **Email**: `ci@example.com`
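Review bot: Dropping the **Create a Private Project** step leaves the guide with a single project whose **Access Level** is `Public`, so step 1 should say outright that every image pushed to `APP_NAME` can be pulled without credentials and must not carry secrets or build-time credentials. If any image needs restricted pulls, keep the private project as an optional step instead of deleting it.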
@ -682,6 +676,8 @@ curl -k -I https://localhost
- Set **Role**: `Developer`
- Click **OK**
**Note**: With a public project, anyone can pull images without authentication, but only authenticated users (like `ci-user`) can push images. This provides the perfect balance of ease of use for deployments and security for image management.
#### 5.11 Test Harbor Authentication and Access Model
```bash
@ -693,21 +689,21 @@ docker login YOUR_CI_CD_IP
echo "FROM alpine:latest" > /tmp/test.Dockerfile
echo "RUN echo 'Hello from Harbor test image'" >> /tmp/test.Dockerfile
# Build and tag test image for public project
docker build -f /tmp/test.Dockerfile -t YOUR_CI_CD_IP/public/test:latest /tmp
# Build and tag test image for APP_NAME project
docker build -f /tmp/test.Dockerfile -t YOUR_CI_CD_IP/APP_NAME/test:latest /tmp
# Push to Harbor (requires authentication)
docker push YOUR_CI_CD_IP/public/test:latest
docker push YOUR_CI_CD_IP/APP_NAME/test:latest
# Verify image is in Harbor
curl -k https://localhost/v2/_catalog
# Test public pull (no authentication required)
docker logout YOUR_CI_CD_IP
docker pull YOUR_CI_CD_IP/public/test:latest
docker pull YOUR_CI_CD_IP/APP_NAME/test:latest
# Clean up test image
docker rmi YOUR_CI_CD_IP/public/test:latest
docker rmi YOUR_CI_CD_IP/APP_NAME/test:latest
```
**Expected behavior**:
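Review bot: The "Clean up test image" step only runs `docker rmi`, which removes the local tag, so `APP_NAME/test:latest` stays in Harbor and, since the project is public, remains pullable by anyone without credentials. Add a step that deletes the `test` repository from the project after the check, or say that it is left behind on purpose.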
@ -719,16 +715,11 @@ docker rmi YOUR_CI_CD_IP/public/test:latest
Your Harbor registry is now configured with the following access model:
**Public Projects** (like `public`):
**APP_NAME Project**:
- ✅ **Pull (read)**: No authentication required
- ✅ **Push (write)**: Requires authentication
- ✅ **Web UI**: Accessible to view images
**Private Projects** (like `private`):
- ✅ **Pull (read)**: Requires authentication
- ✅ **Push (write)**: Requires authentication
- ✅ **Web UI**: Requires authentication
**Security Features**:
- ✅ **Vulnerability scanning**: Automatic CVE scanning with Trivy
- ✅ **Role-based access control**: Different user roles (admin, developer, guest)
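Review bot: "**Push (write)**: Requires authentication" in the `APP_NAME` summary states the condition too loosely, given that the **Security Features** list directly below names distinct roles (admin, developer, guest): what allows a push is the account's role on the project, not the login by itself. Say which role is needed (the guide gives `ci-user` the `Developer` role) and use the same wording in the note added under 5.10. The new heading also drops the backticks that step 1 uses for `APP_NAME`.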
@ -765,11 +756,11 @@ sudo systemctl restart docker
Your Harbor registry is now configured with the following access model:
#### **Public Read Access**
Anyone can pull images from public projects without authentication:
Anyone can pull images from the APP_NAME project without authentication:
```bash
# From any machine (public access to public projects)
docker pull YOUR_CI_CD_IP/public/backend:latest
docker pull YOUR_CI_CD_IP/public/frontend:latest
# From any machine (public access to APP_NAME project)
docker pull YOUR_CI_CD_IP/APP_NAME/backend:latest
docker pull YOUR_CI_CD_IP/APP_NAME/frontend:latest
```
#### **Authenticated Write Access**
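Review bot: This section opens with the same sentence as the summary changed in the previous hunk ("Your Harbor registry is now configured with the following access model:"), so the guide carries two access-model descriptions and this rename had to touch both. Merge them or have one refer to the other, otherwise the next change to the access model is likely to update only one.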
@ -780,8 +771,8 @@ docker login YOUR_CI_CD_IP
# Enter: ci-user and your-secure-password
# Then push to Harbor
docker push YOUR_CI_CD_IP/public/backend:latest
docker push YOUR_CI_CD_IP/public/frontend:latest
docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
docker push YOUR_CI_CD_IP/APP_NAME/frontend:latest
```
#### **Harbor Web UI Access**
@ -791,13 +782,13 @@ https://YOUR_CI_CD_IP
```
#### **Client Configuration**
For other machines to pull images from public projects, they only need:
For other machines to pull images from the APP_NAME project, they only need:
```bash
# Add to /etc/docker/daemon.json on client machines
{
"insecure-registries": ["YOUR_CI_CD_IP"]
}
# No authentication needed for pulls from public projects
# No authentication needed for pulls from APP_NAME project
```
#### **CI/CD Pipeline Configuration**
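Review bot: The changed comment `# No authentication needed for pulls from APP_NAME project` sits inside the same block as the `daemon.json` content, and JSON has no `#` comments, so a reader who copies the block as shown ends up with a file Docker cannot parse. Move both comments out of the block and fence the JSON separately. This is also the place to state that `insecure-registries` makes the client skip certificate verification for `YOUR_CI_CD_IP`, so these anonymous pulls give no assurance about which server answered.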
@ -805,7 +796,7 @@ For automated deployments, use the `ci-user` credentials:
```bash
# In CI/CD pipeline
echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin
docker push YOUR_CI_CD_IP/public/backend:latest
docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
```
### Step 7: Set Up SSH for Production Communication
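Review bot: The context line above the changed push pipes `ci-user:your-secure-password` into `docker login ... --password-stdin`, but `--password-stdin` reads only the password, so the login is attempted with the string `ci-user:your-secure-password` and the push to `APP_NAME/backend:latest` would then be rejected. Pipe just the password, and read it from a CI secret variable rather than writing it literally in the pipeline.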
@ -1043,7 +1034,7 @@ docker compose ps
curl -k https://localhost:8080/api/v2.0/health
# Test Harbor UI
curl -k -I https://localhost:8080
curl -k -I https://localhost
```
#### 11.4 Get Public Key for Production Server
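Review bot: The UI check now targets `https://localhost`, but the health check two lines above it still uses `https://localhost:8080/api/v2.0/health`. If Harbor no longer listens on 8080, that line needs the same change; if it still does, a short comment explaining why the two checks use different ports would help.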