diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index f033908..366adb9 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md 
@@ -1321,23 +1321,61 @@ sudo usermod -aG docker PROD_SERVICE_USER ### Step 13: Configure Docker for Harbor Access -**Important**: The Production Linode needs to be able to pull Docker images from the Harbor registry on the CI/CD Linode. +**Important**: The Production Linode needs to be able to pull Docker images from the Harbor registry on the CI/CD Linode. We need to configure Docker to trust the Harbor SSL certificate. ```bash -# Add the CI/CD Harbor registry to Docker's insecure registries -sudo mkdir -p /etc/docker -sudo tee /etc/docker/daemon.json << EOF -{ - "insecure-registries": ["YOUR_CI_CD_IP:8080"] -} -EOF +# Add Harbor certificate to system CA certificates +sudo mkdir -p /usr/local/share/ca-certificates + +# Copy Harbor certificate from CI Linode to local machine, then to Production Linode +# First, from your local machine, copy the certificate from CI Linode: +scp CI_DEPLOY_USER@YOUR_CI_CD_IP:/etc/ssl/registry/registry.crt ./ + +# Then copy it to the Production Linode: +scp registry.crt PROD_DEPLOY_USER@YOUR_PRODUCTION_IP:/tmp/ + +# Remove the cert from your local machine as no longer needed +rm registry.crt + +# Now on the Production Linode, move it to the correct location: +sudo mv /tmp/registry.crt /usr/local/share/ca-certificates/ + +# Fix certificate ownership (crucial for CA certificate trust) +sudo chown root:root /usr/local/share/ca-certificates/registry.crt + +# Update CA certificates +sudo update-ca-certificates # Restart Docker to apply changes sudo systemctl restart docker + +# Change to the PROD_SERVICE_USER +sudo su - PROD_SERVICE_USER + +# Test that the certificate is working by pulling an image from Harbor +docker pull YOUR_CI_CD_IP/APP_NAME/test:latest + +# If the pull succeeds, the certificate is working correctly + +# Change back to PROD_DEPLOY_USER +exit ``` **Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. 
+**What this does**: +- **Copies Harbor certificate**: Transfers the SSL certificate from CI Linode to Production Linode via your local machine +- **Configures certificate trust**: Properly sets up Harbor certificate trust in Docker +- **Fixes ownership issues**: Ensures certificate has correct ownership for CA trust +- **Updates CA certificates**: Makes the certificate available to all applications +- **Restarts Docker**: Applies the new configuration +- **Tests certificate**: Verifies that Docker can successfully pull images from Harbor + +**Note**: Since you don't have direct SSH access between the Linodes, you'll need to copy the certificate through your local machine using the deployment users: +1. From your local machine: `scp CI_DEPLOY_USER@YOUR_CI_CD_IP:/etc/ssl/registry/registry.crt ./` +2. Then: `scp registry.crt PROD_DEPLOY_USER@YOUR_PRODUCTION_IP:/tmp/` +3. On Production Linode: `sudo mv /tmp/registry.crt /usr/local/share/ca-certificates/` + ### Step 14: Set Up Forgejo Runner for Production Deployment **Important**: The Production Linode needs a Forgejo runner to execute the deployment job from the CI/CD workflow. This runner will pull images from Harbor and deploy using `docker-compose.prod.yml`.
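Review bot: the verification step `docker pull YOUR_CI_CD_IP/APP_NAME/test:latest` drops the `:8080` port that the removed `"insecure-registries": ["YOUR_CI_CD_IP:8080"]` entry used, so if Harbor is still served on 8080 the pull will go to 443 and fail even when the CA trust is set up correctly; either add the port back to the pull command or state that Harbor is now expected on 443. Two related points for the same hunk: trusting `registry.crt` system-wide only helps if that certificate's Subject Alternative Name actually contains `YOUR_CI_CD_IP` (Docker validates the name, not just the chain), so the text should say that the certificate issued in the Harbor setup step must include the IP or hostname used in the pull; and readers who followed the previous version of this guide will still have the `insecure-registries` entry in `/etc/docker/daemon.json`, which silently keeps plaintext/unverified access to the registry, so the hunk should instruct removing that entry before `sudo systemctl restart docker`. Finally, the unchanged reminder `Replace YOUR_CI_CD_IP with your actual CI/CD Linode IP address` now covers only one of several placeholders introduced here (`CI_DEPLOY_USER`, `PROD_DEPLOY_USER`, `YOUR_PRODUCTION_IP`, `APP_NAME`, `PROD_SERVICE_USER`), and the single bash block mixes commands run on the local machine with commands run on the Production Linode; splitting it into two fenced blocks, one per host, would make the order of operations clearer than the duplicated numbered list under **Note**.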