
EOEPCA+ Container Registry Deployment Guide

The Container Registry stores and distributes container images for application development and deployment.

Table of Contents

  1. Introduction
  2. Architecture Overview
  3. Prerequisites
  4. Deployment
  5. Validation and Operation
  6. Uninstallation
  7. Further Reading
  8. Feedback

Introduction

The Container Registry is a key part of the EOEPCA+ ecosystem. It stores and distributes container images for application development and deployment. We use Harbor, an open-source container registry, to efficiently manage images for applications on the platform, including those from the Application Hub or running within the Processing building block.

Key features of Harbor include:

  • Role-Based Access Control (RBAC): Control access to images based on user roles.
  • Vulnerability Scanning: Detect vulnerabilities in images.
  • Image Signing: Verify the authenticity of images.
  • Audit Logs: Track operations for compliance.
  • Replication: Sync images across multiple Harbor instances.

Architecture Overview

Harbor is made up of several components:

  • Core Services: Manage images and users.
  • Registry: Stores images and handles pull/push operations.
  • Database: Stores metadata for projects, users, and roles.
  • Job Service: Manages tasks like replication and garbage collection.
  • Trivy: Scans images for vulnerabilities.

Optional components (can be disabled if not needed):

  • Notary: Provides image signing and verification.
  • ChartMuseum: Hosts Helm charts.

Prerequisites

Before deploying the Container Registry, make sure you have:

| Component        | Requirement                          | Documentation Link               |
|------------------|--------------------------------------|----------------------------------|
| Kubernetes       | Cluster (tested on v1.28)            | Deployment Guide                 |
| Helm             | Version 3.5 or newer                 | Installation Guide               |
| kubectl          | Configured for cluster access        | Installation Guide               |
| Ingress          | Properly installed                   | Documentation                    |
| TLS Certificates | Managed via cert-manager or manually | TLS Certificate Management Guide |

Clone the Deployment Guide Repository:

git clone -b 2.0-beta https://github.com/EOEPCA/deployment-guide
cd deployment-guide/scripts/container-registry

Validate your environment:

Run the validation script to ensure all prerequisites are met:

bash check-prerequisites.sh

Deployment

Deploying Harbor involves configuring the Helm chart with appropriate values and installing it into your Kubernetes cluster.

  1. Run the Configuration Script:

     bash configure-container-registry.sh

     The script will prompt you for configuration values and generate a generated-values.yaml file for the Helm deployment. Additionally, the following keys are generated by the script and should be securely stored:

     • Harbor Admin Password: The administrative password for the Container Registry.

  2. Key Configuration Parameters:

     • INGRESS_HOST: Base domain for ingress hosts.
       • Example: example.com
     • CLUSTER_ISSUER: Cert-manager Cluster Issuer for TLS certificates.
       • Example: letsencrypt-prod
     • STORAGE_CLASS: Storage class for persistent volumes.
       • Example: managed-nfs-storage-retain

  3. Deploy Container Registry:

     helm install harbor harbor \
       --version 1.7.3 \
       --values generated-values.yaml \
       --repo https://helm.goharbor.io \
       --namespace harbor \
       --create-namespace

  4. Log In:

     • Username: admin
     • Password: The password that was generated during configuration. (Alternatively, check the ~/.eoepca/state file.)

Validation

Automated Validation:

bash validation.sh

Manual Validation:

  1. Check Kubernetes Resources:

     kubectl get all -l app=harbor --all-namespaces

  2. Access Container Registry Dashboard:

     https://harbor.<your-domain>

  3. Log In:

     • Username: admin
     • Password: The password you set during configuration.

  4. Test Harbor:

     • Create a project.
     • Push and pull images.
     • Optionally, test vulnerability scanning if Trivy is enabled.
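As an added check (not part of the original guide), the shell helper below queries Harbor's own health endpoint and reports any component that is not healthy, which is a quicker signal than reading `kubectl get all` output. It assumes Harbor answers `GET https://<host>/api/v2.0/health` with a top-level `status` and a `components` array of `name`/`status` objects; the sample response is constructed, not captured from a deployment.

```shell
#!/usr/bin/env bash
# Added example: check Harbor's health endpoint after deployment.
# Assumed response shape (Harbor API v2.0):
# {"status":"...","components":[{"name":"core","status":"healthy"},...]}
set -eu

# harbor_health HOST -> raw JSON from the health endpoint (needs network access)
harbor_health() {
  curl -fsS "https://$1/api/v2.0/health"
}

# unhealthy_components JSON -> prints the name of each component whose status is not "healthy"
unhealthy_components() {
  # Split the JSON on '{' so every component object lands on its own line;
  # the leading chunk carries the overall status and no "name", so it is skipped.
  printf '%s\n' "$1" | tr '{' '\n' | while IFS= read -r chunk; do
    name=$(printf '%s' "$chunk" | sed -n 's/.*"name":"\([^"]*\)".*/\1/p')
    status=$(printf '%s' "$chunk" | sed -n 's/.*"status":"\([^"]*\)".*/\1/p')
    if [ -n "$name" ] && [ "$status" != healthy ]; then
      printf '%s\n' "$name"
    fi
  done
}

# check_harbor_health JSON -> returns 0 when every component is healthy, 1 otherwise
check_harbor_health() {
  bad=$(unhealthy_components "$1")
  if [ -n "$bad" ]; then
    printf 'unhealthy Harbor components:\n%s\n' "$bad" >&2
    return 1
  fi
  echo "all Harbor components healthy"
}

# Constructed sample response (placeholder data, not from a real instance)
SAMPLE_HEALTH='{"status":"unhealthy","components":[{"name":"core","status":"healthy"},{"name":"database","status":"healthy"},{"name":"trivy","status":"unhealthy","error":"connection refused"},{"name":"registry","status":"healthy"}]}'

# Against a live instance: check_harbor_health "$(harbor_health harbor.example.com)"
```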

Operation

Configure Docker Client:

To interact with Harbor using Docker commands, you need to configure your Docker client to trust the Harbor registry.

  1. Log in to Harbor:

     docker login harbor.<your-domain>

     Enter the admin username and password when prompted.

  2. Push an Image:

     Tag an image and push it to Harbor.

     docker tag alpine:latest harbor.<your-domain>/library/alpine:latest
     docker push harbor.<your-domain>/library/alpine:latest

  3. Pull an Image:

     docker pull harbor.<your-domain>/library/alpine:latest

Note: If you’re using self-signed certificates or an untrusted CA, you may need to configure Docker to trust the registry’s certificate.

Configure Kubernetes to Pull Images from Harbor:

  1. Create an image pull secret:

     kubectl create secret docker-registry harbor-registry \
       --docker-server=harbor.<your-domain> \
       --docker-username=admin \
       --docker-password=<your-harbor-admin-password> \
       --docker-email=<your-email> \
       -n <your-namespace>

  2. Reference the Secret in your Deployment:

     spec:
       containers:
         - name: my-app
           image: harbor.<your-domain>/my-project/my-app:latest
       imagePullSecrets:
         - name: harbor-registry
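The pull secret created above stores the registry credentials base64-encoded (not encrypted) in a kubernetes.io/dockerconfigjson Secret, readable by anyone who can read Secrets in that namespace, so a dedicated pull-only account is preferable to the admin account. As an added example (not the guide's own script), the helpers below render the same Secret manifest declaratively and decode a manifest back to the embedded username so an existing secret can be checked; all server names and credentials are placeholders.

```shell
#!/usr/bin/env bash
# Added example: build and inspect the kubernetes.io/dockerconfigjson Secret that
# `kubectl create secret docker-registry` generates. All values are placeholders.
set -eu

b64() { base64 | tr -d '\n'; }   # single-line base64 on both GNU and BSD base64

# dockerconfigjson SERVER USER PASSWORD EMAIL -> the Docker config JSON on stdout
# (passwords containing double quotes or backslashes would need JSON escaping)
dockerconfigjson() {
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$auth"
}

# pull_secret_manifest NAME NAMESPACE SERVER USER PASSWORD EMAIL -> Secret manifest on stdout
pull_secret_manifest() {
  cfg=$(dockerconfigjson "$3" "$4" "$5" "$6" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# pull_secret_username < manifest -> the username embedded in the secret, so you can
# confirm it is a dedicated pull account and not the Harbor admin account
pull_secret_username() {
  awk '/^ *\.dockerconfigjson:/ { print $2 }' | base64 -d \
    | sed -n 's/.*"username":"\([^"]*\)".*/\1/p'
}

# Usage (placeholders): pull_secret_manifest harbor-registry my-namespace \
#   harbor.example.com harbor-pull 'S3cret!' ops@example.com | kubectl apply -f -
```

To audit a secret already in the cluster, pipe `kubectl get secret harbor-registry -n <your-namespace> -o yaml` into `pull_secret_username`.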

Uninstallation

To uninstall Harbor and clean up associated resources:

helm uninstall harbor -n harbor


Further Reading


Feedback

If you encounter any issues or have suggestions for improvement, please open an issue on the EOEPCA+ Deployment Guide GitHub Repository.


Enabling Optional Components

Set the corresponding value in the Helm values file used for the deployment:

  • Trivy (Vulnerability Scanning):

    trivy:
      enabled: true

  • ChartMuseum (Helm Chart Repository):

    chartmuseum:
      enabled: true

  • Notary (Image Signing):

    notary:
      enabled: true