
EOEPCA+ Container Registry Deployment Guide

The Container Registry stores and distributes container images for application development and deployment.


Introduction

The Container Registry is a key part of the EOEPCA+ ecosystem. It stores and distributes container images for application development and deployment. We use Harbor, an open-source container registry, to efficiently manage images for applications on the platform, including those from the Application Hub or running within the Processing building block.

Key features of Harbor include:

  • Role-Based Access Control (RBAC): Control access to images based on user roles.
  • Vulnerability Scanning: Detect vulnerabilities in images.
  • Image Signing: Verify the authenticity of images.
  • Audit Logs: Track operations for compliance.
  • Replication: Sync images across multiple Harbor instances.

Scripted Deployment

The Harbor deployment in this guide follows the same Scripted Deployment Approach as the EOEPCA building blocks.


Architecture Overview

Harbor is made up of several components:

  • Core Services: Manage images and users.
  • Registry: Stores images and handles pull/push operations.
  • Database: Stores metadata for projects, users, and roles.
  • Job Service: Manages tasks like replication and garbage collection.
  • Trivy: Scans images for vulnerabilities.

Optional components (can be disabled if not needed):

  • Notary: Provides image signing and verification.
  • ChartMuseum: Hosts Helm charts.

Prerequisites

Before deploying the Container Registry, make sure you have:

Component          Requirement                            Documentation Link
Kubernetes         Cluster (tested on v1.28)              Deployment Guide
Helm               Version 3.5 or newer                   Installation Guide
kubectl            Configured for cluster access          Installation Guide
Ingress            Properly installed                     Documentation
TLS Certificates   Managed via cert-manager or manually   TLS Certificate Management Guide

Clone the Deployment Guide Repository:

git clone https://github.com/EOEPCA/deployment-guide
cd deployment-guide/scripts/container-registry

Validate your environment:

Run the validation script to ensure all prerequisites are met:

bash check-prerequisites.sh

Deployment

Deploying Harbor involves configuring the Helm chart with appropriate values and installing it into your Kubernetes cluster.

  1. Run the configuration script:

    bash configure-container-registry.sh
    

    The script will prompt you for configuration values and generate a generated-values.yaml file for the Helm deployment:

    • INGRESS_HOST: Base domain for ingress hosts.
      • Example: example.com
    • CLUSTER_ISSUER: Cert-manager Cluster Issuer for TLS certificates.
      • Example: letsencrypt-http01-apisix
    • STORAGE_CLASS: Storage class for persistent volumes.
      • Example: standard

    Additionally, the following keys are generated by the script and should be securely stored:

    • Harbor Admin Password: The administrative password for the Container Registry.

  2. Deploy Container Registry:

    helm repo add harbor https://helm.goharbor.io
    helm repo update harbor
    helm upgrade -i harbor harbor/harbor \
      --version 1.7.3 \
      --values generated-values.yaml \
      --namespace harbor \
      --create-namespace
    
  3. Log In

    Navigate to https://harbor.${INGRESS_HOST} in your browser.

    • Username: admin
    • Password: The password that was generated during configuration (see the ~/.eoepca/state file).

Enabling Optional Components

Set the following in the Helm values (generated-values.yaml) before running the helm upgrade command above:

  • Trivy (Vulnerability Scanning):

    trivy:
      enabled: true
    
  • ChartMuseum (Helm Chart Repository):

    chartmuseum:
      enabled: true
    
  • Notary (Image Signing):

    notary:
      enabled: true
    

Validation

Automated Validation:

bash validation.sh

Manual Validation:

  1. Check Kubernetes Resources:

    kubectl get all -l app=harbor --all-namespaces
    
  2. Access the Container Registry Dashboard:

    https://harbor.${INGRESS_HOST}

  3. Log In:

    • Username: admin
    • Password: The password you set during configuration.

  4. Test Harbor:

    • Create a project.
    • Push and pull images.
    • Optionally, test vulnerability scanning if Trivy is enabled.

Operation

Configure Docker Client:

To interact with Harbor using Docker commands, you need to configure your Docker client to trust the Harbor registry.

  1. Login to Harbor:

    source ~/.eoepca/state
    docker login -u admin -p "${HARBOR_ADMIN_PASSWORD}" harbor.${INGRESS_HOST}
    

    If you run docker login without -u and -p, enter the admin username and password when prompted.

  2. Push an Image:

    Tag an image and push it to Harbor.

    docker pull alpine:latest
    docker tag alpine:latest harbor.${INGRESS_HOST}/library/alpine:latest
    docker push harbor.${INGRESS_HOST}/library/alpine:latest
    
  3. Pull an Image:

    docker pull harbor.${INGRESS_HOST}/library/alpine:latest
    

    Note: If you’re using self-signed certificates or an untrusted CA, you may need to configure Docker to trust the registry’s certificate.

Configure Kubernetes to Pull Images from Harbor:

  1. Create an image pull secret:

    kubectl create secret docker-registry harbor-registry \
      --docker-server=harbor.${INGRESS_HOST} \
      --docker-username=admin \
      --docker-password=<your-harbor-admin-password> \
      --docker-email=<your-email> \
      -n <your-namespace>
    
  2. Reference the Secret in your Deployment:

    spec:
      containers:
        - name: my-app
          image: harbor.${INGRESS_HOST}/my-project/my-app:latest
      imagePullSecrets:
        - name: harbor-registry
    

Alternatively, you may configure cluster-wide registry credentials - as mentioned under Kubernetes Additional Guidance.
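As an added example (not part of the EOEPCA guide or the Harbor project), the following shell functions build the same `kubernetes.io/dockerconfigjson` Secret that the `kubectl create secret docker-registry` command above produces, so you can review exactly what is stored before applying it, and decode an existing manifest back to the registry host it authenticates to. The registry host, user, password and e-mail values used in the test are constructed; the secret and namespace names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the EOEPCA deployment guide or the Harbor project.
# Builds and inspects the image pull secret that `kubectl create secret docker-registry` generates.
set -eu

# Render the JSON body of a docker-registry secret for one registry host.
# Args: server username password email
# Docker clients store the credential as base64("user:pass") in the "auth" field.
make_dockerconfig() {
  local server="$1" user="$2" pass="$3" email="$4"
  local auth
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$email" "$auth"
}

# Emit a complete Secret manifest of type kubernetes.io/dockerconfigjson, ready for
# `kubectl apply -f -`. The data value is the base64 of the JSON above: encoding, not
# encryption, so anyone allowed to read Secrets in the namespace can recover the password.
# Args: name namespace server username password email
make_pull_secret_manifest() {
  local name="$1" namespace="$2" server="$3" user="$4" pass="$5" email="$6"
  local encoded
  encoded=$(make_dockerconfig "$server" "$user" "$pass" "$email" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${encoded}
EOF
}

# Read a manifest on stdin and print the registry host its credential is for, which is
# what a reviewer checks to confirm a pull secret targets the expected Harbor instance.
registry_from_manifest() {
  sed -n 's/^  \.dockerconfigjson: //p' | base64 -d | sed 's/.*"auths":{"\([^"]*\)".*/\1/'
}

# Usage (values read from the state file written by the configuration script):
#   source ~/.eoepca/state
#   make_pull_secret_manifest harbor-registry my-namespace "harbor.${INGRESS_HOST}" \
#       admin "${HARBOR_ADMIN_PASSWORD}" you@example.com | kubectl apply -f -
```

Because the Secret only base64-encodes the credential, restrict `get`/`list` on Secrets in the application namespace to the service accounts that need it, and prefer a dedicated least-privilege Harbor account for pulls (Harbor provides robot accounts for this) over the admin credential used in the examples above.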


Uninstallation

To uninstall Harbor and clean up associated resources:

helm -n harbor uninstall harbor


Further Reading


Feedback

If you encounter any issues or have suggestions for improvement, please open an issue on the EOEPCA+ Deployment Guide GitHub Repository.