Harbor Container Registry

The Harbor registry is the project's primary container registry.

Why Migrate to Harbor?

  • S3 Storage Backend - Frees up GitLab disk space (no more local storage issues)
  • Cosign Integration - Image signing works seamlessly
  • Automatic Cleanup - Retention policies and garbage collection configured
  • Proxy Caches - Faster builds, no rate limits, offline resilience

Quick Start

Use ICVR Project for Your Images

Use the new Harbor registry instead of GitLab for container images:

# Old: GitLab registry
FROM registry.gitlab.com/icvr/project/image:tag
# New: Harbor registry
FROM harbor.icvr.xyz/icvr/project/image:tag

CI/CD pipeline usage:

# Docker build and push
include:
  - project: "ICVR/General/Templates"
    file: "/docker-builds/k8s.gitlab-ci.yml"
variables:
  DOCKER_PUSH_TARGETS: harbor
  CI_VAULT_CLIENT: ICVR
  CI_VAULT_PROJECT: Harbor

Credentials are available in the Vault service:

  • DEV: ICVR/Harbor/DEV (JWT role: icvr-harbor-dev)
  • STAGE: ICVR/Harbor/STAGE (JWT role: icvr-harbor-stage)
  • PROD: ICVR/Harbor/PROD (JWT role: icvr-harbor-prod)

Use Proxy Caches for Base Images

Update your Dockerfiles to pull from Harbor proxy caches:

Direct from registries - slow, rate limited

FROM node:18-alpine
FROM bitnami/postgresql:15
FROM public.ecr.aws/eks/aws-load-balancer-controller:v2.4.0
FROM mcr.microsoft.com/dotnet/sdk:9.0

Through Harbor proxy cache - fast, cached

FROM harbor.icvr.xyz/dockerhub/library/node:18-alpine
FROM harbor.icvr.xyz/dockerhub/bitnami/postgresql:15
FROM harbor.icvr.xyz/aws/eks/aws-load-balancer-controller:v2.4.0
FROM harbor.icvr.xyz/mcr/dotnet/sdk:9.0

Update Helm charts (direct install):

# Old: directly from Docker Hub
helm install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak
# New: through the Harbor proxy cache
helm install keycloak oci://harbor.icvr.xyz/dockerhub/bitnamicharts/keycloak

Update kustomize + helm (our production flow):

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

helmCharts:
  - name: keycloak
    namespace: keycloak
    releaseName: keycloak
    # ❌ Old
    # repo: oci://registry-1.docker.io/bitnamicharts
    # ✅ New
    repo: oci://harbor.icvr.xyz/dockerhub/bitnamicharts
    version: 25.2.0
    valuesFile: values.yaml

# Optional: Override Bitnami chart images to use Harbor proxy
# (uncomment if chart doesn't support custom registry)
# image:
#   registry: harbor.icvr.xyz/dockerhub
#   repository: bitnami/keycloak

Available Proxy Caches

| Service | URL |
|---|---|
| dockerhub - Docker Hub (includes Bitnami) | harbor.icvr.xyz/dockerhub/library/nginx:latest, harbor.icvr.xyz/dockerhub/bitnami/postgresql:15 |
| aws - AWS ECR Public | harbor.icvr.xyz/aws/eks/aws-load-balancer-controller:latest |
| gcr - Google Container Registry | harbor.icvr.xyz/gcr/google-samples/hello-app:1.0 |
| quay - Quay.io | harbor.icvr.xyz/quay/prometheus/prometheus:latest |
| mcr - Microsoft Container Registry | harbor.icvr.xyz/mcr/dotnet/runtime:8.0 |

Note

Bitnami images and Helm charts go through the dockerhub cache.
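A CI-style check for Dockerfiles that still pull base images directly from upstream, with the proxy-cache path to use instead. This is an added example, not part of the project's templates: the names `to_harbor` and `check_dockerfile` are hypothetical, the `gcr.io` and `quay.io` upstream hosts are assumed from the service names in the table, and the sample Dockerfile is constructed.

```python
import re

HARBOR = "harbor.icvr.xyz"
# Upstream host -> Harbor proxy-cache project, from the table above.
# Assumption: gcr.io and quay.io are the upstream hosts behind "gcr" and "quay".
PROXY_PROJECTS = {"docker.io": "dockerhub", "registry-1.docker.io": "dockerhub",
                  "public.ecr.aws": "aws", "mcr.microsoft.com": "mcr",
                  "gcr.io": "gcr", "quay.io": "quay"}
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

def to_harbor(image):
    """Map an upstream image reference to its proxy-cache path, or None."""
    first, _, rest = image.partition("/")
    # Docker treats the first component as a registry host only if it contains
    # '.' or ':' or equals 'localhost'; anything else is a Docker Hub path.
    is_host = bool(rest) and ("." in first or ":" in first or first == "localhost")
    host, path = (first, rest) if is_host else ("docker.io", image)
    project = PROXY_PROJECTS.get(host)
    if project is None or "$" in image:
        return None  # unlisted registry or ARG-templated name: review by hand
    if project == "dockerhub" and "/" not in path:
        path = "library/" + path  # Docker Hub official images live under library/
    return f"{HARBOR}/{project}/{path}"

def check_dockerfile(text):
    """Return (line_no, image, suggestion) for each FROM that bypasses Harbor."""
    findings, stages = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        external = image != "scratch" and image.lower() not in stages
        if external and not image.startswith(HARBOR + "/"):
            findings.append((no, image, to_harbor(image)))
        if alias:
            stages.add(alias.lower())
    return findings

# Constructed sample Dockerfile, not taken from the page's project.
SAMPLE = """\
FROM node:18-alpine AS build
FROM --platform=linux/amd64 mcr.microsoft.com/dotnet/sdk:9.0 AS sdk
FROM harbor.icvr.xyz/dockerhub/bitnami/postgresql:15
FROM build AS final
FROM ghcr.io/example/tool:1.0
"""

for no, image, fix in check_dockerfile(SAMPLE):
    print(f"line {no}: {image} -> {fix or 'no proxy cache listed, review'}")
```

A finding with no suggestion means the image comes from a registry that has no proxy cache in the table, so it still depends on a direct upstream pull.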

Benefits

  • Faster Builds - Images cached locally, no waiting for upstream downloads
  • No Rate Limits - Avoid Docker Hub's 100 pulls/6 hours limit
  • Better Storage - GitLab disk space freed up (Harbor uses S3)
  • Image Signing - Cosign integration for security compliance
  • Automatic Cleanup - No manual image management needed
  • Offline Resilience - Builds work even if upstream registries are down