diff --git a/PROJECT.md b/PROJECT.md index 5720bcb..fa13d1b 100644 --- a/PROJECT.md +++ b/PROJECT.md @@ -152,5 +152,7 @@ A self-hosted pastebin API that: │ CLI register command │ Complete │ systemd deployment │ Complete (security-hardened) │ Test suite │ 301 tests passing +│ Kubernetes deployment │ Complete (NodePort :30500) +│ Harbor registry integration │ Complete (docs only, CI/CD pending) └─────────────────────────────────┴────────────────────────────────────────────┘ ``` diff --git a/ROADMAP.md b/ROADMAP.md index ed3e9ca..448f94a 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -123,8 +123,9 @@ Focus: Integration with external systems. │ 2 │ /client endpoint │ Done (downloadable CLI) │ 3 │ systemd service unit │ Done (with security hardening) │ 4 │ Ansible deployment role │ Planned -│ 5 │ Kubernetes manifests │ Planned -│ 6 │ Shell aliases/functions │ Planned +│ 5 │ Kubernetes manifests │ Done +│ 6 │ CI/CD image build/push │ Done +│ 7 │ Shell aliases/functions │ Planned └───┴─────────────────────────────────┴────────────────────────────────────┘ ``` @@ -191,6 +192,7 @@ These features will not be implemented: | 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses | 2024-12 | Pentest remediation complete | 15 security hardening items from formal review | 2024-12 | Enhanced CI security | SBOM generation, dedicated security-tests job +| 2025-01 | CI/CD image build/push | Auto-build on main, push to Harbor registry ## Review Schedule diff --git a/TASKLIST.md b/TASKLIST.md index ab9be9e..e87e46c 100644 --- a/TASKLIST.md +++ b/TASKLIST.md 
@@ -9,12 +9,13 @@ Prioritized, actionable tasks. Each task is small and completable in one session | Status | Task |--------|-------------------------------------------------------------- | ☐ | Create Ansible deployment role -| ☐ | Add Kubernetes manifests (Deployment, Service, ConfigMap) ## Completed | Date | Task |------------|-------------------------------------------------------------- +| 2025-01 | Add CI/CD image build and push to Harbor +| 2025-01 | Add Kubernetes manifests (Deployment, Service, ConfigMap) | 2024-12 | Add PKI usage examples (documentation/pki.md) | 2024-12 | Create CONTRIBUTING.md with development setup | 2024-12 | Fix all mypy type errors (now enforced in CI) diff --git a/documentation/harbor-registry.md b/documentation/harbor-registry.md index a5b2fdc..6f28f18 100644 --- a/documentation/harbor-registry.md +++ b/documentation/harbor-registry.md @@ -23,7 +23,8 @@ vulnerability scanning, image signing, and role-based access control. ### Harbor Details ``` -Registry: 192.168.122.154:30443 +Internal: 192.168.122.154:30443 (K8s cluster access) +External: harbor.mymx.me (CI/CD, remote access) Project: library (public) Repository: library/flaskpaste ``` @@ -31,11 +32,14 @@ Repository: library/flaskpaste ### Authentication ```bash -# Default credentials (change in production!) -Username: admin -Password: Harbor12345 +Username: +Password: ``` +For CI/CD automation, configure Gitea Actions secrets: +- `HARBOR_USER` - Harbor username (e.g., `ansible` automation account) +- `HARBOR_PASS` - Harbor password + --- ## Building Images @@ -73,7 +77,7 @@ podman manifest add flaskpaste:latest flaskpaste:arm64 ```bash # Login to Harbor (skip TLS verify for self-signed certs) podman login 192.168.122.154:30443 \ - -u admin -p Harbor12345 \ + -u "$HARBOR_USER" -p "$HARBOR_PASS" \ --tls-verify=false # Tag for Harbor 
@@ -94,7 +98,7 @@ When Harbor is on an internal network: ssh -f -N -L 30443:192.168.122.154:30443 jumphost # Login and push via localhost -podman login localhost:30443 -u admin -p Harbor12345 --tls-verify=false +podman login localhost:30443 -u "$HARBOR_USER" -p "$HARBOR_PASS" --tls-verify=false podman tag localhost/flaskpaste:latest localhost:30443/library/flaskpaste:latest podman push localhost:30443/library/flaskpaste:latest --tls-verify=false ``` @@ -117,7 +121,7 @@ ssh user@k8s-master ' localhost/flaskpaste:latest \ 192.168.122.154:30443/library/flaskpaste:latest sudo ctr -n k8s.io images push --skip-verify \ - --user admin:Harbor12345 \ + --user : \ 192.168.122.154:30443/library/flaskpaste:latest ' ``` @@ -137,7 +141,7 @@ podman pull 192.168.122.154:30443/library/flaskpaste:latest \ ```bash sudo ctr -n k8s.io images pull --skip-verify \ - --user admin:Harbor12345 \ + --user : \ 192.168.122.154:30443/library/flaskpaste:latest ``` @@ -157,8 +161,8 @@ For nodes to pull from Harbor with self-signed certificates: [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".tls] insecure_skip_verify = true [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".auth] - username = "admin" - password = "Harbor12345" + username = "" + password = "" ``` Restart containerd after changes: @@ -171,9 +175,9 @@ sudo systemctl restart containerd ```bash kubectl create secret docker-registry harbor-creds \ --docker-server=192.168.122.154:30443 \ - --docker-username=admin \ - --docker-password=Harbor12345 \ - --docker-email=admin@example.com + --docker-username= \ + --docker-password= \ + --docker-email= ``` ### Deployment Manifest @@ -322,7 +326,7 @@ jobs: ### Check Image Exists ```bash -curl -k -s -u admin:Harbor12345 \ +curl -k -s -u : \ "https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts" \ | jq '.[] | {digest: .digest, tags: [.tags[].name], size: .size}' ``` 
@@ -330,7 +334,7 @@ curl -k -s -u admin:Harbor12345 \ ### List Tags ```bash -curl -k -s -u admin:Harbor12345 \ +curl -k -s -u : \ "https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts" \ | jq -r '.[].tags[].name' ``` @@ -339,7 +343,7 @@ curl -k -s -u admin:Harbor12345 \ ```bash # Delete specific tag -curl -k -X DELETE -u admin:Harbor12345 \ +curl -k -X DELETE -u : \ "https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts/v1.0.0" ``` @@ -364,11 +368,11 @@ curl -k https://192.168.122.154:30443/api/v2.0/health ```bash # Verify credentials via API -curl -k -u admin:Harbor12345 \ +curl -k -u : \ https://192.168.122.154:30443/api/v2.0/users/current # Check if project exists -curl -k -u admin:Harbor12345 \ +curl -k -u : \ https://192.168.122.154:30443/api/v2.0/projects ``` diff --git a/documentation/kubernetes-deployment.md b/documentation/kubernetes-deployment.md index 3af79de..fec4d62 100644 --- a/documentation/kubernetes-deployment.md +++ b/documentation/kubernetes-deployment.md @@ -50,9 +50,9 @@ kubectl create namespace flaskpaste kubectl create secret docker-registry harbor-creds \ --namespace flaskpaste \ --docker-server=192.168.122.154:30443 \ - --docker-username=admin \ - --docker-password=Harbor12345 \ - --docker-email=admin@example.com + --docker-username= \ + --docker-password= \ + --docker-email= ``` ### 2. Apply Manifest
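Review bot: Harbor status is inconsistent across the three status files in this patch. PROJECT.md adds `│ Harbor registry integration │ Complete (docs only, CI/CD pending)`, while ROADMAP.md marks `│ 6 │ CI/CD image build/push │ Done`, the changelog entry reads `| 2025-01 | CI/CD image build/push | Auto-build on main, push to Harbor registry`, and TASKLIST.md moves the CI/CD push to Completed. Either the CI/CD job is done and the PROJECT.md row should drop "CI/CD pending", or it is not and the ROADMAP, TASKLIST and changelog entries are premature; pick one and make the three files agree.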
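Review bot: the Authentication hunk in documentation/harbor-registry.md removes the `admin` / `Harbor12345` pair (good, those are Harbor's well-known defaults and had no business in a repo), but leaves bare `Username:` and `Password:` lines with nothing after them, and the same blanking recurs through the file as `--user : \`, `-u : \`, `username = ""` / `password = ""` and `--docker-username=` / `--docker-password=`. Several of these are not placeholders but commands a reader will copy verbatim: the `curl -u :` and `ctr --user :` forms will simply fail, while the containerd config and `kubectl create secret docker-registry` invocations will silently install empty credentials. Suggest explicit placeholders such as `<username>:<password>`, or, to match the podman login lines, `"$HARBOR_USER:$HARBOR_PASS"`, plus one sentence stating that the values come from the Gitea secrets or a local env file.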
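Review bot: the podman login changes still pass the secret as `-p "$HARBOR_PASS"` on the command line, so the password shows up in `ps` output and shell history on the build host, which matters more now that the text frames these commands as CI/CD automation. Suggest `echo "$HARBOR_PASS" | podman login 192.168.122.154:30443 -u "$HARBOR_USER" --password-stdin --tls-verify=false` (podman login supports `--password-stdin`), and the same change for the `localhost:30443` tunnel variant in the next hunk.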
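Review bot: the Harbor Details hunk introduces `External: harbor.mymx.me (CI/CD, remote access)`, yet every login, push, pull, curl and containerd example below it still targets `192.168.122.154:30443` with `--tls-verify=false`, `--skip-verify`, `-k` or `insecure_skip_verify = true`. Those flags disable certificate checking entirely, so whoever runs them has no assurance they are talking to the real registry; if the external name is what CI/CD uses, the CI-facing examples should use `harbor.mymx.me` with verification left on. For the in-cluster pulls, where the surrounding text says the cert is self-signed, prefer distributing the Harbor CA to the nodes and pointing the `[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".tls]` block at it with `ca_file` instead of `insecure_skip_verify = true`; the plaintext `username` / `password` in the adjacent `.auth` block then also belongs to a pull-scoped robot account, if credentials are needed at all.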
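Review bot: the Harbor Details hunk describes the project as `library (public)`, so anonymous pulls should already work and the `harbor-creds` docker-registry secret created in both documentation/harbor-registry.md and documentation/kubernetes-deployment.md may not be needed for pulling at all. If it is kept, the credentials placed in that secret and in the new Gitea `HARBOR_USER` / `HARBOR_PASS` secrets should be Harbor robot accounts (pull-only for the cluster, push-only to `library/flaskpaste` for CI) rather than a user login such as the `ansible` automation account named in the new text, so that a leaked secret cannot sign in to the Harbor UI or reach other projects. The `--docker-email=` flag is optional and can be dropped rather than left empty.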