claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity

docs: update harbor integration status and remove hardcoded credentials

Browse Source
This commit is contained in:
Username
2026-01-18 09:57:27 +01:00
parent 0fc45587cd
commit 9eee14e918
5 changed files with 33 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
PROJECT.md
View File

@@ -152,5 +152,7 @@ A self-hosted pastebin API that:
│ CLI register command │ Complete │ CLI register command │ Complete
│ systemd deployment │ Complete (security-hardened) │ systemd deployment │ Complete (security-hardened)
│ Test suite │ 301 tests passing │ Test suite │ 301 tests passing
│ Kubernetes deployment │ Complete (NodePort :30500)
│ Harbor registry integration │ Complete (docs only, CI/CD pending)
└─────────────────────────────────┴────────────────────────────────────────────┘ └─────────────────────────────────┴────────────────────────────────────────────┘
``` ```

6
ROADMAP.md
View File

@@ -123,8 +123,9 @@ Focus: Integration with external systems.
│ 2 │ /client endpoint │ Done (downloadable CLI) │ 2 │ /client endpoint │ Done (downloadable CLI)
│ 3 │ systemd service unit │ Done (with security hardening) │ 3 │ systemd service unit │ Done (with security hardening)
│ 4 │ Ansible deployment role │ Planned │ 4 │ Ansible deployment role │ Planned
│ 5 │ Kubernetes manifests │ Planned │ 5 │ Kubernetes manifests │ Done
│ 6 │ Shell aliases/functionsPlanned │ 6 │ CI/CD image build/push Done
│ 7 │ Shell aliases/functions │ Planned
└───┴─────────────────────────────────┴────────────────────────────────────┘ └───┴─────────────────────────────────┴────────────────────────────────────┘
``` ```
@@ -191,6 +192,7 @@ These features will not be implemented:
| 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses | 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses
| 2024-12 | Pentest remediation complete | 15 security hardening items from formal review | 2024-12 | Pentest remediation complete | 15 security hardening items from formal review
| 2024-12 | Enhanced CI security | SBOM generation, dedicated security-tests job | 2024-12 | Enhanced CI security | SBOM generation, dedicated security-tests job
| 2025-01 | CI/CD image build/push | Auto-build on main, push to Harbor registry
## Review Schedule ## Review Schedule

3
TASKLIST.md
View File

@@ -9,12 +9,13 @@ Prioritized, actionable tasks. Each task is small and completable in one session
| Status | Task | Status | Task
|--------|-------------------------------------------------------------- |--------|--------------------------------------------------------------
| ☐ | Create Ansible deployment role | ☐ | Create Ansible deployment role
| ☐ | Add Kubernetes manifests (Deployment, Service, ConfigMap)
## Completed ## Completed
| Date | Task | Date | Task
|------------|-------------------------------------------------------------- |------------|--------------------------------------------------------------
| 2025-01 | Add CI/CD image build and push to Harbor
| 2025-01 | Add Kubernetes manifests (Deployment, Service, ConfigMap)
| 2024-12 | Add PKI usage examples (documentation/pki.md) | 2024-12 | Add PKI usage examples (documentation/pki.md)
| 2024-12 | Create CONTRIBUTING.md with development setup | 2024-12 | Create CONTRIBUTING.md with development setup
| 2024-12 | Fix all mypy type errors (now enforced in CI) | 2024-12 | Fix all mypy type errors (now enforced in CI)

40
documentation/harbor-registry.md
View File

@@ -23,7 +23,8 @@ vulnerability scanning, image signing, and role-based access control.
### Harbor Details ### Harbor Details
``` ```
Registry: 192.168.122.154:30443 Internal: 192.168.122.154:30443 (K8s cluster access)
External: harbor.mymx.me (CI/CD, remote access)
Project: library (public) Project: library (public)
Repository: library/flaskpaste Repository: library/flaskpaste
``` ```
@@ -31,11 +32,14 @@ Repository: library/flaskpaste
### Authentication ### Authentication
```bash ```bash
# Default credentials (change in production!) Username: <harbor-username>
Username: admin Password: <harbor-password>
Password: Harbor12345
``` ```
For CI/CD automation, configure Gitea Actions secrets:
- `HARBOR_USER` - Harbor username (e.g., `ansible` automation account)
- `HARBOR_PASS` - Harbor password
--- ---
## Building Images ## Building Images
@@ -73,7 +77,7 @@ podman manifest add flaskpaste:latest flaskpaste:arm64
```bash ```bash
# Login to Harbor (skip TLS verify for self-signed certs) # Login to Harbor (skip TLS verify for self-signed certs)
podman login 192.168.122.154:30443 \ podman login 192.168.122.154:30443 \
-u admin -p Harbor12345 \ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
--tls-verify=false --tls-verify=false
# Tag for Harbor # Tag for Harbor
@@ -94,7 +98,7 @@ When Harbor is on an internal network:
ssh -f -N -L 30443:192.168.122.154:30443 jumphost ssh -f -N -L 30443:192.168.122.154:30443 jumphost
# Login and push via localhost # Login and push via localhost
podman login localhost:30443 -u admin -p Harbor12345 --tls-verify=false podman login localhost:30443 -u "$HARBOR_USER" -p "$HARBOR_PASS" --tls-verify=false
podman tag localhost/flaskpaste:latest localhost:30443/library/flaskpaste:latest podman tag localhost/flaskpaste:latest localhost:30443/library/flaskpaste:latest
podman push localhost:30443/library/flaskpaste:latest --tls-verify=false podman push localhost:30443/library/flaskpaste:latest --tls-verify=false
``` ```
@@ -117,7 +121,7 @@ ssh user@k8s-master '
localhost/flaskpaste:latest \ localhost/flaskpaste:latest \
192.168.122.154:30443/library/flaskpaste:latest 192.168.122.154:30443/library/flaskpaste:latest
sudo ctr -n k8s.io images push --skip-verify \ sudo ctr -n k8s.io images push --skip-verify \
--user admin:Harbor12345 \ --user <harbor-username>:<harbor-password> \
192.168.122.154:30443/library/flaskpaste:latest 192.168.122.154:30443/library/flaskpaste:latest
' '
``` ```
@@ -137,7 +141,7 @@ podman pull 192.168.122.154:30443/library/flaskpaste:latest \
```bash ```bash
sudo ctr -n k8s.io images pull --skip-verify \ sudo ctr -n k8s.io images pull --skip-verify \
--user admin:Harbor12345 \ --user <harbor-username>:<harbor-password> \
192.168.122.154:30443/library/flaskpaste:latest 192.168.122.154:30443/library/flaskpaste:latest
``` ```
@@ -157,8 +161,8 @@ For nodes to pull from Harbor with self-signed certificates:
[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".tls] [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".tls]
insecure_skip_verify = true insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".auth] [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.122.154:30443".auth]
username = "admin" username = "<harbor-username>"
password = "Harbor12345" password = "<harbor-password>"
``` ```
Restart containerd after changes: Restart containerd after changes:
@@ -171,9 +175,9 @@ sudo systemctl restart containerd
```bash ```bash
kubectl create secret docker-registry harbor-creds \ kubectl create secret docker-registry harbor-creds \
--docker-server=192.168.122.154:30443 \ --docker-server=192.168.122.154:30443 \
--docker-username=admin \ --docker-username=<harbor-username> \
--docker-password=Harbor12345 \ --docker-password=<harbor-password> \
--docker-email=admin@example.com --docker-email=<your-email>
``` ```
### Deployment Manifest ### Deployment Manifest
@@ -322,7 +326,7 @@ jobs:
### Check Image Exists ### Check Image Exists
```bash ```bash
curl -k -s -u admin:Harbor12345 \ curl -k -s -u <harbor-username>:<harbor-password> \
"https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts" \ "https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts" \
| jq '.[] | {digest: .digest, tags: [.tags[].name], size: .size}' | jq '.[] | {digest: .digest, tags: [.tags[].name], size: .size}'
``` ```
@@ -330,7 +334,7 @@ curl -k -s -u admin:Harbor12345 \
### List Tags ### List Tags
```bash ```bash
curl -k -s -u admin:Harbor12345 \ curl -k -s -u <harbor-username>:<harbor-password> \
"https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts" \ "https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts" \
| jq -r '.[].tags[].name' | jq -r '.[].tags[].name'
``` ```
@@ -339,7 +343,7 @@ curl -k -s -u admin:Harbor12345 \
```bash ```bash
# Delete specific tag # Delete specific tag
curl -k -X DELETE -u admin:Harbor12345 \ curl -k -X DELETE -u <harbor-username>:<harbor-password> \
"https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts/v1.0.0" "https://192.168.122.154:30443/api/v2.0/projects/library/repositories/flaskpaste/artifacts/v1.0.0"
``` ```
@@ -364,11 +368,11 @@ curl -k https://192.168.122.154:30443/api/v2.0/health
```bash ```bash
# Verify credentials via API # Verify credentials via API
curl -k -u admin:Harbor12345 \ curl -k -u <harbor-username>:<harbor-password> \
https://192.168.122.154:30443/api/v2.0/users/current https://192.168.122.154:30443/api/v2.0/users/current
# Check if project exists # Check if project exists
curl -k -u admin:Harbor12345 \ curl -k -u <harbor-username>:<harbor-password> \
https://192.168.122.154:30443/api/v2.0/projects https://192.168.122.154:30443/api/v2.0/projects
``` ```

6
documentation/kubernetes-deployment.md
View File

@@ -50,9 +50,9 @@ kubectl create namespace flaskpaste
kubectl create secret docker-registry harbor-creds \ kubectl create secret docker-registry harbor-creds \
--namespace flaskpaste \ --namespace flaskpaste \
--docker-server=192.168.122.154:30443 \ --docker-server=192.168.122.154:30443 \
--docker-username=admin \ --docker-username=<harbor-username> \
--docker-password=Harbor12345 \ --docker-password=<harbor-password> \
--docker-email=admin@example.com --docker-email=<your-email>
``` ```
### 2. Apply Manifest ### 2. Apply Manifest