Enterprise container registry — scanning, signing, replication, and access control
Module 1
Setup, Access Control & Image Trust
- Harbor architecture: core API, jobservice, portal, database (PostgreSQL), Redis, and storage backend options
- Helm installation: values.yaml configuration, persistence, TLS with cert-manager, external database setup
- Project-based access control: public vs private projects, member roles (Admin, Developer, Guest), project quotas
- Robot accounts: project-scoped and system-scoped robot accounts for CI pipelines, permission sets
- Retention policies: tag retention rules by regex, count, or last pull — automatic cleanup scheduling
- Image signing with Cosign: keyless signing via OIDC, Cosign signature storage as OCI artifacts, Harbor content trust enforcement
- Webhooks: push, pull, delete, scanning, and signing event triggers for CI/CD integration
Module 2
Vulnerability Scanning, Replication & Kubernetes Integration
- Trivy scanner integration: on-push scanning, scheduled scans, CVE severity levels, scanner configuration
- Vulnerability gates: project-level policies blocking pull of images with critical/high CVEs
- Replication rules: push-based and pull-based replication, filter by tag/label/repository, scheduling options
- Proxy cache: configuring Harbor as a pull-through cache for Docker Hub, GCR, Quay — rate limit protection
- OIDC/LDAP authentication: connecting Harbor to enterprise identity providers, group-to-role mapping
- imagePullSecret management: robot account credentials as Kubernetes Secrets, ExternalSecrets integration
- OCI artifact support: storing Helm charts, SBOM attestations, and other OCI artifacts alongside container images
What your team walks away with
Participants can deploy Harbor as a production-grade enterprise registry, enforce vulnerability scanning policies in the delivery pipeline, and control access for multi-team environments.
- Deploy and operate Harbor as an enterprise container registry with Helm and production-grade configuration
- Enforce vulnerability scanning gates in CI/CD to block images with critical CVEs from reaching production
- Replicate images across environments and registries with scheduled or event-driven replication rules
- Configure proxy caching for upstream registries to avoid rate limiting and improve pull performance
- Manage multi-team image access with project-based RBAC and CI-focused robot account permissions
Book the Harbor training
Reach out to schedule a session for your team — remote, on-site, or hybrid, in German or English.