harbor-registry

A self-hosted, open-source container image registry with built-in security, access control, and policy enforcement.

distribution, zot, quay, registry

What is harbor-registry?

The harbor-registry image provides a self-hosted, enterprise-grade container registry built on top of the CNCF Distribution project. Harbor extends a basic registry with features like role-based access control (RBAC), vulnerability scanning, image signing, replication policies, and audit logging — making it the registry of choice for teams that need governance and security over their container artifact supply chain.

Harbor is widely deployed in on-premises and air-gapped Kubernetes environments, CI/CD pipelines, and regulated industries where pulling images from public registries like Docker Hub isn't permitted or practical. It supports hosting OCI-compliant images and Helm charts, and integrates natively with scanners like Trivy and Clair.

It's relevant for platform engineers, DevSecOps teams, and anyone building an internal artifact distribution layer.

How to use this image

The harbor-registry image is deployed as a multi-component system rather than a single standalone container. Most production deployments use the Helm chart, which orchestrates the core registry, portal, jobservice, database, and scanner components together.

Install via Helm:

helm repo add harbor https://helm.goharbor.io
helm install harbor harbor/harbor \
  --namespace harbor --create-namespace \
  --set expose.type=ingress \
  --set expose.ingress.hosts.core=harbor.example.com \
  --set externalURL=https://harbor.example.com

When the Helm install completes, the chart has deployed the registry, portal, and jobservice components, wired them to a PostgreSQL backend, and exposed the UI and API via the configured ingress. Teams log in with their Harbor credentials, push images to projects, and enforce vulnerability scanning and signing policies from the Harbor UI. Logs from all components are written to stdout and can be collected via standard Kubernetes logging systems.

Image variants

Published under repositories such as goharbor/harbor-core and goharbor/registry-photon, Harbor ships as a suite of component images that are versioned and deployed together. The key images are:

  • harbor-core – The central API server handling authentication, project management, and policy enforcement.
  • registry-photon – The underlying OCI distribution registry layer, patched and maintained by the Harbor team.
  • harbor-portal – The web UI frontend.
  • harbor-jobservice – Handles async background jobs including replication, garbage collection, and scan scheduling.
  • harbor-db – A PostgreSQL instance pre-configured for Harbor's schema.
  • trivy-adapter-photon – The Trivy vulnerability scanner adapter for scanning images stored in the registry.

All component images follow the same versioning scheme (e.g., v2.10.0) and must be deployed as a matched set — mixing versions across components is not supported. Production deployments should pin to explicit versions and test upgrades carefully due to schema and CRD changes between releases.
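
One way to check the matched-set and pinning requirement described above. This is an added example, not part of the Harbor project; the function name check_harbor_image_set and the sample image list are assumptions made for illustration.

```shell
# Added example: verify that Harbor component images form a matched, pinned set.
# Reads image references (one per line) on stdin and returns 0 only if every
# goharbor/* image carries the same explicit version tag.
check_harbor_image_set() {
    expected=""   # tag of the first Harbor image seen
    seen=0        # number of Harbor images inspected
    rc=0
    while IFS= read -r ref; do
        case "$ref" in
            goharbor/*|*/goharbor/*) ;;   # Harbor component image
            *) continue ;;                 # ignore sidecars and other images
        esac
        seen=$((seen + 1))
        name=${ref%%@*}     # drop any @sha256:... digest suffix
        last=${name##*/}    # final path segment, so a registry port is not read as a tag
        case "$last" in
            *:*) tag=${last##*:} ;;
            *)   tag="" ;;
        esac
        if [ -z "$tag" ] || [ "$tag" = "latest" ]; then
            echo "NO_EXPLICIT_VERSION $ref"
            rc=1
        elif [ -z "$expected" ]; then
            expected=$tag
        elif [ "$tag" != "$expected" ]; then
            echo "MISMATCH $ref (expected $expected)"
            rc=1
        fi
    done
    [ "$seen" -gt 0 ] || { echo "NO_HARBOR_IMAGES"; rc=1; }
    return "$rc"
}

# Constructed sample input (not taken from a real cluster).
printf '%s\n' \
    'goharbor/harbor-core:v2.10.0' \
    'goharbor/harbor-jobservice:v2.9.1' \
    'goharbor/harbor-db' |
    check_harbor_image_set || echo "image set is not matched and pinned"
```

Against a running deployment, the input can come from kubectl get pods -n harbor -o jsonpath='{.items[*].spec.containers[*].image}' piped through tr ' ' '\n'.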
