What AI and cloud consulting services does Luca Berton offer?

Luca Berton provides expert consulting in AI/ML platform strategy, multi-tenant GPU orchestration on OpenShift AI, MLOps enablement, cloud infrastructure design, Kubernetes workshops, and Ansible & Python training.

What is Ansible Pilot?

Ansible Pilot is the leading resource for Ansible automation learning, featuring a YouTube channel with 6.1K subscribers and 1M+ views, plus AnsiblePilot.com with 648K total users.

How can I book a consultation with Luca Berton?

Schedule a free consultation through Calendly at calendly.com/lucaberton or visit lucaberton.com/contact.

Harbor: Enterprise Container Registry on Kubernetes

What Is Harbor?

Harbor is an enterprise container registry with vulnerability scanning, image signing, replication, and RBAC. CNCF Graduated, 25K+ GitHub stars.

Harbor vs Docker Hub vs ECR

Feature	Harbor	Docker Hub	ECR/GCR/ACR
Self-hosted	✅	❌	❌
Vulnerability scanning	✅ (Trivy)	⚠️ Paid	✅
Image signing	✅ (Cosign/Notary)	❌	⚠️
Replication	✅ (multi-site)	❌	⚠️ (cross-region)
RBAC	✅ Fine-grained	⚠️ Basic	✅
Helm charts	✅	❌	⚠️
Quotas	✅ Per-project	💰	✅
Cost	$0 + infra	$7-25/mo	Per-GB

Helm Installation

helm repo add harbor https://helm.goharbor.io
helm install harbor harbor/harbor \
  --namespace harbor \
  --create-namespace \
  --set expose.type=ingress \
  --set expose.ingress.hosts.core=registry.yourdomain.com \
  --set expose.tls.certSource=secret \
  --set persistence.persistentVolumeClaim.registry.size=500Gi \
  --set persistence.persistentVolumeClaim.database.size=50Gi \
  --set harborAdminPassword=your-secure-password \
  --set trivy.enabled=true

Key Features

Automatic Vulnerability Scanning

Every pushed image is scanned with Trivy:

# Push triggers automatic scan
docker push registry.yourdomain.com/myproject/api:v1.2.3

# Harbor blocks pull if critical CVEs found (configurable)
# Policy: prevent deployment of images with Critical/High CVEs

Image Signing (Supply Chain Security)

# Sign with Cosign
cosign sign --key cosign.key registry.yourdomain.com/myproject/api:v1.2.3

# Kubernetes admission controller verifies signatures
# Only signed images can run in production namespaces

Replication (Multi-Site)

┌──────────────┐         ┌──────────────┐
│  Harbor EU   │◀──sync──▶│  Harbor US   │
│  (primary)   │         │  (replica)   │
└──────────────┘         └──────────────┘
       │
       │  push from CI/CD
       │
┌──────▼──────┐
│  Developers │
└─────────────┘

Images replicated across regions for HA and faster pulls.

Garbage Collection

# Schedule GC to reclaim storage from deleted tags
# Harbor Admin → Configuration → Garbage Collection → Schedule
# Recommended: weekly, during low-traffic hours

Integration with Kubernetes

# ImagePullSecret for Harbor
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-config>
---
# Pod spec
spec:
  imagePullSecrets:
    - name: harbor-registry
  containers:
    - name: app
      image: registry.yourdomain.com/production/api:v1.2.3

Storage Sizing

Images	Tags/Image	Avg Size	Total Storage
50	10	500MB	250GB
200	20	500MB	2TB
500	30	1GB	15TB

Enable layer deduplication — reduces actual storage by 40-60%.