Build a Full CI/CD Pipeline with Kubernetes, Jenkins, and Harbor
This guide walks you through the theory, architecture, and step‑by‑step deployment of a production‑grade CI/CD pipeline that combines Kubernetes, Jenkins, and Harbor, providing concrete Helm commands, YAML manifests, and a Jenkinsfile to automate code‑to‑image‑to‑deployment workflows.
Overview
The article presents a complete, practical handbook for constructing a CI/CD pipeline using Kubernetes (K8s) as the runtime, Jenkins as the automation engine, and Harbor as a private container registry. It covers core concepts, a full architecture diagram, environment setup, Helm‑based installations, credential management, and best‑practice recommendations.
Core Concepts
Kubernetes (K8s): container orchestration platform handling deployment, scaling, rolling updates, and high availability.
Jenkins: automation server that acts as the "brain" of the pipeline, performing code checkout, build, test, and publish steps.
Harbor: enterprise‑grade private Docker registry for secure storage and distribution of images.
Architecture Diagram
Environment Preparation
A Kubernetes cluster (v1.20+ recommended) with at least three nodes.
Helm ≥ 3.0, kubectl, and Docker installed on the control machine.
Deployment Steps
1. Deploy Jenkins
helm repo add jenkins https://charts.jenkins.io
helm repo update
helm install jenkins jenkins/jenkins \
  --namespace jenkins --create-namespace \
  --set persistence.storageClass=hostpath \
  --set controller.serviceType=NodePort \
  --set controller.nodePort=32080
Retrieve the initial admin password:
kubectl exec --namespace jenkins -it svc/jenkins -- cat /var/jenkins_home/secrets/initialAdminPassword
Access Jenkins at http://<NodeIP>:32080.
2. Deploy Harbor
helm repo add harbor https://helm.goharbor.io
helm repo update
helm install harbor harbor/harbor \
  --namespace harbor --create-namespace \
  --set expose.type=NodePort \
  --set expose.tls.enabled=false \
  --set externalURL=http://harbor.local \
  --set persistence.persistentVolumeClaim.registry.storageClass=hostpath
Harbor UI is reachable at http://<NodeIP>:30002 (default credentials: admin / Harbor12345).
3. Integrate Jenkins with Harbor
Add a credential in Jenkins:
Type: Username with password
ID: harbor-credentials
Username: admin
Password: Harbor12345
Use the credential in the Jenkinsfile when pushing images.
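A Jenkinsfile that consumes this credential, as an added example that is not part of the original article: it builds, pushes to Harbor, and rolls out a build-numbered tag without the password reaching the build log or the process list. Assumptions: the agent has the docker and kubectl CLIs, its Docker daemon lists harbor.local under insecure-registries (TLS is disabled in the Harbor install above), and the myapp Deployment from step 4 already exists in the demo namespace.

```groovy
// Added example Jenkinsfile (not from the original article).
pipeline {
    agent any // assumption: this agent has the docker and kubectl CLIs
    environment {
        REGISTRY = 'harbor.local'
        IMAGE    = 'harbor.local/library/myapp'
        TAG      = "${env.BUILD_NUMBER}" // unique tag per build instead of :latest
    }
    stages {
        stage('Build image') {
            steps {
                sh 'docker build -t "$IMAGE:$TAG" .'
            }
        }
        stage('Push to Harbor') {
            steps {
                // Binds the step-3 credential to env vars and masks them in the log.
                withCredentials([usernamePassword(
                        credentialsId: 'harbor-credentials',
                        usernameVariable: 'HARBOR_USER',
                        passwordVariable: 'HARBOR_PASS')]) {
                    // Single quotes: the shell expands the secret, not Groovy, and
                    // --password-stdin keeps it out of the process argument list.
                    sh '''
                        printf '%s' "$HARBOR_PASS" | docker login "$REGISTRY" -u "$HARBOR_USER" --password-stdin
                        docker push "$IMAGE:$TAG"
                    '''
                }
            }
        }
        stage('Deploy') {
            steps {
                // Assumption: the agent's ServiceAccount may patch Deployments in "demo".
                sh 'kubectl -n demo set image deployment/myapp app="$IMAGE:$TAG"'
                sh 'kubectl -n demo rollout status deployment/myapp --timeout=120s'
            }
        }
    }
    post {
        always {
            sh 'docker logout "$REGISTRY" || true' // drop the stored registry login
        }
    }
}
```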
4. Deploy Application Images from Harbor
Create an ImagePullSecret for Kubernetes:
kubectl create secret docker-registry harbor-secret \
  --docker-server=harbor.local \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --namespace=demo
Example Deployment manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: demo   # must match the namespace that holds harbor-secret
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: app
        image: harbor.local/library/myapp:latest
      imagePullSecrets:
      - name: harbor-secret
Best Practices
Persist Jenkins data with a PVC.
Use dynamic agent pods that terminate after builds.
Enable HTTPS on Harbor and integrate Trivy for vulnerability scanning.
Configure Notary for image signing.
Leverage image replication for multi‑cluster sync.
Prefer Helm or Kustomize for managing Deployments.
Adopt GitOps tools such as ArgoCD or FluxCD for automated sync.
Apply RBAC and dedicated ServiceAccounts for Jenkins; integrate LDAP/AD with Harbor for unified authentication.
Summary
Theoretical layer: Jenkins orchestrates pipelines, Harbor stores images, and K8s runs workloads, forming a complete CI/CD loop.
Practical layer: Helm charts deploy Jenkins and Harbor, credentials and secrets are configured, and a Jenkinsfile drives code → image → deployment automation.
Optimization layer: Adding GitOps (ArgoCD/FluxCD) and a service mesh (Istio/Linkerd) further enhances delivery intelligence and security.
Ray's Galactic Tech
