Image Lifecycle Overview
Purpose: For platform engineers, explains how container images flow through build, scan, sign, publish, promote, and mirror stages.
Image lifecycle management is not a CLI feature. The build, scan, sign, and promote pipeline is maintained in the openCenter-gitops-base repository. Air-gap mirroring is handled by the openCenter-AirGap repository. The openCenter-cli does not manage container images directly.
Concept Summary
Every container image in the openCenter platform passes through a six-stage lifecycle before it runs in a production cluster. Each stage has a gate — an image that fails any gate does not advance.
How It Works
Stage 1 — Build
CI pipelines produce OCI-compliant images from multi-stage Dockerfiles. Each build pins its base image by digest (not latest) and outputs a deterministic image tagged with the Git SHA and a semantic version.
Build artifacts include the image itself plus build metadata (commit, timestamp, pipeline URL) stored as OCI annotations.
Stage 2 — Scan
Harbor's integrated Trivy scanner runs automatically on push. The scan produces a vulnerability report and an SBOM in SPDX format. Images with Critical-severity CVEs are blocked from promotion by Harbor's project-level policy.
Platform teams can also run Trivy in CI before pushing to Harbor, catching issues earlier in the pipeline.
Stage 3 — Sign
After a successful scan, cosign signs the image using a keyless (Fulcio + Rekor) or key-pair workflow. The signature is stored as an OCI artifact alongside the image in Harbor. Kyverno policies on the cluster verify signatures at admission time — unsigned images are rejected.
Stage 4 — Publish
Signed images land in a Harbor project scoped to the environment (e.g., harbor.example.com/platform-dev/). Harbor projects enforce access control, vulnerability thresholds, and retention rules independently.
Stage 5 — Promote
Promotion copies an image (with its signature and SBOM) from one Harbor project to another — typically dev → staging → production. Promotion is a metadata operation in Harbor (no rebuild). Each promotion requires the image to pass the destination project's scan policy.
Stage 6 — Mirror (Air-Gap)
For disconnected environments, opencenter-airgap build pulls every image listed in the platform manifest, bundles them into a Zarf package (.tar.zst), and includes signatures and SBOMs. The Zarf package is transferred to the air-gapped bastion, which serves images from a local registry on port 5000.
Trade-Offs and Alternatives
| Approach | Pros | Cons |
|---|---|---|
| Harbor-native scanning (current) | Single registry, integrated UI, policy gates | Tied to Harbor's Trivy version |
| External scan pipeline (Grype, Snyk) | Vendor flexibility, richer policy language | Extra infrastructure, sync complexity |
| Notation instead of cosign | CNCF standard, broader tooling | Less mature ecosystem than cosign today |
Common Misconceptions
- "Promotion rebuilds the image." It does not. Promotion is a copy operation that preserves the original digest.
- "Air-gap mirroring is optional." For connected clusters it is. For any site without outbound internet, mirroring is the only path to deploy platform services.
- "Scanning once is enough." Each Harbor project re-scans on push. New CVE data may flag an image that was clean yesterday.
Further Reading
- Build System — Dockerfile patterns and CI integration
- Security & SBOM — Scanning configuration and signing details
- Publish & Promote — Promotion pipeline between environments
- Air-Gap Mirroring — Packaging images for disconnected sites